Posted on

Your E-Commerce site and Credit Cards

Sites that deal with credit cards can have some sloppy practices.  Not through malicious intent, but it’s sloppy nevertheless so it should be addressed.  There are potential fraud and identity theft issues at stake, and any self-respecting site will want to be seen to be respecting their clients!

First, a real-world story. Read Using expired credit cards

The key lesson from there is that simply abiding by what payment gateways, banks and other credit card providers require does not make your payment system good.  While it is hoped that those organisations also clean up their processes a bit, you can meanwhile make sure that you do the right thing by your clients regardless of that.

First of all, ensure that all pages and all page-items (CSS, images, scripts, form submit destinations, etc) as well as payment gateway communications go over HTTPS.  Having some elements of payment/checkout/profile pages served without HTTPS will show up as mixed-content warnings in browsers, and it looks very sloppy indeed.  Overall, you are encouraged to just make your entire site run over HTTPS.  But if you use any external sources for scripts, images or other content, that too needs to be checked, as a single insecure resource can undermine your site's security on the browser end.
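As an added illustration of that check (example code, not from the original post), the following script walks a checkout page's HTML and reports every script, stylesheet, image, frame or form destination that would be fetched or posted over plain http://. Relative and protocol-relative URLs inherit the page's own scheme, so only explicit http:// references are flagged. The sample page and hostnames are constructed for the example.

```python
"""Find page resources on an HTTPS page that are still referenced over http://.
Standard library only; the sample HTML below is constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes that make the browser fetch something or send form data.
_URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
    "iframe": ("src",),
    "form": ("action",),
    "source": ("src",),
    "audio": ("src",),
    "video": ("src",),
    "object": ("data",),
}

# <link> elements that actually cause a fetch (rel="canonical" etc. do not).
_FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}


class _ResourceCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []  # list of (tag, absolute url)

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        if tag == "link":
            rels = set((attr_map.get("rel") or "").lower().split())
            if not rels & _FETCHED_LINK_RELS:
                return
        for name in _URL_ATTRS.get(tag, ()):
            value = attr_map.get(name)
            if value:
                # Resolve against the page URL so "/path" and "//host/path"
                # take the page's scheme, exactly as the browser does.
                self.resources.append((tag, urljoin(self.base_url, value.strip())))


def find_insecure_resources(html, page_url):
    """Return (tag, url) for every resource that would be loaded or posted
    over http://. Anything without an explicit http scheme is left alone."""
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url in collector.resources
            if urlsplit(url).scheme.lower() == "http"]


# Constructed sample checkout page with a mix of secure and insecure references.
PAGE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <link rel="canonical" href="http://shop.example.test/checkout">
  <script src="http://cdn.example.test/analytics.js"></script>
</head><body>
  <img src="//img.example.test/logo.png">
  <img src="http://img.example.test/badge.png">
  <form action="http://gateway.example.test/pay" method="post"></form>
  <form action="/checkout/submit" method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_insecure_resources(SAMPLE_HTML, PAGE_URL):
        print(f"insecure <{tag}>: {url}")
```

Run it against your own rendered checkout, profile and payment pages (the HTML after any templating, since that is what the browser sees); the `<form action="http://...">` case is the one to treat most seriously, because that is card data leaving the browser in the clear rather than just a script or image.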

For the credit card processing, here are a few tips for what you can do from your end:

  • DO NOT store credit card details.  Good payment gateways work with a token system, so you can handle recurring payments and clients can choose to have their card kept on file, but you don’t have it.  After all, data you don’t have, cannot be leaked or stolen.
  • DO NOT check credit card number validity before submitting to the payment gateway, i.e. don’t apply the Luhn check.  We wrote about this over a decade ago, but it’s still relevant: Luhn algorithm (credit card number check).  In a nutshell, if you do pre-checks, the payment gateway sees fewer of the attempted transactions and might miss fraud attempts.
  • Check that your payment gateway requires the CVV field, and checks it.  If it doesn’t do this, the gateway will be bad at fraud prevention: have them fix it, or move to another provider.
  • Check that your payment gateway does not allow use of expired cards, not even for recurring payments using cards-on-file.  This is a bit more difficult to check (since you don’t want to be storing credit card details locally) and you may only find out over time, but try to make this effort.  It is again an issue that can otherwise harm your clients.
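To make the first and last tips concrete, here is an added example (not the original post's code, and not any particular gateway's API) of what a merchant keeps locally when a card is "on file" with a token-based gateway, together with a local expiry check run before a recurring charge. The token, field names and the sample gateway response are constructed for the example; the expiry month and last four digits are assumed to be acceptable to store, since they are not the card number itself.

```python
"""Card-on-file record without card data, plus an expiry check for recurring charges.
Constructed example: the gateway response shape and token format are assumptions."""
import calendar
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CardOnFile:
    gateway_token: str  # opaque reference issued by the gateway; meaningless elsewhere
    last4: str          # for display ("card ending 4242") only
    exp_month: int
    exp_year: int


# Response fields that must never reach our database, whatever the gateway sends back.
_FORBIDDEN_FIELDS = {"pan", "number", "card_number", "cvv", "cvc", "cvv2"}


def card_on_file_from_gateway_response(resp):
    """Build the local record from a tokenisation response, refusing to persist
    anything that could be the full card number or the security code."""
    present = _FORBIDDEN_FIELDS & {k.lower() for k in resp}
    if present:
        raise ValueError(f"refusing to persist sensitive card fields: {sorted(present)}")
    return CardOnFile(
        gateway_token=resp["token"],
        last4=resp["last4"],
        exp_month=int(resp["exp_month"]),
        exp_year=int(resp["exp_year"]),
    )


def is_expired(card, today):
    """A card is valid through the last day of its expiry month, so 02/2024
    still works on 29 Feb 2024 and stops working on 1 Mar 2024."""
    last_day = calendar.monthrange(card.exp_year, card.exp_month)[1]
    return today > date(card.exp_year, card.exp_month, last_day)


def recurring_charge_allowed(card, today):
    """Local gate in front of the gateway call: never attempt a recurring
    charge on an expired card, even if the gateway would accept it."""
    return not is_expired(card, today)


# Constructed tokenisation response as a well-behaved gateway might return it.
SAMPLE_RESPONSE = {"token": "tok_example_0001", "last4": "4242",
                   "exp_month": "02", "exp_year": "2024"}

if __name__ == "__main__":
    card = card_on_file_from_gateway_response(SAMPLE_RESPONSE)
    for day in (date(2024, 2, 29), date(2024, 3, 1)):
        print(day, "charge allowed:", recurring_charge_allowed(card, day))
```

The refusal in `card_on_file_from_gateway_response` is the cheap half of "data you don't have cannot be leaked": the gateway's own response is the most likely place for a full card number to sneak into your database, so fail loudly there rather than discovering it in a backup later. The expiry gate is something you can run yourself without holding card data, which also gives you a way to observe whether the gateway ever accepts a charge you would have refused.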

If you have positive confirmation that your payment gateway does the right thing, please let us know!  It will help others.  Thanks.
