Accepting payments online

If you collect online payments from customers, there are a few important steps you need to take to make sure that information is protected.

Many more businesses are embracing e-commerce these days, by selling – or beginning to sell – their products and services online. Putting your business online is like opening a new store that can be visited by anyone around the world. This not only enables you to reach more customers, it also creates more opportunities for online criminals.

E-commerce websites are often targeted by attackers because they want to get customers' payment data to commit fraud. As your customers will need to provide personal and payment information when buying things from you online, this can make your site more of a target.

This guide will help you understand what you need to do in order to get your business online, while keeping your e-commerce website safe and secure, and protecting your customers' information.  

Understand what you need

Before you make any changes to your business operations, understand what you need to get started. In order to collect payments from customers online, there are a few things you will need.

An online store or e-commerce system

You might already have a website for marketing, and now your business is growing and you want to add an online shopping cart. This part of your website needs to be well-built and secure as makes it a prime target for cyber attackers. Because of this added risk, it's important to do your due diligence as not all online stores are created equal. Your first decision is whether you want a custom-made e-commerce system or an off-the-shelf product.

There are many well-tested off-the-shelf options for online shopping carts (such as Shopify, Squarespace, or Wix). These dedicated e-commerce companies continually update their software to respond to evolving risks.

If you choose to have an e-commerce system custom-made for your website, make sure you understand what security features this will offer. Although they'll be the ones doing the technical work, you'll be responsible for keeping your customers' information safe.

Risk assessments for your business

If you plan to use an IT service provider to create or recommend your e-commerce system, our guide on choosing an IT service provider should help you ask the relevant questions.

Choosing an IT service provider

Payment gateway

A payment gateway allows you to accept online payments. There are important security and compliance factors for each payment type (e.g. credit/debit card vs. bank transfer) that you need to consider. We encourage you to get in touch with your bank to discuss payment gateway options.

Off-the-shelf e-commerce systems are often limited to certain payment gateways. Talk to your IT service provider about which payment gateway your e-commerce system can integrate with.

Security standards for handling credit cards

The Payment Card Industry has a security standard for businesses who accept credit cards which covers how to handle the data. It's called the Payment Card Industry Data Security Standard (PCI DSS). It provides the minimum standard for website payment security which is very important for processing credit card payments online.

By using a PCI compliant service provider and by implementing the measures in your business you significantly reduce your risk of suffering an online attack. The requirements in the PCI security standard are controls that are useful to implement in other areas of your business.


PCI DSS requirements

Build and maintain a secure network

  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data

  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program

  • Use and regularly update anti-virus software or programs.
  • Develop and maintain secure systems and applications.

Implement strong access control measures

  • Restrict access to cardholder data by business need-to-know.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to network resources and cardholder data.

Regularly test and monitor networks

  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.

Maintain an information security policy

  • Maintain a policy that addresses information security for employees and contractors.

Our Critical Controls show how these principles apply to other areas of your business.

CERT NZ Top Critical Controls

PCI security standards External Link  

Incident response plan

Moving to an online store is a big shift in risk for your business. You'll face new risks by moving online and need to have a plan in case the worst happens. Just like other emergency response plans (what to do in a fire or bomb threat) this plan should detail contact points, response timelines and procedures in the event of an online attack. If you don't already have an incident response plan, check our guide on how to make one.

Developing an incident response plan

Train your team

Bring your team along with you on the cyber security journey. Teaching best practice and your business' policies will reduce the risk of a successful cyber attack.

Cyber security awareness for your staff

Secure your online store

Businesses might think that because they're in New Zealand or aren't an international corporation, then they won't be targeted for online criminals.  Cyber attackers care less about the size or location of a business, and more about how easy it is to deploy their attacks. They will often use tools to scan for outdated and unsupported software which may have vulnerabilities to make it easier for attackers to get in.

Some off-the-shelf website solutions are updated by their vendors, which means you don't have to worry about keeping them patched. You still need to update software in other areas of your business. If you are using an IT service provider, don't assume that they are keeping your website up to date. Make sure that they regularly check for and implement updates.

When you're ready to start creating or updating your website, there are some things you need to make sure are in place. CERT NZ has a checklist that covers the best practice measures you need to consider to protect your website.  Following this practical advice is particularly important when you are using a website for sensitive functions, such as payments or collecting customers' data.

Share this checklist with your IT service provider or check that the software you're using meets these recommendations.

Top tips to protect your website

Get in touch with your bank

After you have taken inventory of what you have and what you need, contact your bank.

Banks regularly work with businesses to help them establish their e-commerce systems. They often have guides explaining how they can help. They can also refer you to the relevant people for more information on:

  • payment gateways
  • fees relating to receiving online payments
  • handling online refunds, chargebacks, and payment disputes
  • PCI-DSS compliance.

Read your bank's guide to business payments: