Accepting payments online

If you collect online payments from customers, there are a few important steps you need to take to make sure that information is protected.

Many more businesses are embracing e-commerce these days, by selling  their products and services online. Putting your business online is like opening a new store that can be visited by anyone around the world. This not only enables you to reach more customers, it also creates more opportunities for online criminals.

E-commerce websites are often targeted by attackers because they want to get customers' payment data to commit fraud. As your customers will need to provide personal and payment information when buying things from you online, this can make your site more of a target.

This guide will help you understand what you need to do in order to get your business online, while keeping your e-commerce website safe and secure, and protecting your customers' information.  

Understand what you need

Before making changes to your business operations to allow you to collect payments from customers online, it's important to understand what's required. Below are some things you'll need to put in place.

An online store or e-commerce system

You might already have a website for marketing, and now your business is growing and you want to add an online shopping cart. This part of your website needs to be well-built and secure as makes it a prime target for cyber attackers. Because of this added risk, it's important to do your due diligence as not all online stores are created equal. Your first decision is whether you want a custom-made e-commerce system or an off-the-shelf product.

There are many well-tested off-the-shelf options for online shopping carts (such as Shopify, Squarespace, or Wix). These dedicated e-commerce companies continually update their software to respond to evolving risks.

If you choose to have an e-commerce system custom-made for your website, make sure you understand what security features this will offer. Although they'll be the ones doing the technical work, you'll be responsible for keeping your customers' information safe.

Risk assessments for your business

If you plan to use an IT service provider to create or recommend your e-commerce system, our guide on choosing an IT service provider will help you ask the relevant questions.

Choosing an IT service provider

Payment gateway

A payment gateway allows you to accept online payments. There are important security and compliance factors for each payment type (e.g. credit/debit card vs. bank transfer) that you need to consider. We encourage you to get in touch with your bank to discuss payment gateway options.

Off-the-shelf e-commerce systems are often limited to certain payment gateways. Talk to your IT service provider about which payment gateway your e-commerce system can integrate with.

Security standards for handling credit cards

The Payment Card Industry has a security standard for businesses who accept credit cards that covers how to handle the data. It's called the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS provides the minimum standard for website payment security - an important factor in processing credit card payments online.

By using a PCI-compliant service provider and by implementing the measures in your business, you significantly reduce your risk of suffering an online attack. The PCI DSS controls are useful to implement in other areas of your business too.


PCI DSS requirements

Build and maintain a secure network

  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters. 

Protect cardholder data

  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program

  • Use and regularly update anti-virus software or programs.
  • Develop and maintain secure systems and applications.

Implement strong access control measures

  • Restrict access to cardholder data by business need-to-know.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to network resources and cardholder data.

Regularly test and monitor networks

  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.

Maintain an information security policy

  • Maintain a policy that addresses information security for employees and contractors.

Our Critical Controls show how these principles apply to other areas of your business.

CERT NZ Top Critical Controls

PCI security standards External Link  

Incident response plan

Moving to an online store introduces new risks to your business. You'll  need to have a plan in case the worst happens. Just like other emergency response plans (such as what to do in the event of a fire or earthquake), this plan should detail contact points, response timelines and procedures in the event of an online attack. If you don't already have an incident response plan, check out our guide on how to make one.

Developing an incident response plan

Train your team

Bring your team along with you on the cyber security journey. If they're clear on your business' policies and procedures, and how to follow them, there's less chance a cyber attack will be successful.

Cyber security awareness for your staff

Secure your online store

Businesses might think that, because they're in New Zealand and not an international corporation, they won't be targeted by online criminals.  Cyber attackers care less about the size or location of a business, and more about how easy it is to deploy their attacks. They'll often use tools to scan for outdated and unsupported software with vulnerabilities that make it easier them to get in.

Some off-the-shelf website solutions are updated by their vendors, which means you don't have to worry about doing it yourself. You still need to update software in other areas of your business, however. If you're using an IT service provider, don't assume they're keeping your website up to date. Make sure they regularly check for, and implement, updates.

When you're ready to start creating or updating your website, there are some things you need to make sure are in place. CERT NZ has a checklist that covers the best practice measures to protect your website. Following this practical advice is particularly important when you are using a website for sensitive functions, such as online payments or collecting customers' data.

Share this checklist with your IT service provider or check that the software you're using meets these recommendations.

Top tips to protect your website

Get in touch with your bank

After you have taken inventory of what you have and what you need, contact your bank.

Banks regularly work with businesses to help them establish their e-commerce systems. They often have guides explaining how they can help. They can also refer you to the relevant people for more information on:

  • payment gateways
  • fees relating to receiving online payments
  • handling online refunds, chargebacks, and payment disputes
  • PCI-DSS compliance.

Read your bank's guide to business payments: