Network security
Te whakaae i ngā utu ā-tuihono

Accept payments online securely

If you collect online payments from customers, there are a few important steps you need to take to make sure their payment data is protected.

The risks

Putting your business online is like opening a new store that can be visited by anyone around the world. This enables you to reach more customers, but it also creates more opportunities for online criminals.

E-commerce websites are often targeted by attackers because they want to get customers' personal and payment data to commit .

This guide will help you understand what you need to do to:

  • get your business accepting payments online
  • keep your website safe and secure, and
  • protect your customers' information.

How to protect your business

  • Understand what you need

    Here are some things you'll need to put in place to allow you to collect payments from customers online.

    An online store or e-commerce system

    If you're adding a shopping cart to your website, it needs to be well-built and secure as it will make your site a prime target for online attackers.

    You'll need to choose either:

    • an off-the-shelf online shopping cart (for example, Shopify, Squarespace or Wix) – these dedicated e-commerce companies continually update their software to respond to evolving risks
    • have an e-commerce system custom-made for your website – make sure you understand the security features your IT service provider will include.

    If you plan to use an IT service provider to create or recommend your e-commerce system, our guide on choosing an IT service provider will help you ask the relevant questions. Although they'll be the ones doing the technical work, you'll be responsible for keeping your customers' information safe.

    Choosing an IT service provider

    A payment gateway

    A payment gateway allows you to accept online payments. Each payment type (credit card, debit card, bank transfer) has important security and compliance factors that you need to consider. We recommend that you get in touch with your bank to discuss payment gateway options.

  • Security standards for handling credit cards

    The Payment Card Industry has a security standard for businesses who accept credit cards that covers how to handle the data. It's called the Payment Card Industry Data Security Standard (PCI DSS) and it sets the minimum standard for website payment security.

    By using a PCI-compliant service provider and by implementing the measures in your business, you significantly reduce your risk of suffering an online attack. 

    GOALS

    PCI DSS REQUIREMENTS

    Build and maintain a secure

    • Install and maintain a configuration to protect cardholder data.
    • Do not use vendor-supplied defaults for system passwords and other security parameters.

    Protect cardholder data

    • Protect stored cardholder data.
    • Encrypt transmission of cardholder data across open, public networks.

    Maintain a management program

    • Use and regularly update or programs.
    • Develop and maintain secure systems and applications.

    Implement strong access control measures

    • Restrict access to cardholder data by business need-to-know.
    • Assign a unique ID to each person with computer access.
    • Restrict physical access to network resources and cardholder data.

    Regularly test and monitor networks

    • Track and monitor all access to network resources and cardholder data.
    • Regularly test security systems and processes.

    Maintain an information security policy

    • Maintain a policy that addresses information security for employees and contractors.

    CERT NZ's Critical Controls show how these principles can apply to other areas of your business, too.

    Top Critical Controls(external link) – CERT NZ

    PCI security standards(external link) – PCI Security Standards Council

  • Train your team

    Bring your team along with you on the cyber security journey. If they're clear on your business' policies and procedures, and how to follow them, there's less chance a cyber attack will be successful.

    Educate your staff about online security

  • Secure your online store

    We have a checklist that covers the best practice measures to protect your website. Following this practical advice is particularly important when you're using a website for things like accepting online payments or collecting customers' data.

    If you're using an IT service provider, share this checklist with them to ensure that the software you're using meets the recommendations.

    Protect your website

You might think that online criminals would be less likely to target your small business in New Zealand than an international corporation, but attackers care more about how easy it is to deploy their attacks than about the size or location of a business.

Get help

Talk to your bank for advice

After you've taken inventory of what you have and what you need, contact your bank. Banks regularly work with businesses to help them establish their e-commerce systems.

They often have guides explaining how they can help. They can also refer you to the relevant people for more information on:

  • payment
  • fees relating to receiving online payments
  • handling online refunds, chargebacks, and payment disputes
  • PCI-DSS compliance.

Read your bank's guide to business payments:

ANZ(external link)

ASB(external link)

BNZ(external link)

Kiwibank(external link)

Westpac(external link)

Get help with online security issues

If you’ve experienced an online security issue, your first step is to contact the service provider.

You can also report an online issue or security incident to us at CERT NZ.

Get help now