The Evolution of Online Payment Security: Past, Present, and Future

Online payment security is all about trust. Without trust, no one would use the financial ecosystem. Think of a customer who only experiences rampant fraud every time they use their credit card. If there is no security, there is no market.  

So how have we managed to protect the payment industry? Well, it's been a non-stop task since day one (a task which Chargeflow is proud to continue). Each time a new threat emerges, security teams adopt a new defense. Since the first electronic transfers, we've gone head to head with fraudsters and criminals, evolving new measures to protect our users.

Let's walk through the history of payment security to visualize the protective efforts of online payment security.  

The Early Days of Online Payments

Online payments started with the emergence of eCommerce. Think eBay or Amazon. These internet-based marketplaces offered a new way to sell products.

But digital selling also requires digital ways to accept payments. That caused a demand for virtual payment terminals. And so payment service providers (PSPs) arrived with digital solutions, one of the most popular being PayPal or a chargeback process through their credit card companies.

Payment providers allowed users to link their bank accounts and credit cards to make payments. Of course, these services brought up security concerns. How could you verify that the correct user initiated a payment? What if someone hacked an account or got ahold of a password? And how could you protect financial information while it was in transit?

In response, payment security adapted. For example, email verification helped confirm the user. Strong passwords defended against login scams. And most notably, security firms turned to encryption. First developed in 1995, Netscape developed Secure Socket Layer (SSL) to encrypt data across the web and authenticate the users. It provided the basis for Transport Layer Security (TLS) encryption, which we still use today.

The Rise of eCommerce and Payment Gateways

eCommerce continued to thrive during the late 1990s and early 2000s. Which is actually quite remarkable, as much of the hype about the internet faded with the dot.com bubble crash. When the bubble burst, many considered eCommerce dead on arrival.

Yet a few platforms survived, this time with some much-needed changes. Brands like Amazon, Shopify, Netflix, and Zappos began to integrate all the distinct parts of the digital marketplace into a working whole. Things like inventory had to work with order fulfillment, and both had to connect with global payment acceptance. We started to build out the necessary eCommerce infrastructure.  

Of course, fraudsters took notice of these new digital areas of attack. Customer management systems are hackable. So are shopping carts and novel checkout processes. Payment card fraud began to pose a significant problem, along with internet-based scams and phishing. One of the most famous included a Denial of Service Attack in February 2000 on Yahoo!, CNN.com, eBay, and Amazon.

Advancements in Encryption and Authentication

Once again, payment security adapted. We needed to fortify online payments in the face of these new threats. As a result, the industry created several tools and techniques, such as:

• 3D Secure: Visa and Mastercard implemented a secondary security protocol known as 3D Secure. In certain risky payment situations, the card issuers could ask for a second proof like a password or PIN. It's a smart extra step that can confirm if a card user is who they said they are.
• Tokenization: Security teams substituted random tokens in place of sensitive data. A bunch of scrambled tokens are useless to hackers. That helps reduce the risk and financial fallout of data breaches or hacks.
• Payment card features: Payment gateways started to compare user data to verify online payments. They used systems like Address Verification (AVS) and Card security codes (CVV) as additional security checks when someone used a credit card for an online purchase.
• Multi-Factor Authentication (MFA): If accounts held sensitive financial data, companies began requesting at least two items of proof. Each user must present data from at least two of three categories: something you know, something you have, and something you are. MFA is still a prominent defense tactic today.  
• Biometrics: With the advancement of technology, security teams started to verify users with aspects of their body (fingers, face, etc). Unique attributes are much harder to copy or hack than a password.  

Regulations and Compliance Standards

By this time, payment security started to grow unwieldy. Think of how complicated it is to match security practices between different countries and governments. Or consider the distinct approaches a bank, a card brand, or a payment gateway will have toward data protection. Some players might have higher or lower standards of security than others. Others might have more resources and access to better technology.

Such a mix lacks consistency. And that makes the industry vulnerable. Fraudsters could exploit our lack of communication. We needed unified strategies (or the more official word: secure interoperability).

That led several governments and organizations to enact regulations such as:

• Payment Card Industry Data Security Standard (PCI DSS) - Rules for managing card data
• Directive on Payment Services (PSD): Consumer protections on electronic payments across the entire European Union
• Fair and Accurate Credit Transactions Act (FACTA): Provisions on the use of financial information and actions for addressing fraud
• Financial Modernization Act (Gramm-Leach-Bliley Act - GLBA): Rules that ensure the confidentiality of consumer data

These directives still guide the payment industry today.

Current And Future Best Practices in Online Payment Security

Even with standardization, online payment security continues its evolution. Fraudsters today are more sophisticated—but so are we. The industry leverages several novel technologies that protect consumers both now and in the future:

• Artificial Intelligence (AI) and Machine Learning (ML): Cognitive systems present a critical improvement in our defense strategies. That's because AI can improve upon itself. Adaptive systems can take static rules and develop better changes from the inputted data. Since machines can compute volumes of data at levels far beyond humans, AI tools present a dynamic approach to security. That's why Chargeflow uses AI-powered tools, such as predictive analytics, tailored risk models, and rapid dispute resolution.
• Blockchain and Distributed Ledger Technology (DLT): Blockchain technology offers decentralized and irreversible transactions. And since public consensus determines validity, it limits the risk and exposure of intermediaries. That makes blockchain a robust form of security (and there are many possible use cases for the tech in the payment industry).
• FIDO2 authenticators: Public key cryptography (and the future of quantum cryptography) offers passwordless forms of authentication. This is yet again another improvement on old login security.
• Behavioral biometrics: Behavioral biometrics uses the most unique aspects of a user: their character. Emotions, facial movements, typing speed, and navigation habits are all measures. These factors offer improved verification.  
• Dynamic fraud solutions: Offense is better than defense. Which is why fraud solutions now focus on proactive prevention tactics. Things like real-time monitoring, velocity checks, and threat intelligence are all excellent examples. Since such tools are so effective, Chargeflow leverages AI to prevent chargebacks and fraud before any issues occur. We flag suspicious activity on risk scores that trigger fraud alerts. Anticipating the actions of criminals drastically improves security outcomes.  

Conclusion

The history of payment security is a testament to the industry's adaptability. We have come a long way. Initially driven by the needs of early eCommerce platforms, we now operate advanced defense tools to protect our global marketplace.

Still, the task of security continues. We need innovative measures that can match the evolving attacks of fraudsters. And that's why chargeflow continues to adapt in step. We know the importance of customer trust, so we use the most capable tools (AI, machine learning, etc) to stay ahead of the fraud economy.

Want to know how Chargeflow can protect you and your customers? Set up a demo today. ‍