Foregenix Blog

Jake Dennys

Using a hosted payment page? This is why you still need to secure your website.

10/09/18 11:37

Many companies that host payment pages will boast of their ability to securely process payments. Whilst this may be true, it does not mean that your customers' data is secure on your website. If you fail to invest in a competent cybersecurity solution, you’re leaving your customers vulnerable to fraud and your business open to a costly breach.

What is a hosted payment page?

A hosted payment page is a payment page that exists separately to your online environment. Once the customer clicks a ‘Buy now’ button, they’re whisked away to a payment page located on a different website.

It works like this:

  • Customer adds items to their online basket and proceeds to the checkout.
  • When they want to pay, they’re re-directed to the hosted payment page. Their credit card information is entered and submitted on this page.
  • Once complete, a transaction receipt is created.

There are benefits to using a hosted payment page, which will be discussed, but it doesn’t mean overall security should be overlooked.

Why use a hosted payment page?

Using a hosted payment page can help a small business save on crucial expenses. As you may know, developing and creating your own payment page can be costly and time-consuming: you need to individually integrate each payment method and currency, and sometimes even have the page translated into multiple languages.

Making use of a hosted payment page can alleviate some of these concerns, so you can focus on providing the best products for your customers.

They can be easily integrated into your website and setup doesn’t require a great deal of web development. Some services also offer transaction reporting and instant order notification, so that you can keep a firm eye on your business operations.

This may seem like an appealing prospect; not processing the transaction on your page means you don’t have to worry about security, right? Wrong.

Attackers can access customer data even if you use a hosted payment page.

All merchants who process payment card information need to be PCI compliant, and using a secure payment page is only one piece in a much larger puzzle.

Customers' sensitive data, both financial and personal, is at risk even if you use a hosted payment page. Once an attacker has access to your environment, they can set up fake payment pages that redirect your customers to their malicious site. These pages often look almost identical to the real thing and, without a trained eye, customers probably wouldn’t be able to tell.

Once on the rogue payment page, the unknowing victim enters their data, which is then harvested and sent away to a third party.

Below are some things to look out for the next time you are trying to purchase goods online:

  • URL: Simply check that the URL you have been taken to is correct. If the website informs you that you are going to be redirected off to another website where you will be asked to input card data, check the URL that you are taken to. If it stays the same, then there is likely something suspicious happening behind the scenes.
  • SSL: When you are redirected to a payment page hosted by a Payment Service Provider (PSP), the SSL certificate should belong to the PSP, not someone else.

There are also steps that you can take as a business owner to ensure your eCommerce website is not sending your customers to a fake payment page and in turn losing their card details:

  • Go through the above-mentioned steps and check them yourself.
  • Perform regular test transactions in order to ensure that the payment process is operating normally. Make sure it goes to the correct pages as defined by the eCommerce site.
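The URL and certificate checks above can be scripted as part of a regular test transaction. The following is an added example, not code from Foregenix or any PSP; `SHOP_HOST`, `PSP_HOST` and the sample certificates are constructed placeholders, and the certificate argument uses the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Hypothetical configuration: the shop's own host and the PSP host it hands off to.
SHOP_HOST = "shop.example"
PSP_HOST = "pay.psp.example"

# Constructed sample certificates (only the field this check reads).
GOOD_CERT = {"subjectAltName": (("DNS", "pay.psp.example"), ("DNS", "*.psp.example"))}
ROGUE_CERT = {"subjectAltName": (("DNS", "pay-psp.example.net"),)}


def _name_matches(pattern: str, host: str) -> bool:
    """Match a certificate DNS name against a host; '*' may replace the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def check_payment_redirect(redirect_url: str, cert: dict) -> list[str]:
    """Return findings for one test transaction; an empty list means nothing unexpected."""
    findings = []
    parts = urlsplit(redirect_url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("payment page is not served over HTTPS")
    if host == SHOP_HOST:
        # The URL "stayed the same": the card form is being served by the shop itself.
        findings.append("no redirect happened: card form is on the shop's own host")
    elif host != PSP_HOST:
        findings.append(f"redirected to unexpected host {host!r}")
    # Domain-validated certificates carry no organisation name, so the
    # automatable check is that the certificate covers the expected PSP host.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(n, PSP_HOST) for n in names):
        findings.append("certificate does not cover the expected PSP host")
    return findings


if __name__ == "__main__":
    print(check_payment_redirect("https://pay.psp.example/checkout?id=1", GOOD_CERT))
    print(check_payment_redirect("https://pay-psp.example.net/checkout", ROGUE_CERT))
```

Feed it the address the test transaction actually lands on and the certificate presented there; any non-empty result is a reason to inspect the site's checkout code.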

We offer a File Integrity Monitoring system packaged with our website security service ‘FGX Web’ – which is essentially an all-in-one solution that bakes security into your website. File Integrity Monitoring systems will detect new files uploaded to the website and any modifications, which could cause the site to serve fake payment pages.
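To show the principle behind file integrity monitoring, here is a minimal sketch that records a hash baseline of a web root and reports new, modified and removed files. It is an added example and not how FGX Web is implemented; the file names in the demo are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(webroot: str) -> dict:
    """Map each file path (relative to webroot) to its SHA-256 digest."""
    root = Path(webroot)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report files that are new, changed or missing relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(f for f in baseline.keys() & current.keys()
                           if baseline[f] != current[f]),
        "removed": sorted(set(baseline) - set(current)),
    }


if __name__ == "__main__":
    # Constructed demo: a temporary directory stands in for the web root.
    with tempfile.TemporaryDirectory() as webroot:
        root = Path(webroot)
        (root / "checkout.php").write_text("<?php // original checkout")
        baseline = snapshot(webroot)  # take this on a known-good deployment

        # Simulate the changes described above: an edited file and a new upload.
        (root / "checkout.php").write_text("<?php // edited checkout")
        (root / "pay.php").write_text("<?php // unexpected new page")
        print(compare(baseline, snapshot(webroot)))
```

Keep the baseline somewhere the web server cannot write to, otherwise whoever alters the site can alter the baseline as well.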

There are many different ways that hackers can break into your website and access your customers' cardholder data: SQL injection, spyware and phishing attacks, just to name a few. Fake payment pages are a small fish in an ocean of malicious activity. You need to stay protected if you want to keep operating as an eCommerce retailer.

If you’re worried about the state of your website's security, try out our external malware scanning tool. It’s free, quick and easy.

 
