Payment Security

What Works

• Use hosted payment pages (Stripe, Square) — you never touch raw card data
• Enable AVS (address verification) and CVV checks for card-not-present transactions
• Review transaction reports weekly for anomalies — catches fraud before it scales
• 3DS2 (3D Secure) for high-ticket transactions adds friction but stops most fraud

Watch Out For

• PCI compliance isn't a one-time checkbox — it's an annual audit + ongoing SAQ
• Self-hosted checkout forms create PCI scope — hosted iFrames remove it
• Password-reused accounts are the #1 merchant portal compromise vector

Frequently Asked Questions

What is PCI compliance?

PCI DSS is the Payment Card Industry Data Security Standard — a set of requirements for any business that stores, processes, or transmits cardholder data. For most small businesses, using a hosted payment page keeps you in the simplest compliance tier.

Do I need to be PCI compliant?

Yes, if you accept cards. But most small businesses qualify for SAQ-A (the simplest tier) if they use hosted payment pages and never touch card data directly.

How do I protect against payment fraud?

Enable CVV and AVS checks, review your transaction report weekly, use 3D Secure on high-value orders, and keep your processor credentials in a password manager with 2FA.