What to look out for when you're setting up an online sales process

The ability to accept payment on a website is a vital part of the internet sales process, but one that is fraught with danger for small firms. The trick, says Jo Faragher, is to research the options carefully

Did you know that on the ‘dark web’, the secret encrypted network, you can buy any number of individuals’ credit card details, complete with expiry dates and the crucial three numbers on the back, for a matter of dollars? Personal data, even log-ins for services such as Uber and Netflix, can command even more, according to security company Trend Micro. 

Almost eight in 10 FSB members use the internet for selling, while 63 per cent use it to take payments, found a 2015 report by the FSB into digital adoption. So it’s crucial for members to be aware of the risks presented by transacting online – whether that’s theft of credit card details or theft of personal data. 

FSB is pushing the Government to consider making cyber-insurance compulsory and has introduced it as a free benefit for members – see But, whether or not your company has this protection, you need to know how to make the online experience secure for you and your customers. 

The first rule is do not try to take customers’ credit card details yourself, says Sian John, Director of Security Strategy for internet security company Symantec. “If you process the credit card data, you could be liable and it’s unlikely you’ll be meeting the Payment Card Industry Data Security Standard [requirements that a business using card information must follow]. If there’s a breach and you get investigated, you might not be able to transact.” 

Using a payment service provider (PSP), merchant services provider or payment gateway attracts a fee, but it means you pass on that liability to a third party should there be a theft while someone is paying for their goods online.

Choose carefully

Before signing up with a PSP, do your research. The market for these service providers has become increasingly competitive, and prices can vary considerably. You can choose from services offered by your bank, well-known names such as Worldpay – which provides FSB’s card payment processing offer – and PayPal, or a growing number of start-ups in this area. Choose a service provider that meets your needs, not just the one with the most attractive price point.

Geraldine Grandidier, Chief Executive of FSB London member Tidy Books, which sells children’s bookcases and furniture online, chose a service called Stripe because it was recommended by her web-hosting company. 

“It is used to dealing with Stripe and found it easy to build into our platform. There was no set-up fee and we pay monthly,” she says. 

However, using a third party to process payments does not mean your business is untouchable when it comes to data theft. Security expert Shaab Al-Baghdadi, Head of Channel Development at Blackfoot UK, likens an investment in a PSP service to buying house insurance. “If there is a breach, the first thing they will do is see if you adhered to the terms and conditions,” he says.

“It’s a bit like a home insurance company checking whether you locked your doors or your smoke alarm was working. When you sign up, make sure you can adhere to the terms and give evidence of this.”

Data protection

While card fraud is a real threat – fraud losses resulting from online card transactions totalled more than £260 million in 2015, according to Financial Fraud UK – it’s not the only aspect of trading online where small firms need to protect themselves. If a criminal steals personal data, you could end up facing an investigation by the Information Commissioner’s Office (ICO) or even a hefty fine. 

Under the Data Protection Act, if you hold and process information about clients or suppliers, you are obliged to protect it and to be explicit about what you intend to do with it. From 2018, a European law known as the General Data Protection Regulations is being introduced, applying a potential penalty of 4 per cent of your company’s turnover if you don’t comply. 

So it’s important not to get complacent about the security of your website just because you pay a service provider to process your payments. “As a payment gateway provider, it is our responsibility to build gateways that are secure and based on simple command structures,” says David Midgley, Head of Operations at Total Processing.

“However, ecommerce sites can further minimise the risk of a breach by ensuring their site is built securely and any application program interfaces can’t be easily infiltrated.”

To help ensure criminals can’t enter through the back door, make sure the site is regularly updated and that you or your web-hosting provider apply security patches regularly.

Cardiff Sports Nutrition, which sells sports supplements online, has doubled up on protection. “We often receive fraudulent orders through our online store, but a combination of a fraud-screening tool and our own risk-management procedure means any successful fraudulent activity is rare,” says Marc Robinson, Managing Director.

Striking a balance

One challenge of making transactions secure is ensuring customers’ experience of using your site is positive while protecting them from fraud and identity theft. This can be a difficult balancing act, says Ms John from Symantec. “People might not want to register or enter a password just to browse, but they tend to expect it when they purchase,” she says. You could use two-factor authentication, whereby a transaction requires something extra such as a one-off code. But bear in mind whether this adds to or detracts from the customer’s ‘journey’ through the site, she adds.

Some websites allow consumers to log in using their social media accounts such as Google or Facebook, but not everyone trusts these routes because of privacy concerns, so it’s important to offer an alternative. A new option for those looking to have an online presence but without having to maintain a site is FSB Marketplace, a secure online selling portal where members can sell to both members and non-members. Register at

Selling online allows small firms to offer their products and services on a world stage. But offering customers a secure experience is a priority. After all, it may not just be data or money that goes missing; a breach could affect your reputation forever.

Fraud online: what to look out for

Cybercriminals and fraudsters are increasingly focusing their efforts on smaller businesses because they perceive them to be less secure, according to James Frost, UK Chief Marketing Officer for Worldpay, which runs card processing services for FSB members (see for more information).

Its survey found that data breaches increased by 144 per cent for small firms in 2015, with the majority of problems traced back to small businesses hosting their own payment pages.

“These businesses are leaving themselves vulnerable to cyber-attacks,” says Mr Frost. “Fraudsters are also increasingly keen to exploit so-called ‘cardholder not present’ opportunities online, which typically represent a softer target than in-store transactions.”

Some of the signs of potential online payment fraud include:

• Shopper fails address verification (AVS), CVV or 3D-Secure checks
• Multiple purchases of the same and/or high value items
• Inconsistencies in purchase data – for example a UK billing address but US card and French IP address
• Multiple declines relating to the same email address, billing/delivery address or cardholder name
• Unusual foreign card use
• Delivery address is in a different country from the billing address

Failing to take steps to stop fraud could be costly, warns Mr Frost: “Data breaches could lead to industry fines and clean-up costs, while fraud usually results in chargebacks and the cost of items that have been purchased fraudulently, not to mention the potential impact of an attack on your brand and customer loyalty.”
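The six warning signs listed above can be applied to each incoming order as a simple rule-based screen. The following is an added example, not code from FSB, Worldpay or any provider named in this article; the field names, thresholds and sample order are assumptions constructed for illustration.

```python
from collections import Counter

HIGH_VALUE = 500.00  # assumed price threshold; tune to your own catalogue

def screen_order(order, history, home_country="GB"):
    """Return the warning signs an order triggers (field names are hypothetical)."""
    flags = []
    # Sign 1: failed AVS, CVV or 3D-Secure check (a missing result is not a failure)
    failed = [c for c in ("avs", "cvv", "three_ds") if order["checks"].get(c) is False]
    if failed:
        flags.append("failed_checks:" + ",".join(failed))
    # Sign 2: multiple purchases of the same and/or high-value items
    qty = Counter()
    for item in order["items"]:
        qty[item["sku"]] += item["qty"]
    pricey = sum(i["qty"] for i in order["items"] if i["price"] >= HIGH_VALUE)
    if max(qty.values(), default=0) >= 3 or pricey >= 2:
        flags.append("repeat_or_high_value_items")
    # Sign 3: billing, card and IP countries disagree
    if len({order["billing_country"], order["card_country"], order["ip_country"]}) > 1:
        flags.append("inconsistent_countries")
    # Sign 4: earlier declines sharing this order's email, address or cardholder name
    keys = ("email", "billing_address", "cardholder")
    declines = sum(1 for h in history if h["status"] == "declined"
                   and any(h[k].lower() == order[k].lower() for k in keys))
    if declines >= 2:
        flags.append("multiple_declines")
    # Sign 5: foreign card (simplified here to "issued outside the home country")
    if order["card_country"] != home_country:
        flags.append("foreign_card")
    # Sign 6: delivery address in a different country from the billing address
    if order["delivery_country"] != order["billing_country"]:
        flags.append("delivery_billing_mismatch")
    return flags

# Constructed sample data, not real orders
HISTORY = [
    {"status": "declined", "email": "a@example.com",
     "billing_address": "1 High St", "cardholder": "A Buyer"},
    {"status": "declined", "email": "A@Example.com",
     "billing_address": "9 Low Rd", "cardholder": "B Buyer"},
]
ORDER = {
    "email": "a@example.com", "billing_address": "1 High St", "cardholder": "A Buyer",
    "checks": {"avs": False, "cvv": True, "three_ds": True},
    "items": [{"sku": "TV-55", "qty": 3, "price": 650.0}],
    "billing_country": "GB", "delivery_country": "GB", "card_country": "US", "ip_country": "FR",
}
if __name__ == "__main__":
    print(screen_order(ORDER, HISTORY))
```

An order that raises several flags is a candidate for manual review before dispatch, not an automatic rejection; legitimate customers do sometimes buy from abroad or ship to another country.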