Digital Payment Security Risks and Best Practices


The use of digital payments has grown in recent years, especially since the outbreak of the COVID-19 pandemic. However, as more shoppers increasingly rely on digital methods to purchase products and services, some malicious actors have spotted an opportunity to exploit online security vulnerabilities and steal sensitive personal information.

While businesses have a significant financial incentive to accept digital payments, it is critical that they understand the main security risks associated with them and put the right protocols in place to mitigate the risk to themselves and customers. This could help them take advantage of digital payments while ensuring the long-term viability of their customer relationships.

Why is digital payment security more important today?

The lockdowns and business closures that resulted from the pandemic caused a substantial increase in the use of digital technologies to complete financial transactions. By the end of 2020, close to 80% of shoppers in the United States were using some form of digital payment, according to McKinsey & Company.

This transition was sudden and widespread, and many companies did not have the requisite cybersecurity protocols in place to protect the reams of consumer data now being exchanged online. In fact, only 40% of small businesses had an adequate cybersecurity policy after the outbreak of the public health crisis, according to the Cyber Readiness Institute.

Many malicious actors concluded that this trend was a highly lucrative opportunity to exploit unprepared online companies and exfiltrate consumer data for financial gain, and that has caused the number of attacks to increase in recent years. Research from Accenture found that cyberattacks increased by 31% between 2020 and 2021.

Are digital payments more secure than offline payments?

Digital payments are typically more secure than offline payments for a variety of practical reasons. First, paying for items using physical cash or cards requires that customers carry those items around with them, possibly exposing themselves to robbery. In such an event, their cash or cards could be lost permanently. This problem is mitigated in cyberspace, where financial transactions typically have long electronic record trails that can track online consumer behavior with precision, making it easier to identify possible fraud or theft.

Similarly, physical transactions require that companies hold onto cash assets on-premises, potentially making their store the target of an attack. With digital payments, funds are immediately and automatically transferred directly to the merchant’s bank account, removing them from on-premises locations and placing them behind an extremely tight security apparatus.

However, there are some unique security challenges associated with digital payments. When consumers make payments online, it is difficult for the merchant to verify their identity due to the faceless, relatively anonymous nature of the transaction. This can make some routine security mechanisms somewhat obsolete, which could make fraud and theft more likely in some cases.

What are some of the most common digital payment risks?

Businesses that accept digital payments face a number of security risks, including:

Third-party risk

Many companies today are relying on third parties to handle critical business functions in order to increase efficiency and reduce costs. This can create layers of additional risk if companies fail to properly vet their third-party vendors prior to establishing a business relationship. Complicating this issue is that many third-party vendors are also outsourcing their own functions to external parties, creating fourth- and fifth-party risk.

When accepting digital payments, companies often work with numerous vendors, including payment processors, point-of-sale system vendors, payment gateway providers and more. Insufficient third-party security controls could cause all of the data shared across these devices and applications to be exposed to risk.

Phishing scams

Phishing is historically one of the tried-and-true methods of data theft, but it continues to be an effective form of hacking in the digital economy. According to research from Proofpoint, 83% of organizations were subject to a phishing attack in 2021, a 26% increase from the previous year. When conducting a phishing scam, malicious actors might send seemingly benign communications to unsuspecting users (often in the form of emails) claiming to be a known or otherwise trustworthy source (like a bank, lending institution or university).

The hacker usually asks for sensitive personal information to complete an urgent request, like completing an application for a loan that requires banking details. Once the subject of the attack complies, hackers can use their personal information to access the funds in their credit cards and bank accounts. Both junior staff and senior managers could be subject to phishing scams that expose data and lead to theft.

Malware

A malware infection occurs when users download an app, file or attachment that contains malicious software. Once the malware infects the device, the hacker behind the software has access to all of the information stored on the device. While many companies have firewalls and antivirus software installed on their desktops and laptops, they often skip these security measures on their mobile devices.

An increasing number of businesses are processing payments using a tablet or smartphone as their point-of-sale system. The potential storage of such a large volume of cardholder information could make these devices the target of a malware attack, exposing the data of anyone who has made a purchase on that device.

Digital payment security best practices

The increasing use of digital payments makes securing sensitive customer information critical to long-term stability and success in the modern economy. Fortunately, there are several steps businesses can take to strengthen their data privacy protocols and maintain the security of their digital payments. These include:

1. Two-factor authentication

Implementing two-factor authentication adds a simple yet effective layer of security to digital payments through more robust customer identification procedures at the point of sale. Before customers can complete a transaction, they must supply an additional form of digital identification to authenticate their identity. Often, they will receive a unique code in their email or in a text message to their smartphone, which they must supply to complete their transaction.

To avoid adding steps that cause customers to abandon their carts, it is important that your two-factor authentication process is streamlined and does not add too much friction to the buying process.
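The one-time code described above has to be handled carefully on the server side: it should be random, short-lived, single-use, stored only as a keyed hash, and voided after a few wrong guesses. The following is an added example of that server-side handling, not code from Comerica Bank; the five-minute lifetime, five-attempt limit and the class and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy: a code is good for five minutes
MAX_ATTEMPTS = 5         # assumed policy: five wrong guesses void the code

# Added example (not Comerica's code): server-side handling of the one-time
# code sent to the customer by email or SMS before a transaction completes.
class OneTimeCodeStore:
    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key     # secret kept on the server, never sent out
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # txn_id -> [mac, expires_at, attempts_left]

    def _mac(self, txn_id: str, code: str) -> bytes:
        # Store a keyed hash rather than the plain code, so a leaked table
        # of pending challenges does not hand out usable codes.
        msg = f"{txn_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, txn_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        self._pending[txn_id] = [self._mac(txn_id, code),
                                 self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code   # the caller delivers this to the customer's phone/email

    def verify(self, txn_id: str, code: str) -> bool:
        entry = self._pending.get(txn_id)
        if entry is None:
            return False
        mac, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            self._pending.pop(txn_id)      # expired or locked out: discard
            return False
        entry[2] -= 1
        if hmac.compare_digest(mac, self._mac(txn_id, code)):   # constant time
            self._pending.pop(txn_id)      # single use: consume on success
            return True
        return False
```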

2. Ensure PCI DSS compliance

The Payment Card Industry Data Security Standard (PCI DSS) provides companies with a detailed set of guidelines they can use to enhance the protection of consumer credit card data. There are 12 components required to be PCI DSS compliant, including using secure firewalls, encrypting cardholder data, updating software on a routine basis, and restricting access to systems and devices.

While PCI DSS compliance could add a layer of security to digital payment systems, it also signals to consumers that companies take the privacy and security of their data seriously, which could help to create stronger customer relationships.

3. Train employees on best practices

Hackers often take advantage of unsuspecting employees to gain access to critical systems and devices. You should conduct routine employee training sessions to ensure they are up to date on the latest security best practices. Employees should be trained on good password procedures, identifying possible scams, and reacting in the event of a cybersecurity incident.

4. Tokenize customer card data

Tokenization is a secure method of payment data encryption that converts credit card information into a series of randomly generated numerals. This new sequence of numbers is called a token. The numbers contained in these tokens have no inherent value (beyond the card information they represent), so they can be transferred between different parties involved in the digital transaction process without the risk of being stolen by malicious actors.
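To make concrete what "no inherent value" means in practice, here is an added example of a minimal tokenization vault, written for this article rather than taken from Comerica Bank or any payment processor. It assumes the vault is the only system holding real card numbers, that tokens keep the last four digits for receipts, and that a token is deliberately generated so it fails the Luhn check and can never be mistaken for a real card number; the class and function names are invented for the illustration.

```python
import secrets

# Added example (not Comerica's code): a minimal tokenization vault. The real
# card number (PAN) lives only inside the vault; every other system in the
# payment flow stores and passes around the random token instead.
class TokenVault:
    def __init__(self):
        self._token_to_pan = {}   # the only place real PANs are kept
        self._pan_to_token = {}   # so the same card always gets the same token

    @staticmethod
    def luhn_valid(number: str) -> bool:
        """Luhn check used by card brands; a real PAN passes it."""
        total = 0
        for i, ch in enumerate(reversed(number)):
            d = int(ch)
            if i % 2 == 1:            # double every second digit from the right
                d = d * 2 - 9 if d > 4 else d * 2
            total += d
        return total % 10 == 0

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and self.luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Keep the last four digits so receipts can show "ending in 1111";
            # the rest is random. Reject candidates that pass Luhn (so a token
            # can never be mistaken for a real PAN) or that are already in use.
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            if token not in self._token_to_pan and not self.luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (inside PCI scope) can turn a token back into a PAN."""
        return self._token_to_pan[token]   # KeyError for an unknown token
```

A stolen token is useless to an attacker because nothing outside the vault can map it back to the card, which is why the vault, not every system that sees a token, is what must sit inside PCI DSS scope.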

Secure digital payments with Comerica Bank

The trend toward digital payments and online shopping is likely to continue increasing in the coming years, representing a substantial opportunity for businesses to expand their operations and reach new customers. However, this also creates additional security risks that business leaders will have to address in order to fully take advantage of this trend. Businesses need to have a comprehensive digital strategy in place to mitigate possible risks and ensure success in this new landscape.

Comerica Bank provides customers with the solutions and expertise needed to accelerate their digital transformation and stay ahead of a changing economy. Contact us today to start a conversation.

This information is provided for general awareness purposes only and is not intended to be relied upon as legal or compliance advice.

This article is provided for informational purposes only. While the information contained within has been compiled from source[s] which are believed to be reliable and accurate, Comerica Bank does not guarantee its accuracy. Consequently, it should not be considered a comprehensive statement on any matter nor be relied upon as such.
