Security

Overview

Accepting payments with Straal is safe and secure – both for your business and your customers. Thanks to the highest-class security measures, you can rest assured that your customers' payment data will be fully secure throughout the entire process.

Straal offers a set of solutions that limit fraud risk: automatic control tools and 3-D Secure, an option for securing transactions with a one-off code sent by SMS to the customer from their issuing bank.

In this section you will learn about:

  • PCI DSS
  • 3-D Secure
  • how Straal protects you from fraud

PCI Compliance

PCI DSS is the global data security standard developed by the Payment Card Industry to maximise the protection of cardholder data and thereby reduce credit card fraud. It consists of steps that reflect security best practices. Compliance with PCI requirements is expected from all entities that process, store or transmit cardholder data or sensitive authentication data.

One option, requiring some time and effort, is undergoing the PCI compliance certification process by working with a certified PCI Auditor. An alternative is shifting some responsibility for the data to an external entity like Straal. You can do so by using our own Checkout Page or by designing a custom payment form with Straal.js.

The minimum compliance requirement is completing a PCI Self-Assessment Questionnaire. It takes less time and preparation than undergoing full certification.

SAQ types required for each integration type

Integration type: Straal Checkout Page
Required SAQ: SAQ A – the simplest method of PCI validation, a 19-page questionnaire.

Integration type: Custom payment form with Straal.js
Required SAQ: SAQ A-EP – a more stringent self-assessment questionnaire, twice as long as SAQ A.

Integration type: Mobile SDK
Required SAQ: SAQ A-EP (if using our SDKs for iOS or Android) – a more stringent self-assessment questionnaire, twice as long as SAQ A. If you choose to write your own code, you may be subject to more PCI requirements, and SAQ A-EP will not be enough.

Integration type: Back-end-to-back-end integration
Required SAQ: SAQ D (over 40 pages long) – the strictest questionnaire, because the customer data passes through your backend.

Read more about types of PCI SAQs in PCI SSC Document Library or read more about PCI Security Standards in general at PCI SSC.

3-D Secure

Add an extra layer to your fraud protection with 3-Domain Secure. It's a tool that will help you verify the payer's identity with the help of the card issuer, such as Visa or MasterCard.

How 3-D Secure works

In the past, 3-D Secure authentication would require an additional security step for the customer, such as a special password. It discouraged customers from making a payment.

This is not the case with the innovative application of 3-D Secure provided by our partners. Straal's application is risk-based and takes place "behind the scenes" while the payment is processed.

The effects

3-D Secure helps you reduce the risk of fraud. It adds another layer of protection in terms of chargeback liability: in the case of a fraudulent transaction, the acquiring bank accepts responsibility for the resulting losses, so you don't need to worry about fraud-related chargebacks.

Fraud Protection System

Payment fraud with stolen bank cards or their details poses one of the most serious challenges faced by e‑commerce companies worldwide. Every transaction made by a fraudster results in the funds being returned to the rightful owner of the bank card (a chargeback). Its cost has to be covered, and the losses are borne mostly by the seller.

What to do in case of chargebacks and fraud

Are your transactions being charged back, and would you like to minimise the associated expenses? There are a few things you can do:

  • Contact your client to confirm whether their card details have been compromised.
  • Block the customer account until the situation is resolved.
  • Cancel the suspicious subscription.
  • In case of fraud, you can refund the transaction manually. This way, you may avoid a chargeback and the fees associated with it.

Fortunately, there are ways to proactively safeguard yourself against thieves. By deciding to accept payments with Straal, you can choose to receive a set of high‑quality solutions designed to help prevent payment fraud.

Companies operating in certain areas of online commerce are particularly vulnerable to payment fraud. With such entities in mind, Straal – in collaboration with its technological partner, Nethone – offers high‑quality AI‑based anti‑fraud solutions.

Nethone

To help you avoid even the most sophisticated fraud, Straal has partnered with Nethone – the leading global supplier of AI‑based anti‑fraud solutions.

Nethone makes use of a number of advanced user profiling tools and methods as well as bespoke Machine Learning models created individually, per business case.

The system x‑rays each user of your website and assesses in real time and with unprecedented precision whether the user is a rightful cardholder or a fraudster. Thanks to Machine Learning, every analysed user adds to the effectiveness of the system.

This solution works in the background and its presence is not noticeable to your customers.

The Nethone profiler tool is embedded in your website, and analyses current traffic. When it detects a suspicious signal, it sends a notification.

Nethone performs diagnostics on over 5000 metrics in five categories:

  1. Hardware and OS setup (for example: virtual machine used)

  2. Browser intelligence (for example: user-agent spoofing)

  3. Behavioural analysis (for example: keyboard or mouse not used)

  4. Network characteristics (for example: Tor network used)

  5. Anomaly detection (for example: OS and browser language mismatch)

It's possible to extend Nethone's functionality so it also reports various events taking place on the website, such as confirming the email or requesting a password change.

To help you integrate with Nethone, a Nethone customer support engineer will guide you through the process. If you're considering using Nethone, let our Sales Team know.

For Nethone‑specific inquiries, write to Nethone support or check their website.

Security best practices

Do not store payment card details in your system
  • Whenever possible, avoid storing card details.
  • If you need to, you can store the expiry date or the BIN (the first 6 digits of the card number). However, you should never store the complete card number.
  • You should never store the CVV/CVC.

Following this advice will significantly limit the security requirements set out by PCI DSS that apply to you.

With Straal, card registration takes place in our system, where card details are encrypted. When you charge a card, you use a Straal reference, which acts as a secure token. Read more about tokenization.

Hide error details from the customer

If a transaction fails, Straal returns an error specifying the reason it failed. It can contain the phrase "dropped by antifraud". This detail is intended for you: it is good practice to hide it from the customer and instead display a generic "Transaction failed" message. Exposing the customer to detailed error messages could give fraudsters useful information.
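The two best practices above (store only the BIN and expiry, and show the customer only a generic failure message) as an added example that is not Straal's own code. The card object, the decline payload and the field names are constructed for illustration; Straal's real API format is not assumed.

```javascript
// Constructed sample input as a customer might submit it (test PAN, not a real card).
const SAMPLE_CARD = {
  number: "4111 1111 1111 1111",
  expiryMonth: "12",
  expiryYear: "2027",
  cvv: "123",
};

// Keeps only the fields the page says may be stored: BIN (first 6 digits)
// and expiry. The full PAN and the CVV/CVC are deliberately dropped.
function storableCardData(card) {
  const digits = String(card.number).replace(/\D/g, "");
  if (digits.length < 12 || digits.length > 19) {
    throw new Error("card number has an unexpected length");
  }
  return {
    bin: digits.slice(0, 6),
    expiryMonth: card.expiryMonth,
    expiryYear: card.expiryYear,
  };
}

// Guard for any record about to be persisted or logged: flags known
// sensitive keys and any value that looks like a full card number.
function containsSensitiveCardData(record) {
  const forbiddenKeys = ["number", "pan", "cvv", "cvc", "cvc2"];
  for (const [key, value] of Object.entries(record)) {
    if (forbiddenKeys.includes(key.toLowerCase())) return true;
    if (typeof value === "string" && /\b\d{13,19}\b/.test(value.replace(/[ -]/g, ""))) {
      return true;
    }
  }
  return false;
}

// Constructed decline payload (hypothetical shape, not Straal's actual error format).
const SAMPLE_DECLINE = { status: "failed", reason: "dropped by antifraud" };

// Splits a gateway error into what the merchant keeps internally and what the
// customer is shown. The customer always gets the same generic message.
function customerSafeError(gatewayError) {
  return {
    internal: { status: gatewayError.status, reason: gatewayError.reason },
    customer: "Transaction failed",
  };
}
```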

What you can do next:

Remember you can consult our comprehensive API Reference at any moment.

For help with payments vocabulary, head to our glossary.

You can reach us by e-mail. IT Support: [email protected], Support Team: [email protected].