In 2024, the cybersecurity landscape darkened: personal data breaches reported to the CNIL jumped by more than 20%

This figure reveals the extent of current digital vulnerability. Cyber attacks are in the news every day. Even in May 2025, a global data leak exposed more than 2.3 million bank cards. It follows the leaks of millions of customers of French retailers in the fields of luxury, telephony, banking, e-commerce and administrations. Personal and banking information is then found on the dark web where they are then used to trick individuals in order to usurp their identity, embezzle their funds...

For e-retailers, this reality is all the more critical as they handle sensitive payment data on a daily basis. Samuel Delplace, Head of Infrastructure & Security, identified the main attack vector: the vulnerability of accounts and passwords.
Over the past two years, the majority of intrusions have come from compromised accounts because their password was too weak or reused on several sites, both in professional and personal environments. Email/password combinations are stolen and stolen among hacker communities. All it takes is a leak for these identifiers to be massively tested elsewhere, until you find the site or subcontractors of a major retailer where they will make it possible to extract data en masse.

Faced with this reality, how can e-retailers strengthen their security while maintaining the user experience?  

This article shows you the levers to be implemented, inspired by regulatory requirements and operational best practices.

1) Secure access to your customers' accounts

The principle of defense: as with protecting a house, the more difficult you make it to access, the more the attacker will favor an easier target. If each web player reinforces their security requirements, we collectively create a deterrent effect.

Tip #1: deploy social login

It is a function that allows users to register and connect via their Facebook, Google or Apple ID account... and makes it possible to avoid having a password linked to the site, while benefiting from a relatively fast connection.

This approach has the advantage of delegating authentication to platforms that are already secure, reducing the risk of phishing and preventing your customers from remembering yet another password.

Tip #2: Enforce a strict password policy

Whether it's for creating and renewing passwords, you can follow the recommendations From ANSSI :

1. Minimum length of 12 characters
2. Combination of uppercase, lowercase, numbers, and special characters
3. Renew at least once a year and in case of suspected compromise

This may seem obvious, but did you know that in France the most used passwords remain “123456", “123456789" and “azerty”?

Tip #3: Offer multi-factor authentication (MFA)

TEATwo-Factor Authentication remains the most effective method of countering compromised account attacks today. Even if the attacker has the right credentials, they won't be able to access the account without the second factor (usually the user's smartphone).

Recommended options:

• Smartphone push notification
• Authentication applications (Google Authenticator, Authy)
• Passkeys : The New Generation of Passwordless Authentication

Tip #4: Proactively monitor data breaches

Act preventively with your customers by detecting compromised passwords. Then alert them as soon as possible and recommend that they change their password.

You can use technological and secure solutions such as ReachFive to ensure this continuous protective watch.

2) The rules of the art of the payment profession: PCI-DSS certification

‍Understanding the PCI-DSS standard

The Payment Card Industry Data Security Standard is the international reference for all professionals involved in the entry, transfer, processing and storage of card payment data. The purpose of this standard is to ensure the highest level of security and to protect user card data.

Your Obligations as a Merchant

A fundamental recommendation applies to e-commerce sites: never store payment data. Never. Ever.
It is your responsibility to ensure that data is captured, transferred, processed, and stored in a secure and certified compliant environment. To do this, the most appropriate strategy is to entrust them to a payment service provider (PSP or payment orchestrator) certified PCI-DSS level 1. You can also simply implement a certified environment, but the work will be particularly arduous and expensive.

As a merchant, you must be able to prove to your acquiring bank that you meet the requirements (the level of requirement depends on the volume of transactions processed).

As the CIO of an e-commerce site, you generally need to:

• Verify the PCI DSS certifications of your payment providers annually.
• Ensure that the payment page is managed by the PSP or Orchestrator: either via a payment widget or a redirection page.
• Complete an SAQ self-assessment questionnaire corresponding to your profile.
• Conduct ASV vulnerability scans every quarter.

Risks in the event of non-compliance

Failure to meet PCI-DSS requirements exposes your business to:

• Fines imposed by Visa and Mastercard.
• An questioning of your responsibility in the event of an incident that may lead to a ban on the processing of Visa and Mastercard cards.
• A loss of trust from your customers.

To find out more about the standard and the security requirements expected according to your profile, you can consult the Official site.
Choosing a trusted technology partner like Purse will ensure you check all the boxes.

3) Secure your internal environment

Your teams, subcontractors and systems are prime targets for hackers.
Internal teams are often the weakest link exploited by cybercriminals. For them it is a way to enter a system that is very rich in user data.

Unlike customers, the challenge here goes beyond the user experience: It's about protecting your system, your turnover, and your reputation.

Tip #1: strong authentication for all employees.

Setting up a strong authentication system for employees is, from our point of view, essential and a good practice that we strongly recommend. It must be generalized on your own tools as well as to access the systems of your subcontractors.

Users in your organization who log into the Purse merchant admin portal are required to authenticate with an MFA system to ensure secure access to your data.

Tip #2: Reduce the attack surface

The advice seems obvious but in practice, it is not implemented as often as it should be. The fewer opportunities we give cyber hackers to enter, the more difficult we make it difficult for them to access and in the end, the less risks there are.
A regular audit of your system to identify anything that is potentially open will allow you to set up a policy adapted to each network flow:

• Encrypt all flows using HTTPS.
• Have a least privilege access policy.
• Close unnecessary ports and services.
  

Tip #3: Detect vulnerabilities

Set up a structured process:

• Systematic identification of vulnerabilities.
• Classification by criticality level (low/medium/high/critical).
• Priority correction of critical and high vulnerabilities.
• Regular monitoring and reporting.

Tip #4: Test your safety regularly.

We recommend having your cybersecurity tested by specialized service providers on a regular basis:

• External vulnerability scans every month (qualys-based solution).
• Penetration tests at least once a year or at each major change.

Tip #5: Develop secure applications

Integrate security into your developments by design:

• Continued training for technical teams in secure development.
• Use of vulnerability detection tools in source code, open-source libraries and your containers.
• Integrate these security tests automatically into the deployment process via your CI/CD, such as Github or Gitlab.

Tip #6: Back up and test your backups regularly

• Implement a data backup policy.
• Perform a data recovery test at least once a year.

“Securing customer data, and in particular payment data, can no longer be thought of as a simple regulatory obligation. It is a promise of trust made to users. At ReachFive, we have made this promise a technological pillar: removal of passwords, strong authentication, detailed consent management... All levers that considerably reduce attack surfaces and strengthen the user experience.”

— Jérémy Dallois, Founder and CEO of ReachFive

Conclusion: Delegating to better protect

The security of payment data is mainly based on the choice of a certified provider to whom you delegate this critical responsibility. Your role is to create a secure environment around this delegation.

As a payment orchestrator and security specialist, PURSE is committed daily to ensuring the highest level of security for its customers and their users. We can support you in implementing these best practices and advise you on the tools adapted to your needs.

Do not hesitate to contact us to effectively secure your e-commerce activity while optimizing the experience of your customers.

Checklist: Check your security level

🔐 Customer safety

• Social login proposed (Google, Facebook, Apple) /1
• Strict password policy enforced/1
• MFA available for customer accounts/1
• Active Compromised Password Monitoring/1

🏆 PCI DSS compliance

• PSP certified PCI DSS Level 1 selected /1
• No payment data stored on your servers /1
• Payment page fully managed by the PSP /1
• SAQ completed and compliance certificate up to date /1

🛡️ Internal security

• MFA mandatory for all administrator accesses /1
• Principle of Least Privilege Applied /1
• Scheduled monthly vulnerability scans /1
• Scheduled annual penetration testing/1
• Backups tested regularly /1

Safety score: ___/13

Under 8/13? It's time to improve your security. Purse can assist you in this process.

‍

Sourcing

• The worst passwords used by the French in 2024 — Moderator's Blog
• Cyberattack in France: 2.3 million bank cards hacked — Journal du Geek
• Recommendations on multi-factor authentication and passwords — ANSSI/Cyber.gouv.fr
• ReachFive — Security and Customer Identity Management Solutions