Best practices for securing the payment data of your customers and your e-commerce site
In 2024, the cybersecurity landscape darkened: personal data breaches reported to the CNIL jumped by more than 20%.
This figure reveals the extent of current digital vulnerability. Cyber attacks are in the news every day. As recently as May 2025, a global data leak exposed more than 2.3 million bank cards, following leaks affecting millions of customers of French retailers in luxury, telephony, banking, e-commerce and public administration. Personal and banking information then ends up on the dark web, where it is used to deceive individuals, usurp their identity, embezzle their funds...
For e-retailers, this reality is all the more critical as they handle sensitive payment data on a daily basis. Samuel Delplace, Head of Infrastructure & Security, identified the main attack vector: the vulnerability of accounts and passwords.
Over the past two years, the majority of intrusions have come from compromised accounts because their password was too weak or reused on several sites, in both professional and personal environments. Email/password combinations are stolen and exchanged among hacker communities. All it takes is one leak for these identifiers to be massively tested elsewhere, until they hit the site or subcontractors of a major retailer, where they make it possible to extract data en masse.
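The attack described above, leaked email/password pairs replayed against many accounts from one source, leaves a recognisable trace in authentication logs: one IP touching many distinct accounts in a short time. The following detector is an added example, not code from the article or from Purse or ReachFive. The log format, the sample lines and the threshold (5 distinct accounts from one source IP within 5 minutes) are constructed for illustration and should be adapted to your own reverse-proxy or IAM logs.

```python
"""Spotting credential stuffing in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, source IP, result, account.
# 203.0.113.7 sprays leaked email/password pairs across many accounts and
# gets one hit; 198.51.100.4 is a legitimate user mistyping their password.
SAMPLE_LOG = """\
2025-05-12T10:00:01Z 203.0.113.7 FAIL alice@example.com
2025-05-12T10:00:02Z 203.0.113.7 FAIL bob@example.com
2025-05-12T10:00:02Z 203.0.113.7 FAIL carol@example.com
2025-05-12T10:00:03Z 203.0.113.7 OK dave@example.com
2025-05-12T10:00:04Z 203.0.113.7 FAIL erin@example.com
2025-05-12T10:00:05Z 203.0.113.7 FAIL frank@example.com
2025-05-12T10:00:09Z 203.0.113.7 FAIL grace@example.com
2025-05-12T10:01:00Z 198.51.100.4 FAIL alice@example.com
2025-05-12T10:01:30Z 198.51.100.4 FAIL alice@example.com
2025-05-12T10:02:00Z 198.51.100.4 OK alice@example.com
"""


def parse_line(line: str):
    """Split one constructed log line into (time, ip, result, account)."""
    ts, ip, result, account = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, result, account


def detect_stuffing(log_text: str, window: timedelta = timedelta(minutes=5),
                    min_accounts: int = 5) -> dict:
    """Flag source IPs that attempted >= min_accounts distinct accounts within
    `window` (constructed threshold). Returns {ip: {"accounts": [...],
    "successes": [...]}}; the "successes" are the accounts whose passwords
    must be reset and whose sessions must be revoked.
    """
    events = defaultdict(list)                   # ip -> [(time, account, result)]
    for line in log_text.strip().splitlines():
        ts, ip, result, account = parse_line(line)
        events[ip].append((ts, account, result))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):              # sliding time window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {acct for _, acct, _ in evs[start:end + 1]}
            if len(distinct) >= min_accounts:
                flagged[ip] = {
                    "accounts": sorted({a for _, a, _ in evs}),
                    "successes": sorted({a for _, a, r in evs if r == "OK"}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['accounts'])} accounts tried, "
              f"compromised: {info['successes']}")
```

Counting distinct accounts per source rather than failed attempts per account is deliberate: a stuffing run typically makes only one or two attempts per account, so per-account lockout thresholds never fire, while a single user who mistypes their own password three times (198.51.100.4) is not flagged.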
Faced with this reality, how can e-retailers strengthen their security while maintaining the user experience?
This article shows you the levers to be implemented, inspired by regulatory requirements and operational best practices.
The principle of defense: as with protecting a house, the more difficult you make it to access, the more the attacker will favor an easier target. If each web player reinforces their security requirements, we collectively create a deterrent effect.
Social login is a feature that allows users to register and log in via their Facebook, Google or Apple ID account. It avoids having a password tied to your site while offering a relatively fast login.
This approach has the advantage of delegating authentication to platforms that are already well secured, reducing the risk of phishing and sparing your customers from having to remember yet another password.
Whether for creating or renewing passwords, you can follow the recommendations of ANSSI:
This may seem obvious, but did you know that in France the most used passwords remain “123456", “123456789" and “azerty”?
Two-factor authentication remains the most effective method today of countering attacks that use compromised credentials. Even if the attacker has the right login and password, they cannot access the account without the second factor (usually the user's smartphone).
Recommended options:
Act preventively with your customers by detecting compromised passwords, then alert them as soon as possible and recommend that they change their password.
You can use technological and secure solutions such as ReachFive to ensure this continuous protective watch.
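One way to run such a compromised-password check without ever sending the password itself, or its full hash, to the checking service is the k-anonymity range-query pattern (the approach popularised by Have I Been Pwned's Pwned Passwords API). This is an added example, not code from the article or from ReachFive or Purse: the client sends only the first 5 hex characters of the password's SHA-1 hash, the server answers with every suffix that shares the prefix, and the match is decided on the client. The breach corpus and its counts below are a small constructed list, not real breach data; the minimum length of 12 characters is an assumed policy value.

```python
"""Checking a password against a breach corpus with k-anonymity (added example)."""
import hashlib

# Constructed "breach corpus": passwords seen in leaks with constructed counts.
# It includes the three most-used passwords in France cited in the article.
_CONSTRUCTED_BREACHES = {"123456": 100000, "123456789": 50000,
                         "azerty": 20000, "password": 80000}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# ---- server side -----------------------------------------------------------
def build_index(breaches: dict) -> dict:
    """Index breached hashes by their 5-character prefix: prefix -> {suffix: count}."""
    index = {}
    for pw, count in breaches.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index


BREACH_INDEX = build_index(_CONSTRUCTED_BREACHES)


def range_query(prefix: str) -> dict:
    """What the server returns: all (suffix, count) pairs for a prefix.
    It never learns which suffix the client actually cares about."""
    if len(prefix) != 5:
        raise ValueError("prefix must be 5 hex characters")
    return dict(BREACH_INDEX.get(prefix.upper(), {}))


# ---- client side -----------------------------------------------------------
def breach_count(password: str) -> int:
    """Number of times the password appears in the corpus (0 if unseen)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return range_query(prefix).get(suffix, 0)


def password_acceptable(password: str, min_length: int = 12) -> tuple:
    """Policy check at registration/renewal: reject breached and short passwords."""
    count = breach_count(password)
    if count:
        return False, f"seen {count} times in breach data"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("azerty", "correct horse battery staple"):
        print(candidate, "->", password_acceptable(candidate))
```

The same `breach_count` call can be run on a schedule against stored hashes only if your login flow has a moment where the clear-text password is legitimately present (at login or renewal); it is never computed from the password store itself, which should hold only slow, salted hashes.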
The Payment Card Industry Data Security Standard (PCI DSS) is the international reference for all professionals involved in the entry, transfer, processing and storage of card payment data. The purpose of this standard is to ensure the highest level of security and to protect users' card data.
A fundamental recommendation applies to e-commerce sites: never store payment data. Never. Ever.
It is your responsibility to ensure that data is captured, transferred, processed and stored in a secure, certified compliant environment. The most appropriate strategy is to entrust it to a payment service provider (PSP or payment orchestrator) certified PCI-DSS level 1. You can also build a certified environment yourself, but the work will be particularly arduous and expensive.
As a merchant, you must be able to prove to your acquiring bank that you meet the requirements (the level of requirement depends on the volume of transactions processed).
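Two habits follow directly from "never store payment data": the merchant database holds only the PSP-issued token plus display metadata, and nothing written to logs may contain a card number. The block below is an added example, not code from the article or from Purse; the PSP response field names are an assumption, and the card number is a widely used non-issued test value.

```python
"""Keeping card numbers out of merchant systems (added example)."""
import re
from dataclasses import dataclass


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation, used to tell PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def redact_pans(text: str) -> str:
    """Mask any Luhn-valid digit run before it reaches a log line,
    keeping only the last four digits; order or phone numbers stay readable."""
    def _mask(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw
        return "*" * (len(digits) - 4) + digits[-4:]
    return _PAN_CANDIDATE.sub(_mask, text)


@dataclass(frozen=True)
class StoredPaymentMethod:
    """The only card-related fields the merchant database may hold."""
    psp_token: str
    brand: str
    last4: str
    expiry_month: int
    expiry_year: int


def store_from_psp_response(psp_response: dict) -> StoredPaymentMethod:
    """Build the merchant-side record from the PSP's tokenisation response
    (field names assumed). Refuses to proceed if a full PAN or CVV somehow
    reached this layer, so the mistake is caught before anything is persisted."""
    forbidden = {"pan", "card_number", "cvv", "cvc"}
    leaked = forbidden & {k.lower() for k in psp_response}
    if leaked:
        raise ValueError(f"refusing to store cardholder data: {sorted(leaked)}")
    return StoredPaymentMethod(
        psp_token=psp_response["token"],
        brand=psp_response["brand"],
        last4=psp_response["last4"],
        expiry_month=int(psp_response["exp_month"]),
        expiry_year=int(psp_response["exp_year"]),
    )


# Constructed PSP tokenisation response (field names are an assumption).
CONSTRUCTED_PSP_RESPONSE = {"token": "tok_example_8f3a", "brand": "visa",
                            "last4": "1111", "exp_month": "12", "exp_year": "2027"}


if __name__ == "__main__":
    print(store_from_psp_response(CONSTRUCTED_PSP_RESPONSE))
    print(redact_pans("checkout card 4111 1111 1111 1111 order ORD-48213"))
```

The Luhn filter is what keeps the redaction usable: without it, every order number or phone number of similar length would be masked and the logs would stop being useful for support and fraud review.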
As the CIO of an e-commerce site, you generally need to:
Failure to meet PCI-DSS requirements exposes your business to:
To find out more about the standard and the security requirements expected for your profile, you can consult the official site.
Choosing a trusted technology partner like Purse will ensure you check all the boxes.
Your teams, subcontractors and systems are prime targets for hackers.
Internal teams are often the weakest link exploited by cybercriminals. For them it is a way to enter a system that is very rich in user data.
Unlike customers, the challenge here goes beyond the user experience: it's about protecting your system, your turnover and your reputation.
Setting up a strong authentication system for employees is, from our point of view, essential and a good practice that we strongly recommend. It must be generalized on your own tools as well as to access the systems of your subcontractors.
Users in your organization who log into the Purse merchant admin portal are required to authenticate with an MFA system to ensure secure access to your data.
The advice seems obvious, but in practice it is not implemented as often as it should be. The fewer entry points we leave open to attackers, the harder access becomes and, in the end, the lower the risk.
A regular audit of your system to identify anything that is potentially open will allow you to set up a policy adapted to each network flow:
Set up a structured process:
We recommend having your cybersecurity tested by specialized service providers on a regular basis:
Integrate security into your developments by design:
“Securing customer data, and in particular payment data, can no longer be thought of as a simple regulatory obligation. It is a promise of trust made to users. At ReachFive, we have made this promise a technological pillar: removal of passwords, strong authentication, detailed consent management... All levers that considerably reduce attack surfaces and strengthen the user experience.”
— Jérémy Dallois, Founder and CEO of ReachFive
The security of payment data is mainly based on the choice of a certified provider to whom you delegate this critical responsibility. Your role is to create a secure environment around this delegation.
As a payment orchestrator and security specialist, PURSE is committed daily to ensuring the highest level of security for its customers and their users. We can support you in implementing these best practices and advise you on the tools adapted to your needs.
Do not hesitate to contact us to effectively secure your e-commerce activity while optimizing the experience of your customers.
🔐 Customer safety
🏆 PCI DSS compliance
🛡️ Internal security
Safety score: ___/13
Under 8/13? It's time to improve your security. Purse can assist you in this process.