The Ultimate Online Payment Security Checklist

Rob Chenault

With a growing number of customers opting for online payments, demand for digital payment channels is at an all-time high. According to a recent Invoice Cloud survey, online channels are the preferred method for making payments, with 43% of survey respondents preferring an online portal for payments and 34% of respondents preferring a mobile device for payments.

Providing these digital payment options is pivotal if you hope to keep pace with customer expectations – and driving payers to online channels only serves to benefit your organization. Encouraging online payment adoption is hugely important for saving organizational time and resources, accelerating collections, and increasing customer satisfaction.

But, despite the growing preference for online payments, there are still plenty of customers who would rather pay offline (i.e., mailing a check, paying over the phone, etc.). While it’s important to ensure that those offline payment channels are fully optimized for those users, it’s equally critical for your organization to convince those reluctant customers to make the switch to online channels.

In our research report, The State of Online Payments, we explored why some payers are hesitant to use online payment channels. For some, sending in a monthly check or making an in-person payment is simply a preference or a habit – but others had serious concerns.

Thirty-two percent of respondents who prefer offline channels cited security concerns as their main reason for rejecting online payments, specifically “the security of their payment information.”

Since digital security concerns are a major barrier to e-payment adoption, it’s important to understand the issue and evaluate how your online payment platform works to address these customer fears.

Don’t ignore online payment compliance

Clearly, customers have data security concerns – understandable, considering the sensitive nature of payment information. But not only can those concerns interfere with your organization’s online payment adoption, lapses in security could also bring to light compliance issues that need to be addressed internally.

Compliance regulations can change frequently, depending on your industry, so your electronic bill presentment and payment (EBPP) solution must be able to keep pace with evolving security requirements. If it cannot, your organization could potentially be vulnerable to data breaches and the legal ramifications that follow.

Fortunately, there are EBPP providers that have prioritized data security in their product and offer organizations like yours fully secure solutions.

The Online Payments Security Checklist

To ensure that your customer data is secure and that your organization is up to date with compliance regulations, you’ll want to keep a few things in mind when choosing an EBPP provider:

SaaS model

The Software as a Service (SaaS) model is the ideal software solution for payments, particularly for the compliance aspect of security. True SaaS delivers continuous improvement and requires no maintenance on your part. This guarantees your organization has the latest security patches to remain compliant with industry standards.

Multi-tenant infrastructure

The multi-tenant architecture of SaaS solutions creates a single instance of a software application that serves multiple customers, as opposed to a single tenant model hosted in the cloud. Client data is secured in individually partitioned databases, providing superior performance and maintenance while the entire application is wrapped and monitored in a secure environment.

PCI Level 1 compliance

The Payment Card Industry Data Security Standard (PCI DSS) is organized around six principles, or goals, for protecting payment information, such as “build and maintain a secure network” and “regularly monitor and test networks.” Those six goals are broken down into 12 requirements for PCI compliance, and the standard defines four levels of compliance. PCI Level 1 service provider is the most thorough level, carrying the most comprehensive guidelines and audit requirements.

Security assessments and certifications

When choosing an EBPP platform, you’ll want to confirm that your potential software providers follow the applicable requirements set forth in PCI-DSS for security tests, which are typically conducted by an outside testing firm. Make sure any considered providers maintain annual security certifications, like SOC 1 and SOC 2 Type 2, and PCI-DSS Level 1 Service Provider certifications. These verify that the payment platform has implemented effective controls around data security.

Data privacy policies

Don’t be afraid to ask providers questions around their data privacy policies. If they are thorough, the providers should keep (and frequently review) audit logs to maintain checks and balances in security. They should also offer clear language confirming they do not sell customer data to any third parties, with the exception of service providers deemed necessary to fulfill the requested services.


If your current online payment solution doesn’t check the boxes above, it may be time to consider an EBPP provider that has data security top of mind. Not only will you safeguard your organization against compliance liability, but enhancing security measures is also a necessary step toward alleviating payer concerns and driving those worried customers to online payment routes.

For additional insights on payer preferences and concerns, download our research report, The State of Online Payments, below.
