What is an online payment?

Payments made on the internet by credit card or debit card for goods and services are also known as e-commerce or 'card not present' payments. The customer does not need to be physically in store to make the payment. They enter the card details into an online system to complete the transaction.

What are the recommended ways to accept online payments?

Use a gateway hosted page for your website

A payment gateway provider can set up a gateway hosted e-commerce page that integrates with your website. This means when the cardholder makes a payment, they are redirected from your website to a secure payment page hosted by the gateway. The cardholder can then submit their card details on the page and once payment is complete, they are redirected back to your site.

It's important to start working with us early on when you’re setting up your payments page so that we can understand your requirements and make sure you're meeting your Payment Card Industry Data Security Standard (PCI DSS) compliance obligations. Westpac does not permit the use of merchant hosted payment pages.

Westpac supports most major gateway providers including:

Use Online EFTPOS to accept payments made by smartphone

Online EFTPOS is a service provided by Worldline that enables your customers to pay online with their smart phone. Customers enter their mobile number and select their bank on your payments page, then they approve a payment notification within their mobile banking app. Your customers never need to expose their payment or banking credentials.

You can find out more about Online EFTPOS and how to set it up for your business here.

Use batch processing to process multiple online card payments at once

Batch credit or debit card processing allows you to process very large volumes of credit or debit card payments (a batch) at once. This facility can be used to process different amounts or recurring payments of the same amount.

You can upload a batch of payments directly into a PCI DSS compliant payment gateway provider which removes the need to manually transmit and store volumes of credit card information.

Tips to keep your e-commerce payment facility secure.

Take the following steps to help protect your e-commerce payment facility and reduce the risks of an account data compromise.

| What to do | When to do it | Who is responsible? |
|---|---|---|
| Use a 'gateway hosted' solution | At set up | Merchant / e-commerce solution provider |
| Only use PCI DSS compliant third-party service providers | At set up | Merchant / e-commerce solution provider |
| Don't store any card information such as the cardholder PIN or card verification code (3 digits on the back of the card) | Daily | Merchant |
| Change default passwords on systems, applications and devices | At set up | Merchant |
| Change the default admin panel URL. Fraudsters search for websites with default settings because they can be easier to compromise | At set up | Merchant / e-commerce solution provider |
| Install a web application firewall. Properly configured firewalls help protect your card data environment by allowing your business to set rules and criteria that restrict incoming and outgoing network traffic | At set up | Merchant / e-commerce solution provider |
| Install anti-virus and intrusion detection tools. The best way to keep anti-virus software up to date is to use a reputable, subscription-based programme | At set up | Merchant / e-commerce solution provider |
| Develop a monitoring procedure and action plan. Ensure controls are in place to identify who has accessed the payment gateway portal, and create a plan to follow if you detect unauthorised access | Regularly | Merchant / e-commerce solution provider |
| Conduct an external vulnerability scan of your website | Quarterly | Merchant / e-commerce solution provider |
| Ensure your website is patched and upgraded with the latest software, application and security controls* | When notified that a patch or upgrade is available, or within a month of release | Merchant / e-commerce solution provider |
| Create a unique user ID and password for each staff member who has access to your system | At set up | Merchant |
| Establish a complex password policy**. If a user has attempted to log in unsuccessfully more than six times, lock their account and reset the password after 30 minutes. This will give you time to investigate whether they are an authorised user | Passwords should be changed every 90 days | Merchant |
| Implement multi-factor authentication (MFA). This means users who log into your system must provide at least two pieces of evidence to prove their identity, for example by entering their password and an automatically generated code that is sent to their phone | At set up | Merchant / e-commerce solution provider |
| Develop an Incident Response Plan | Annually | Merchant |
| Establish staff security awareness training | At the start of employment, and annually thereafter | Merchant |
| Monitor your provider's status of compliance. You can check any service provider's compliance status by asking for their Certificate of Compliance (COC). This will provide the validation date and expiry date of their PCI DSS compliance | Annually | Merchant |
| Conduct staff background checks | At the start of employment | Merchant |

*Patches are e-commerce platform updates that address security vulnerabilities within a program or product. Software vendors typically release updates to fix performance bugs and provide enhanced security features.

**For example, passwords must be seven characters in length and contain a capital and lower-case letter, number and symbol.
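The password policy row and footnote ** above describe a concrete rule set: a minimum of seven characters with a capital, a lower-case letter, a number and a symbol; a lock after more than six failed logins, with the password reset once the 30-minute lock has passed; and a 90-day rotation. The Python below is an added example of those rules as a merchant's own login code might apply them. It is not Westpac's code or any gateway provider's; the account record, the function names, the timestamps and the sample passwords are all constructed for the example, and "reset the password after 30 minutes" is read here as "the account reopens only after a new password is set".

```python
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Parameters taken from the page's password policy row and footnote **:
# more than six failed logins locks the account, the lock lasts 30 minutes and
# the password is then reset, passwords rotate every 90 days, and a password
# needs seven characters with a capital, a lower-case letter, a number and a symbol.
MAX_FAILED_ATTEMPTS = 6
LOCKOUT_DURATION = timedelta(minutes=30)
PASSWORD_MAX_AGE = timedelta(days=90)
MIN_LENGTH = 7


def password_policy_errors(password: str) -> list:
    """Return the policy rules a candidate password breaks (an empty list means it passes)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        errors.append("no capital letter")
    if not any(c.islower() for c in password):
        errors.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        errors.append("no number")
    if not any(c in string.punctuation for c in password):
        errors.append("no symbol")
    return errors


@dataclass
class StaffAccount:
    """One staff login (hypothetical in-memory record; a real system keeps this in its user store)."""
    user_id: str
    password_set_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None
    reset_required: bool = False


def record_login_attempt(account: StaffAccount, succeeded: bool, now: datetime) -> str:
    """Apply the lockout and password-age rules to one login attempt.

    Returns a status string suitable for an access log: "ok", "failed",
    "locked", "reset_required" or "password_expired".
    """
    if account.locked_until is not None:
        if now < account.locked_until:
            return "locked"            # still inside the 30-minute lock
        # Lock has expired: the account reopens only after a password reset
        account.locked_until = None
        account.failed_attempts = 0
        account.reset_required = True
    if account.reset_required:
        return "reset_required"
    if not succeeded:
        account.failed_attempts += 1
        if account.failed_attempts > MAX_FAILED_ATTEMPTS:
            account.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "failed"
    if now - account.password_set_at > PASSWORD_MAX_AGE:
        return "password_expired"      # 90-day rotation rule
    account.failed_attempts = 0
    return "ok"


def set_password(account: StaffAccount, new_password: str, now: datetime) -> list:
    """Change the password if it meets the policy; returns the violations (empty on success)."""
    errors = password_policy_errors(new_password)
    if not errors:
        account.password_set_at = now
        account.reset_required = False
        account.failed_attempts = 0
        account.locked_until = None
    return errors


def demo() -> list:
    """Walk one constructed account through the lockout cycle; returns the statuses seen."""
    t0 = datetime(2024, 1, 1, 9, 0)          # constructed timestamp
    acct = StaffAccount("staff01", password_set_at=t0)
    statuses = []
    for i in range(7):                       # seven wrong passwords in a row
        statuses.append(record_login_attempt(acct, False, t0 + timedelta(minutes=i)))
    statuses.append(record_login_attempt(acct, True, t0 + timedelta(minutes=20)))   # inside the lock
    statuses.append(record_login_attempt(acct, True, t0 + timedelta(minutes=40)))   # lock over, reset due
    set_password(acct, "Tr0ub@dour", t0 + timedelta(minutes=41))                    # constructed password
    statuses.append(record_login_attempt(acct, True, t0 + timedelta(minutes=42)))
    statuses.append(record_login_attempt(acct, True, t0 + timedelta(days=100)))     # past the 90-day limit
    return statuses


if __name__ == "__main__":
    print(demo())
```

The status strings are what the "monitoring procedure" row asks for: each outcome is something the access log can record and the action plan can key on, so a run of "locked" entries for one user ID is visible to whoever reviews the log.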

Help prevent card fraud.

Enable 3DSecure. This is a way to help reduce fraudulent transactions by verifying your cardholder. 3DSecure is a protocol designed to be an additional security layer for online credit and debit card transactions. To complete a transaction using a credit or debit card, a cardholder must provide additional proof of identity, such as a password or other information known by the cardholder. The bank that issued the cardholder's card controls what details are needed to verify the cardholder.

What's the difference between an account data compromise (ADC) and card fraud?

An ADC is when an unauthorised person gains access to your business environment or payment facility to steal valuable information (like card payment data) with the intention to commit fraud. Card fraud is when stolen card payment data is used to make a fraudulent transaction.

Get help.

New customers

Call the Westpac Merchant Onboarding team on 0800 888 066, option 3, weekdays between 8:30am and 5pm.


Existing customers

Contact your Westpac Relationship Manager or Merchant Assist on 0800 888 066, option 4, weekdays between 8:30am and 5pm.


Things you should know.

The information on this page is intended as a guide only. We make no warranty or representation, express or implied, regarding the accuracy of any information, statement or advice contained on this page. We recommend you seek independent advice before acting or relying on any of the information on this page. All opinions, statements and analysis expressed are based on information current at the time of writing from sources which Westpac believes to be authentic and reliable. Westpac issues no invitation to anyone to rely on this material.

Mastercard® is a registered trade mark and the circles design is a trade mark of Mastercard International Incorporated.

Links to other sites are provided for convenience only and Westpac accepts no responsibility for the availability or content of such websites.