Payment Gateway Features: How Secure are Payment Links Compared to Escrow for Online Transactions?

Merchants looking to do business online can find themselves spoiled for choice in how they can accept payments. From payment links to digital escrow, online merchants now have access to features such as these, even those without a dedicated website. Historically, escrow arrangements are known to have greater security in the transaction due to how escrow operations are normally conducted via a trusted third party. This is emphasised even further with digital escrow as transactions are conducted online instead of in-person.

This does, however, beg the question: how secure are payment links by comparison?

Technical Similarities Between Payment Links and Escrow on an Online Payment Gateway

Payment links and digital escrow are both fundamentally the same thing: payment processing methods. As such, regardless of what you choose, both payment links and digital escrow platform services have to go through a payment gateway, thus requiring certain cybersecurity measures on hand before the transaction even begins.

These security features are:

SSL Certification

SSL certificates, or secure socket layer certificates, are an encryption-based Internet security protocol that connects the website’s identity to a cryptographic key pair which is made up of a public key and a private key¹. They’re one of the most important components of a safe and trusted environment for online platforms as they create an encrypted connection and establish trust between the business and the customer².

Determining whether a website is SSL-certified is as easy as checking the website’s URL in your browser’s search bar. An SSL-certified website will always have the padlock icon in the search bar and will use the HTTPS protocol instead of the standard HTTP².  This is because the S in HTTPS refers to the Secure part of Hypertext Transfer Protocol Secure, and that only SSL-certified websites use it.

A good example of an online platform that utilises this protocol and is SSL-certified would be the one listed here:
https://Omoney.com/

Not only is HTTPS used in the URL but if you were to click the link and check your browser’s search bar, you will notice the padlock icon there.

If you are looking for an online payment provider and you do not see either the HTTPS or the padlock, there is a significant likelihood that it is fraudulent.

PCI Compliance:

PCI compliance, or Payment Card Industry Data Security Standards (PCI DSS) compliance in full, is essentially the compliance of any given business to a series of specific data security standards pertaining to the use of payment cards³. It is mandatory for all businesses that transact via credit card to abide by these standards to ensure that they have the necessary systems and processes for data breach prevention⁴.

PCI DSS protocols can either be a walk in the park or a chore to comply with depending on the ecommerce technology and backend systems a business has since they have to meet these 12 High-Level Requirements before they are deemed to be PCI compliant⁴:

• Safeguard cardholder data by implementing and maintaining a firewall
• Opting for custom password creation and other unique security measures instead of using the default settings from vendor-supplied systems
• Safeguard stored cardholder data
• Encrypt cardholder data that is transmitted via open public networks
• Implement and actively update anti-virus software
• Create and sustain secure systems and applications
• Cardholder data access must be kept by need-to-know
• Make unique identifiers a requirement for users with digital access to cardholder data
• Restrict physical access to cardholder data
• Log and report network resources and cardholder data access
• Run frequent security systems and processes tests and checks
• Create policies addressing information security throughout the business

3D Secure (Card Payments):

3D Secure is an e-commerce authentication protocol for card payments that is based on a three-domain model, with the domains being the Acquirer Domain, the Issuer Domain, and the Interoperability Domain⁵. It is normally used for both payment authentication and non-payment authentication⁵.

This authentication protocol can be initiated via three different device channels, namely:

• App-based authentication: Authentication during a transaction from a consumer that originates from an application provided by a merchant or digital wallet requesting authentication via 3D Secure Authentication Request⁵. A common example of such a process would be the user authentication request during an e-commerce transaction within a merchant’s app.
• Browser-based authentication: Similar to app-based authentication except the transaction originates from a website that utilises a browser⁵. An example of browser-based authentication would be the OTP code requirement to authenticate the user upon checkout within a merchant’s website.
• 3DS Requester Initiated: Merchants, digital wallets, and others that initiate the 3D Secure Authentication Request protocol within a purchase flow are known as 3DS Requesters⁵. The main purpose of 3DS Requester Initiated authentication is for the verification of an account’s validity or for cardholder authentication⁵. This is usually seen in recurrent transactions such as those found in subscription services to either receive authentication data when performing a transaction for each bill or as part of a non-payment transaction to verify that a user still has a valid form of payment for their subscription⁵.

With how the authentication protocol functions, it is essentially an additional security layer that not only aids with fraud prevention for transactions where the card is not present, but also protects the merchant as it shifts the liability on every successfully verified transaction to the issuing bank⁵.

In short, whenever online consumers purchase something, they need to confirm the transaction via 3D Secure.

These security features listed above may seem daunting and exhaustive but the implementation of these features not only help foster a secure and safe payment environment for your business, but also make it easier for you to determine if a payment gateway is legitimate.

Operational Differences: Payment Flow

One of the biggest differences between payment links and digital escrow platforms is found in their respective payment flow structures. This is due to their core functions whereby one emphasises speed whereas the other focuses on security.

The payment flow for transactions involving payment links first has the buyer pay into the platform where the funds get held until the seller KYB process is complete. Then, those funds get released to the seller within 1-2 business days or sooner depending on whether the seller is a repeat user of the payment platform. This expediency results in a quicker, more streamlined transaction.

Escrow, on the other hand, involves more steps in the process as it requires the digital escrow service to act as a reliable third party intermediary for a transaction. This means that the transaction from escrow itself may take longer to complete since greater emphasis on accountability and transparency on where the money and goods/services goes are present. This also translates into the transaction being much more secure throughout due to this focus on accountability and transparency.

Operational Differences: Dispute Settlement

The way dispute settlements are handled between payment links and digital escrow services also differ due to the way funds are processed by them. With escrows, the buyer can easily see their funds returned to them–after taking the necessary platform fees–once the dispute settlement has taken place.

Payment link disputes however, are not as straightforward for a multitude of reasons. Payment platforms may just link the buyer and seller together for them to resolve it themselves; further escalation may see the payment platform rearranging funds to accommodate for the adjustments resulting from the escalation. Such complications may occur if the payment link does not offer protection in the event of buyer dissatisfaction.

Nonetheless, it is important to note that both payment links and digital escrow carry the risk of chargeback if the buyer funded the transaction via card. Though, escrow service providers tend to have a stronger case to leverage towards the buyer since they’d have a record that the buyer has had to have the escrow agreement. This is further amplified by the fact that almost all transactions conducted via escrow are 3DS enabled.

When Should You Use Payment Links? What Business Use Case Is There For Payment Links?

With everything that has been said thus far, it seems clear that payment links are less secure than escrow. Yet why do payment links still see widespread use?

One of the reasons for this is that both escrow services and payment links do well to aid those without an integrated online checkout or payment gateway to collect transactions on the seller/merchant’s behalf. This is especially true for merchants that have yet to properly transition into the digital landscape or those that are starting out their e-commerce venture.

Another reason is that while there is a clear trade-off in the level of security between the two over a transaction, payment links shouldn’t be written off since the speed offered by payment links mean that payments are processed faster, which can greatly improve a consumer’s checkout experience. They are also a lot simpler and faster to set up as compared to digital escrow services.

Escrow services are safer and more secure by comparison, but they are also slower since escrow transactions typically require off-platform negotiations to take place prior to agreeing on a transaction amount and payment schedule. They may also need some time to make necessary amendments to the agreement as needed too.

Overall, payment links are less secure than escrow services. However, because of their simplicity and speed, you should use payment links for simple low-risk transactions such as selling B2C goods or simple gig work that has little project management required. This may include writing, graphic designing, or video editing.

Now that you know more about the similarities payment links and escrow services have in terms of tech capabilities and their differences in operational security, you are better-equipped to make informed decisions about choosing a payment collection method.

Why not try Omoney? With operations in over 173 countries around the world and with payment solutions suited for marketplaces, SaaS platforms, exporters and importers, and service providers, you can be certain that there is a payment collection method fit for you.

Still not sure? Contact us today!

Sources

1. What Is SSL (Secure Sockets Layer)? | What is an SSL Certificate? | DigiCert
2. What is SSL (Secure Sockets Layer)? | Cloudflare
3. PCI_DSS_Glossary_v3-2.pdf (pcisecuritystandards.org)
4. PCI Compliance: Requirements Explained + PCI DSS Checklist (2022) (bigcommerce.com)
5. Terms of Use - EMVCo