Security recommendations for processing payments

Updated on 20-October-2016 at 10:16 AM

Business Catalyst End of life announcement - find out more details.

When collecting online payments on your site it is always recommended to take the measures below in order to ensure your customers' payments are processed securely.

Only use secure URL for pages used to collect online payments 

It is highly recommended that all links to the page that contain the form which is collecting online payments use secure (https://) URLs.

You can find the secure URL of your site by selecting Site Settings > Site Domains. Take a look at the Working with secure URLs article for more info around encryption and how to use the secure URL of your site.

Make sure the action attribute of the form uses secure URL

When using a form that processes online payments, always make sure that action attribute uses the secure protocol and secure URL.

To inspect the attribute of the form switch to the HTML view of the page the form is inserted into.


Disable autocomplete for payment forms

We also recommend disabling the autocomplete feature for the fields of the forms you are to collecting payments with.

Here is more information about how to disable autocomplete .

Enforce Minimum Amount 

If your form allows visitors to enter the amount to be paid, it is recommended that you set a minimum payment amount on the form.

This method is used to avoid any security issues around spammers trying to make repeated 0.01 payments in order to find valid credit cards numbers through your form.

You will need to create a web form with the Credit Card Processing field. 

Supplying Datacenter IP Addresses

Depending on the payment gateway you may need to supply them with any if the following IP Addresses depending on the data centre your site is hosted on:

  • Australian data centre
  • United States data centre
  • - European data centre

For more information please follow the tutorial for each payment gateway

Enabling Auto Return URL for non-seamless PGs

For non-seamless gateways the auto-return URL needs to be supplied on the payment gateway account side. 

In the Return URL field, enter your site's secure address followed by /PaymentProcess.aspx. For example, the return URL for PayPal Standard gateway should be

Do note that /PaymentProcess.aspx can be different from a payment gateway to another.

For more information please follow the tutorial for each payment gateway .