Payment Methods and Security in E-Commerce
Every online purchase ends with the same decisive moment: the transfer of money. The checkout is where commercial intent becomes revenue, and it is also the single point at which a customer is asked to trust a merchant with sensitive financial data. For this reason payment has evolved from a back-office afterthought into a strategic discipline that sits at the intersection of conversion, regulation, and security.
AUTHOR: Francesca Valeri
The history of the field is short but dense. The first secure retail transaction over the web, the 1994 sale of a Sting compact disc through NetMarket, was protected by data-encryption software that transmitted the buyer’s card number safely, a full year before the Secure Sockets Layer protocol became widely available in Netscape’s browser. That single encrypted transfer established the principle that still governs the industry: commerce online is only possible where the customer believes the payment is safe.
[Source] M. Pawlowski, Data Analytics for E-Commerce (lecture materials, UMCS, 2026); CNET, “E-commerce turns 10.”
Three decades later, electronic payments in the European Union reached roughly 240 trillion euro in annual value, up from 184 trillion euro in 2017, a scale that has drawn both fierce competition among providers and a comprehensive regulatory response. This report examines the methods consumers use to pay, the European rules that govern those methods, the technologies that secure them, the fraud that targets them, the particular character of the Polish market, and the role that data analytics now plays in defending the payment system.
[Source] European Commission, Payment Services Regulation proposal, COM(2023)367, citing ECB payment value statistics.
Common payment methods in e-commerce
The European checkout is no longer dominated by a single instrument. Payment preference now varies sharply by country, by basket size, and by device, and a merchant that offers the wrong mix loses customers at the final step. The principal methods can be grouped into six families.
Cards
Credit and debit cards from Visa and Mastercard remain the most widely accepted instrument and still carry the largest single share of European transaction value. Their strength is universality and consumer protection through chargeback rights; their weakness is exposure to card-not-present fraud, which the security measures described in Section 4 are designed to contain.
Digital wallets
Wallets such as PayPal, Apple Pay, and Google Pay now rival cards in many markets. PayPal, founded in 1998 as Confinity, pioneered consumer digital payments and processed close to 40 percent of all eBay transactions at its peak; it has since added cryptocurrency checkout (2021) and its own dollar stablecoin, PayPal USD (2023). Wallets win on speed and on the fact that card data is stored once and tokenized, removing it from the merchant’s reach.
[Source] Britannica, “PayPal”; M. Pawlowski, Data Analytics for E-Commerce (UMCS, 2026).
Account-to-account and open banking
Real-time bank transfers, including Poland’s BLIK and the broader category of open-banking payments, move money directly between accounts without a card network in the middle. They are cheap for merchants and increasingly instant for consumers, and the EU’s Instant Payments Regulation (Section 3) is accelerating their growth across the continent.
Buy Now Pay Later (BNPL)
Deferred-payment products from providers such as Klarna and, in Poland, PayPo, let customers split a purchase into instalments. They lift conversion and average order value but have attracted regulatory attention over consumer indebtedness and disclosure.
Cryptocurrency
Crypto payments remain a small share of European e-commerce. Stripe’s early support for Bitcoin in 2015 illustrated the operational challenge: unlike a card, a Bitcoin payment is initiated by the customer and can take roughly an hour to finalise, which forced a redesign of the settlement flow around webhooks and pending states.
[Source] Stripe, “Online payment API design”; M. Pawlowski, Data Analytics for E-Commerce (UMCS, 2026).
Cash on delivery and other methods
Cash on delivery, vouchers, and prepaid instruments persist in certain markets and demographics, particularly where trust in online payment is still developing.

[Source] Statista, European e-commerce payment data (2025); ECDB, Payment Methods in Europe report.
The EU regulatory landscape
European payments are among the most heavily regulated activities in the digital economy, and the framework is in the middle of a generational change. Four instruments matter most for e-commerce.
PSD2 and Strong Customer Authentication
The Second Payment Services Directive, in force since 2018, introduced Strong Customer Authentication, the requirement that electronic payments be confirmed using at least two independent factors drawn from knowledge (a password), possession (a phone), and inherence (a biometric). PSD2 also opened bank infrastructure to licensed third parties, creating the open-banking market.
PSD3 and the Payment Services Regulation
On 27 November 2025 the European Parliament and the Council reached provisional political agreement on the Third Payment Services Directive (PSD3) and the accompanying Payment Services Regulation (PSR), with final publication expected in the first half of 2026. The package tightens authentication, harmonises rules across member states, and introduces a significant shift in liability: a payment service provider that fails to implement appropriate fraud-prevention mechanisms can be held liable for covering a customer’s losses, and large online platforms may share liability where they fail to act on known fraud.
[Source] Norton Rose Fulbright, “PSD3 and PSR: from provisional agreement to 2026 readiness” (2026); European Parliament, Legislative Train Schedule (March 2026).
The Instant Payments Regulation and Verification of Payee
The Instant Payments Regulation (IPR) entered into force on 8 April 2024 and requires that euro credit transfers settle within ten seconds, around the clock. Its most visible consumer protection is Verification of Payee (VoP), a mandatory check that compares the payee’s name against the IBAN before a transfer is authorised and returns one of four results: match, close match, no match, or other. VoP became mandatory for euro-area providers on 9 October 2025, with providers outside the euro area required to comply by 9 July 2027. Industry estimates suggest the measure could prevent on the order of 2.4 billion euro in fraud each year.
[Source] European Central Bank, Instant Payments Regulation overview; European Payments Council, Verification of Payee Scheme Rulebook (2025); Finextra, “Europe’s Instant Payments Regulation and the 9 October deadline” (2025).
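As an added illustration, not code from the report or the EPC rulebook, the following Python sketch implements the Verification of Payee check described above: it validates the IBAN checksum, normalises the payee name and returns one of the four results. The bank-side register, the example IBANs (the standard published test values for DE and PL), the similarity threshold and the handling of unverifiable accounts are assumptions.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from typing import Optional, Tuple

# Constructed bank-side register (IBAN -> account holder). The IBANs are the
# widely published example IBANs for Germany and Poland, not real accounts.
PAYEE_REGISTER = {
    "DE89370400440532013000": "Max Mustermann",
    "PL61109010140000071219812874": "Jan Kowalski",
}

# Assumed threshold for "close match": the rulebook leaves the matching
# algorithm to each provider, so this value is illustrative only.
CLOSE_MATCH_THRESHOLD = 0.85


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map letters
    to numbers (A=10 ... Z=35) and require the result to be 1 modulo 97."""
    iban = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def normalise_name(name: str) -> str:
    """Strip diacritics, case and punctuation so 'Kowalski, Jan' and
    'jan kowalski' compare equal; token order is ignored."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(sorted(re.findall(r"[a-z0-9]+", plain.lower())))


def verify_payee(iban: str, name_entered: str) -> Tuple[str, Optional[str]]:
    """Return one of the four VoP results and, for a close match, the name on
    file so the payer can confirm it before the transfer is authorised."""
    iban = re.sub(r"\s+", "", iban).upper()
    if not iban_is_valid(iban):
        return ("other", None)          # cannot verify: malformed IBAN
    registered = PAYEE_REGISTER.get(iban)
    if registered is None:
        return ("other", None)          # cannot verify: account unknown (assumed handling)
    entered, on_file = normalise_name(name_entered), normalise_name(registered)
    if entered == on_file:
        return ("match", None)
    if SequenceMatcher(None, entered, on_file).ratio() >= CLOSE_MATCH_THRESHOLD:
        return ("close match", registered)
    return ("no match", None)
```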
The EUDI Wallet mandate
Under the revised eIDAS framework, every member state must make at least one certified European Digital Identity (EUDI) Wallet available to citizens by November 2026. The wallet will allow the secure storage of identity and payment credentials, and in Poland it is expected to build on the existing mObywatel application. For e-commerce, the EUDI Wallet promises a future in which a customer can prove identity and authorise payment from a single, state-backed credential.
[Source] M. Pawlowski, Data Analytics for E-Commerce (UMCS, 2026), “Payment security in Poland.”
Payment security: the layered defence
No single control secures an online payment. Modern systems rely on several overlapping layers, each addressing a different point of weakness, so that the failure of one does not expose the customer.
Transport encryption: SSL and TLS
The foundation is encryption of the connection itself. Transport Layer Security (TLS), the successor to the Secure Sockets Layer that made web commerce possible in 1995, encrypts data as it travels between the customer’s browser and the merchant’s server, so that an eavesdropper cannot read card details in transit.
Tokenization
Tokenization replaces sensitive card data with a unique reference, a token, that is useless if intercepted. Stripe built its platform on this idea: card details are sent directly to the processor and the merchant receives only a token that points to data held in a secure vault, which means the merchant never stores the real card number and avoids the most demanding parts of PCI DSS compliance. Network tokenization in services such as Visa Mobile and Click to Pay extends the same protection across the card networks.
[Source] Stripe, “The token and the charge”; M. Pawlowski, Data Analytics for E-Commerce (UMCS, 2026).
The CVV and two-factor authentication
The card verification value (CVV), the short code printed on the card, proves that a buyer physically holds the card and is never stored after authorisation. Two-factor authentication, the practical form of PSD2 Strong Customer Authentication, adds a second proof of identity such as a one-time SMS code or an in-app biometric confirmation, so that a stolen password alone cannot complete a purchase.
3D Secure 2.0
3D Secure 2.0 is the protocol that ties these elements together at the card checkout. Rather than challenging every customer, it shares up to 150 data elements about the device and transaction with the card issuer, which scores the risk and decides whether to approve the payment silently (the frictionless flow, used for the large majority of transactions) or to request a step-up challenge. When authentication completes, liability for fraud shifts from the merchant to the issuer. Figure 2 sets out the full flow.

[Source] EMVCo, 3-D Secure 2.0 specification; Visa and Mastercard authentication guides.
Fraud typology
The controls of Section 4 exist because online payment has been a target for fraud since its earliest days. As early as 2004 a Gartner survey found that at least 30 million Americans had been targeted by phishing, with phishing alone costing card companies and banks more than 1.2 billion dollars in a single year. The threats have grown more organised since, but they still fall into recognisable categories.
[Source] Gartner phishing survey, reported in M. Pawlowski, Data Analytics for E-Commerce (UMCS, 2026).
The main categories
- Card-not-present (CNP) fraud. The dominant category in e-commerce: stolen card details are used to make purchases where the card need not be physically presented. 3D Secure and tokenization are the primary defences.
- Phishing and social engineering. Fraudulent messages impersonate a trusted brand to trick a customer into revealing credentials or authorising a payment. The weakness exploited is human, not technical.
- Account takeover. An attacker gains control of a legitimate customer account, often using credentials leaked from another breach, and then transacts as the genuine user.
- Identity theft and new-account fraud. Stolen personal data is used to open accounts or obtain credit in a victim’s name, a risk that the EUDI Wallet and stronger identity verification aim to reduce.
- Friendly fraud and chargeback abuse. A genuine customer disputes a legitimate charge to obtain a refund while keeping the goods, shifting cost onto the merchant.

Figure 3. Approximate distribution of reported e-commerce fraud cases by type. Card-not-present fraud and social-engineering attacks together account for the majority of incidents.
[Source] Visa and Mastercard fraud reports (2024 to 2025); European Central Bank, Report on card fraud.
The Polish context
Poland is one of Europe’s most distinctive payment markets, shaped by a domestic mobile scheme that most consumers prefer over cards and by a strong tradition of state-backed digital identity.
BLIK and the leading providers
BLIK is the national mobile payment system and the market leader. It works through single-use, six-digit codes that are valid for two minutes and require the customer to approve each transaction inside the banking app, which combines convenience with built-in two-factor security. Around BLIK sits a mature ecosystem of gateways: Przelewy24 (part of the Nexi Group), PayU with its one-click and instalment options, Tpay, and Polish ePayments in the in-store terminal segment.
[Source] M. Pawlowski, Data Analytics for E-Commerce (UMCS, 2026), “Payment security in Poland.”
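An added model, not BLIK's or any bank's code, of the flow just described: a single-use six-digit code valid for two minutes, consumed when the merchant submits it, and a payment held until the code's owner approves it in the app. The injected clock and the status strings are assumptions made for the example.

```python
import secrets
import time

CODE_TTL_SECONDS = 120        # a BLIK code is valid for two minutes
CODE_LENGTH = 6


class BlikBank:
    """Bank-side model of BLIK: issue a code, accept it from a merchant, then
    hold the payment until the customer approves it in the banking app.
    A clock function is injected so expiry can be tested without sleeping."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.codes = {}       # code -> (user, issued_at)
        self.pending = {}     # payment_id -> (user, merchant, amount)
        self.settled = []     # approved payments

    def issue_code(self, user):
        """Customer requests a code in the app; it is single-use."""
        while True:
            code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
            if code not in self.codes:        # keep live codes unique
                break
        self.codes[code] = (user, self.clock())
        return code

    def merchant_submit(self, code, merchant, amount):
        """Merchant forwards the code typed at checkout. The code is consumed
        immediately, so a replayed or expired code is rejected here."""
        entry = self.codes.pop(code, None)    # pop: the code cannot be reused
        if entry is None:
            return None, "unknown or already used code"
        user, issued_at = entry
        if self.clock() - issued_at > CODE_TTL_SECONDS:
            return None, "code expired"
        payment_id = secrets.token_hex(8)
        self.pending[payment_id] = (user, merchant, amount)
        return payment_id, "awaiting approval in app"

    def customer_decision(self, user, payment_id, approve):
        """Second factor: the customer sees merchant and amount in the app and
        approves or rejects. Only the code's owner may decide."""
        payment = self.pending.get(payment_id)
        if payment is None or payment[0] != user:
            return "no such pending payment for this user"
        del self.pending[payment_id]
        if approve:
            self.settled.append(payment)
            return "approved"
        return "rejected"
```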
Security standards in practice
Table 1. Selected payment-security measures applied in the Polish market.
| Measure | What it does |
| --- | --- |
| Strong Customer Authentication | Two-factor confirmation of online payments, for example a password plus an SMS code or in-app biometric. |
| Tokenization | Replaces card data with single-use tokens in services such as Visa Mobile and Click to Pay, reducing the risk of data leakage. |
| PCI DSS | Card-data security standard; Tpay is certified to PCI DSS v4.0.1 and PayU is audited annually as an ISO Level 1 provider. |
| DDoS protection | Polish payment infrastructure, including BLIK, is continuously monitored and hardened against overload attacks. |
[Source] M. Pawlowski, Data Analytics for E-Commerce (UMCS, 2026); NBP, payment-system reports.
mObywatel, the EUDI Wallet, and Verification of Payee
Poland’s mObywatel application already gives citizens a trusted digital identity, and it is the natural foundation for the certified EUDI Wallet that the country must provide by November 2026. In parallel, Polish banks and payment institutions implement Verification of Payee under the Instant Payments Regulation, checking the IBAN against the recipient’s details before a transfer is executed. Together these measures position Poland to combine a popular domestic payment method with continent-wide identity and anti-fraud infrastructure.
[Source] M. Pawlowski, Data Analytics for E-Commerce (UMCS, 2026); European Payments Council, VoP Scheme (2025).
Data analytics applied to payment security
Because fraud adapts faster than any fixed rule, the defence of the payment system has become a data problem. The same analytical methods used elsewhere in e-commerce, applied here to transaction streams, allow providers to separate legitimate behaviour from attack in real time.
Anomaly detection
Each customer and merchant generates a behavioural baseline: typical purchase amounts, times, locations, and devices. Anomaly-detection models flag transactions that deviate sharply from that baseline, for example a high-value purchase from a new device in an unfamiliar country, so that they can be challenged or held for review.
Transaction scoring
Rather than a simple approve-or-decline decision, modern systems assign each transaction a risk score derived from many signals at once. This score feeds directly into the 3D Secure 2.0 decision: low-risk transactions pass through the frictionless flow, while high-risk ones trigger a step-up challenge, which keeps friction low for the honest majority while concentrating scrutiny where it is needed.
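An added example, not from the report, that joins the behavioural baseline of the previous subsection to the risk-score-to-3D-Secure decision described here. The signal weights, the challenge threshold and the customer history are constructed for illustration, not an issuer's real model.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed threshold: a score at or above this sends the customer to a
# step-up challenge; below it the transaction takes the frictionless flow.
CHALLENGE_THRESHOLD = 50


@dataclass
class Transaction:
    amount: float
    country: str
    device_id: str
    hour: int            # local hour of day, 0-23


def build_baseline(history):
    """Per-customer behavioural profile from past approved transactions:
    typical amounts, countries, devices and hours of day."""
    return {
        "amounts": [t.amount for t in history],
        "countries": {t.country for t in history},
        "devices": {t.device_id for t in history},
        "hours": {t.hour for t in history},
    }


def risk_score(tx, base):
    """Combine independent signals into one 0-100 score plus the reasons
    behind it, so an analyst can see why a transaction was challenged."""
    score, reasons = 0, []
    mu = mean(base["amounts"])
    sigma = pstdev(base["amounts"]) or max(0.1 * mu, 1.0)   # guard for constant spend
    z = (tx.amount - mu) / sigma
    if z > 3:
        score += 30
        reasons.append(f"amount {z:.1f} sd above usual spend")
    elif z > 1.5:
        score += 15
        reasons.append(f"amount {z:.1f} sd above usual spend")
    if tx.device_id not in base["devices"]:
        score += 25
        reasons.append("new device")
    if tx.country not in base["countries"]:
        score += 30
        reasons.append("unfamiliar country")
    # Hour of day compared on a 24-hour circle, so 23:00 and 01:00 are close.
    gap = min(min(abs(tx.hour - h), 24 - abs(tx.hour - h)) for h in base["hours"])
    if gap > 3:
        score += 10
        reasons.append("unusual hour")
    return min(score, 100), reasons


def three_ds_decision(tx, base):
    """Map the score onto the 3D Secure 2.0 outcome the issuer returns."""
    score, reasons = risk_score(tx, base)
    flow = "challenge" if score >= CHALLENGE_THRESHOLD else "frictionless"
    return flow, score, reasons
```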
Machine-learning fraud models
Supervised machine-learning models learn from labelled histories of genuine and fraudulent transactions to recognise the subtle patterns that characterise emerging fraud. Their value lies in adaptation: as fraudsters change tactics, the models are retrained on fresh data and continue to detect what static rules would miss. The forthcoming PSR strengthens this approach by allowing payment providers to share fraud-related information among themselves, enlarging the data on which detection models can be trained.
[Source] European Banking Authority, guidance on fraud detection; Norton Rose Fulbright, PSD3 and PSR briefing (2026).
Conclusion and future outlook
Payment in e-commerce has matured from a single encrypted card transfer in 1994 into a layered system in which method, regulation, technology, and analytics reinforce one another. The customer who chooses BLIK, a wallet, or a card at checkout is relying, often unknowingly, on transport encryption, tokenization, strong authentication, risk-based 3D Secure, and a machine-learning model scoring the transaction in milliseconds.
The near future is unusually well defined. The Instant Payments Regulation has already made Verification of Payee mandatory across the euro area, PSD3 and the Payment Services Regulation will reshape liability and authentication once published in 2026, and the EUDI Wallet mandate arrives in November 2026 to give every European a state-backed digital identity. The clear direction of travel is toward payments that are faster and frictionless for honest customers, yet harder for fraudsters, with the balance held by data analytics.
For merchants the strategic lesson is consistent: security and conversion are not opposites. The same risk scoring that blocks a fraudulent transaction also waves a genuine customer through without a challenge. Treating payment security as a data-driven discipline, rather than a compliance burden, is what allows an e-commerce business to be both safe and easy to buy from.
What are the most common payment methods in e-commerce?
The most common payment methods in e-commerce include credit and debit cards, digital wallets (such as PayPal, Apple Pay, and Google Pay), bank transfers, Buy Now Pay Later (BNPL) services, and sometimes cryptocurrencies. Their availability depends on region, customer preferences, and regulatory environment.
What are the biggest security risks in e-commerce payments?
The main risks include phishing attacks, data breaches, identity theft, card-not-present fraud, account takeover, and malware. Weak encryption, poor authentication, and insecure APIs can increase vulnerability.
How do e-commerce platforms secure payments?
E-commerce platforms use multiple technologies such as SSL/TLS encryption, tokenization, two-factor authentication (2FA), secure payment gateways, and fraud detection systems powered by AI. These measures ensure that sensitive data is protected during transactions.
What is PCI DSS and why does it matter?
PCI DSS (Payment Card Industry Data Security Standard) is a global security standard designed to protect cardholder data. Compliance is mandatory for businesses handling card payments, helping to reduce fraud and ensure secure transactions.
What is tokenization in payment security?
Tokenization replaces sensitive payment data (like card numbers) with a unique, non-sensitive token. This means even if the data is intercepted, it cannot be used by attackers.
Are digital wallets safer than credit cards?
Digital wallets are generally considered safer because they use encryption, tokenization, and biometric authentication (such as fingerprint or facial recognition). They also reduce the need to share actual card details with merchants.
What is two-factor authentication (2FA) in payments?
Two-factor authentication adds an extra layer of security by requiring users to verify their identity using two methods, such as a password and a one-time code sent to their phone.
What are Buy Now Pay Later (BNPL) services?
BNPL allows customers to split payments into instalments, often without interest. While convenient, these services require proper risk management and security measures to prevent fraud and over-indebtedness.
REFERENCES
[1] Pawlowski, M. Data Analytics for E-Commerce, lecture materials, UMCS Faculty of Economics, 2026.
[2] European Central Bank. Instant Payments Regulation and Verification of Payee, ecb.europa.eu, 2024 to 2025.
[3] European Payments Council. Verification of Payee Scheme Rulebook, 2025.
[4] European Commission. Proposal for a Payment Services Regulation, COM(2023)367, 2023.
[5] Norton Rose Fulbright. PSD3 and PSR: From Provisional Agreement to 2026 Readiness, 2026.
[6] Finextra. Europe’s Instant Payments Regulation and the 9 October Deadline, Explained, 2025.
[7] Statista. European E-Commerce Payment Methods, 2025.
[8] ECDB. Payment Methods in European E-Commerce, 2025.
[9] Stripe. Online Payment API Design, stripe.com/blog, 2017.
[10] Britannica. PayPal, britannica.com/money, 2026.
[11] Visa and Mastercard. Fraud and Authentication Reports, 2024 to 2025.
[12] Narodowy Bank Polski. Payment System Reports, nbp.pl, 2025.
