Newbie Retailer's Guide to E-commerce Security

Published on June 14, 2017
Newbie Retailer's Guide to E-commerce Security

Don’t think security impacts sales? Think again. A secure web environment ensures the protection of customer data, but it also makes for a fast and optimized website that drives conversions. An unsecured web environment will be slow, frequently unresponsive, and even dangerous. Opening your first online store is an exciting milestone, and security should be one of your priorities. It’s important that you take control and ownership of your e-commerce security. Here’s what every newbie retailer needs to know about cybersecurity—take charge and run a more future-proof business today.

Security and customer experience

Would you shop at your local store if you suspected, even for a second, that your card might be swiped for data? We’re guessing not—and all your customers feel the same way about shopping with you. Security for e-commerce is a must-have; you need to constantly reassure shoppers about your security operations—in both subtle and obvious ways. Don’t launch headfirst into running an e-commerce business without appreciating the features of retail security.

  1. Invisible security – The website works fast and returns minimal errors.
  2. Visible security – Overt trust signals like secure payment gateways and guarantees are displayed to the consumer at regular intervals.

Both invisible and visible security help build customer relationships founded on trust. A secure web environment will also improve your customer service track-record – fewer errors and issues will allow for a more slimline operation.

The security risks your need to know

It’s hard to believe that people would actually target your new store, but online hacking is indiscriminate, and any store is immediately vulnerable just by being ‘live.’ So, what sorts of things do you need to protect yourself against? Here are some common security risks:

  1. Denial of Service or Distributed Denial of Service attacks — This is when your site and server are flooded with malicious queries that stop your website from working properly. It basically overwhelms your site, paralyzing it. These attacks can keep your site out of action for a long time and negatively impact sales. These are to be avoided at all costs. Keep your server and site safe; DoS attacks can come from a variety of different sources, including through applications, traffic flooding, and an overwhelming amount of server-side requests.
  2. SQL injections — This is where people attack your web forms or any other query parameters on your site (like dynamics URLs ) to gain access to your database. They can then inject rogue code into your database that can gather your data as well as delete it. (To protect yourself against this, you will want to use parameterised queries — limiting the queries people can request through your site).
  3. XSS attacks — Malicious JavaScript code inserted into your site: this can infect other people who visit your site, too. Hackers often insert this code this via web forms or web fields. (To protect yourself against this, you will want to use parameterised queries, as well as CSP: Content Security Policy).

What does a secure online store look like?

No matter how you choose to sell online, you need to select an e-commerce environment that is secure and frequently updated. The key is your ability to control the shopping environment, as code changes can be deadly.

  1. Popular open-source e-commerce technologies like WordPress and Magento may be slightly more vulnerable to large scale attacks, but that doesn’t mean they should be avoided or that they aren’t secure. (Here is your guide to WordPress site security.) You just need to make sure you install as much security functionality as you can and that your site remains frequently updated.
  2. Third-party plugins and ads open your site to vulnerabilities, so make sure they are secure and updated. Some software like Java and Adobe Flash aren’t very secure. Try to avoid sites that rely too heavily on these.
  3. A hosted web environment like Shopify is a secure option that’s good for beginners as it’s relatively hands-off; take advantage of their 24/7 online store support to quiz them on security option. Afterwards, you may want to install an additional security element.
  4. Third-party marketplaces have varying degrees of security; they are generally good, but big sites like Amazon do tend to become big targets for hackers. Just make sure that you use secure passwords and that you periodically back up and wipe unnecessary data.
  5. Selling through social media is easy for both the consumer and seller, but there are many potential security risks with social media, especially when you’re accepting payments through an application that wasn’t designed to do so.
  6. Your hardware and server safety are super important, too. Don’t skimp on hosting and hardware costs. As your business grows, you are going to need robust systems that allow for that growth.

As well as the security features mentioned above, file integrity monitoring is a good way to keep up with any changes to system files or your web environment. You can set up instant alerts so that you’re always in the know.

Payment and customer data security

One of the biggest e-commerce vulnerabilities is your payment process, and any security breaches involving customer payment data tend to get A LOT of press. Storing people’s payment details is your most important job as an online merchant, so make sure that you are clued up on payment security.

  1. Renew SSL certificates and ensure total PCI compliance. (Tripwire offers PCI compliance 3.2, which is ideal.) The requirements do change, and you need to regularly update certificates, so try to keep on top of this.
  2. If you are using a third party vendor, ensure that you understand how they are dealing with customers’ details. This is still your customers, and they won’t let you off the hook if something goes wrong for them. PayPal is popular with people as it’s easy and offers great protection for buyers, but the system does have its own quirks: they are allowed to freeze assets whilst they investigate transactions, which can be tricky for cash flow.
  3. Prominently display payment trust signals and logos on your payment pages. Make paying easy, but don’t unnecessarily store customer data, either. Encourage customers to use strong passwords.
  4. Verify card and address details to reduce the risk of fraudulent transactions. This can sometimes cause minor inconveniences for customers, but it’s all part of operating a safe business. Use unique tracking numbers for every transaction to combat chargeback fraud. Geo-targeting can also help eliminate fraudulent transactions. (Watch out for non-monetary fraud too, like the distribution of fraudulent voucher codes.)

Importance of staying up-to-date

Updates are super important for security; vulnerabilities or attacks are often caused by slow or inadequate updates to software, code, and hardware.

  1. When doing a major update, back up your store and its assets for safety.
  2. Updates to your content management system and its plugins all need to be implemented rapidly. Third-party plugins can be especially vulnerable to attacks, so only install the ones you definitely need.
  3. Slimming your backend code from time to time is a great way to spot any lurking issues or vulnerabilities.

Create a culture of safety

For new retailers, a lot of security comes down to attitude. Don’t spend all your efforts on expensive marketing and product photography and then invest peanuts in the actual security and longevity of your business. Security is something you need to take seriously, and with all the possible solutions out there, it’s not that hard to partly outsource your cyber security.

  1. Don’t just buy security software and expect it to do all the work for you. You need to educate yourself about different layers of security to be in full control.
  2. In the need for speed, customers often go for easy passwords. Encourage customers to set secure passwords using a traffic light system, and make the use of special characters and numbers compulsory.
  3. Make sure that staff understands how to treat sensitive customer details. The biggest security breaches still come from human error.
  4. You want to have no vulnerabilities in your supply chain. Make sure that your retail outfit is as secure as your web one.
  5. Security extends to hardware and servers too. Make sure they are checked and maintained by certified IT professionals.

Going for the highest level of security might seem like the best option, but if your spam filters are too strong or the user request limits too stringent, you might end up actually harming customer experience by blocking out completely legitimate traffic. There is no way to 100% mitigate this problem, but a lot of security software does give you the option of override functions and features. Speak to your security specialist to get a solution that best fits your needs and approach with caution. As the Internet of Things grows apace, the challenges of data management and security splinter off and become even more complex. For e-commerce retailers joining the fray, security needs to be one of your core concerns. Operate a secure website, and you will have a secure business. What’s your biggest e-commerce security challenge right now?  

patrickfoster.png

About the Author: Patrick Foster is an e-commerce marketer with 15+ years in the industry. He is currently writing as a side hustle; he loves to create content for entrepreneurs that helps them succeed and create businesses that are likely to go the distance. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!