5 Security Essentials for Ecommerce Sites
By Khurram Aziz
If you run a business online yourself, or you have a client who does, you’ll know that ecommerce sites are a major target for hackers and fraudsters. Just think about the thousands of credit card details and other personal information a typical ecommerce site stores. That’s what makes these sites, big and small, so attractive to criminals.
Before embarking on an ecommerce project, you need to ensure that all the necessary systems are in place to close any holes in your security. This article, which is based on conversations with ecommerce and security specialists, lists five of the most important security essentials for anyone running an online business.
These tips, while far from comprehensive, will outline the most commonly exploited vulnerabilities and the most effective way of safeguarding against them. Most of these are simple solutions anyone can implement and should be considering as part of a “basic” security check before opening any online retail environment.
Use SSL certificates and ensure PCI compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards that the credit and debit card industry has set for merchants who process card payments. In order to be in compliance, you need to guarantee protection for cardholder data and implement strong access control measures, among other things.
Even if you use a payment gateway, you will still be handling customer data and should ensure PCI compliance. The same goes for Secure Sockets Layer (SSL) authentication, which is a must for secure communication between your customers and your server.
“Your customers are putting a great deal of trust in any transactions they undertake on your website,” explains Jeff Chandler, marketing executive at DigiCert, an SSL certification company. “Ensuring that every web page on your site that deals with secure data is SSL certified and your payment gateway is PCI compliant, is the minimum you can do to protect customers.”
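The point in the quote above is that every page handling sensitive data, not just the checkout, must be served over a secure connection. As an added example (not from the article or from DigiCert), here is a small WSGI middleware that redirects any plain-HTTP request to its HTTPS equivalent and adds an HSTS header to every secure response, so browsers keep using HTTPS for the whole site. It assumes a WSGI application and, if a reverse proxy terminates TLS, that the proxy sets `X-Forwarded-Proto`; the shop application, hostnames and URLs are constructed for the example.

```python
"""Added example: force HTTPS for every page of the site, not only checkout.

Assumptions (hypothetical, not from the article): the site is a WSGI app,
and any reverse proxy that terminates TLS sets X-Forwarded-Proto.  Only
trust that header when it can only come from your own proxy.
"""
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # one year, per RFC 6797


def _is_https(environ):
    """Work out the scheme the client used, honouring the proxy header if present."""
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if forwarded:
        return forwarded.split(",")[0].strip().lower() == "https"
    return environ.get("wsgi.url_scheme", "http") == "https"


def _https_location(environ):
    """Rebuild the requested URL with an https scheme."""
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "localhost")
    path = quote(environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


class ForceHttps:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not _is_https(environ):
            # Redirect instead of serving anything in clear text.
            start_response("301 Moved Permanently",
                           [("Location", _https_location(environ)),
                            ("Content-Type", "text/plain"),
                            ("Content-Length", "0")])
            return [b""]

        def hsts_start_response(status, headers, exc_info=None):
            # Replace any existing HSTS header with the site-wide policy.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return self.app(environ, hsts_start_response)


def checkout_app(environ, start_response):
    """Constructed stand-in for the shop's real application."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<h1>Checkout</h1>"]


app = ForceHttps(checkout_app)


def call(application, environ):
    """Invoke a WSGI app without a server; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(application(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Constructed requests: one over plain HTTP, one that arrived via TLS at a proxy.
    plain = {"wsgi.url_scheme": "http", "HTTP_HOST": "shop.example",
             "PATH_INFO": "/checkout", "QUERY_STRING": "cart=7"}
    print(call(app, plain))
    print(call(app, dict(plain, HTTP_X_FORWARDED_PROTO="https")))
```

The redirect is a 301 so browsers and crawlers cache it; the HSTS header then stops the browser from ever making the first plain-HTTP request again for the next year. Only enable `includeSubDomains` once every subdomain actually has a valid certificate.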
Don’t hang on to customer data
Under most circumstances, there is no need to hold onto thousands of records on your customers, especially when it comes to credit card numbers, CVV2 numbers and expiration dates. In fact, under PCI standards, it’s forbidden.
Security experts say you should regularly purge old customer records and keep only the small amount of data on your servers that you need to process refunds and charge-backs.
“Of course, for email and marketing campaigns you’ll want a record of names, emails, phone numbers, and perhaps addresses of your customers,” says Carolyn Brackett, vice president at CyberSource, a company that helps process credit card payments for businesses. “But you need to think carefully about what and how much data you do store considering the risk you are putting your customers under.”
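As an added example of the data minimisation described in this section (not code from the article or from CyberSource), the following stores only what a refund or charge-back needs: the gateway's transaction reference and the last four digits of the card, never the full number, CVV2 or expiry date. It also purges records older than a retention window. The field names, the gateway token and the 90-day window are hypothetical choices for the example, and the sample transaction is constructed, not real card data.

```python
"""Added example: keep only the data refunds and charge-backs need, and
purge the rest once it is older than the retention window.

Assumptions (hypothetical): the payment gateway returns a reference token
for each authorised transaction, so the card itself never has to be kept.
"""
from datetime import date, timedelta

RETENTION_DAYS = 90  # hypothetical window; pick yours from your refund policy

# Never written to disk: the article names card numbers, CVV2 codes and
# expiry dates as the data not to keep.
NEVER_STORE = {"card_number", "cvv2", "expiry"}


def minimise(transaction):
    """Return the record to persist: gateway reference plus a masked card hint."""
    pan = transaction["card_number"].replace(" ", "")
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("card number must be 12-19 digits")
    kept = {k: v for k, v in transaction.items() if k not in NEVER_STORE}
    kept["card_last4"] = pan[-4:]  # enough for the customer to recognise the card
    return kept


def purge_expired(records, today):
    """Drop records whose order date is older than RETENTION_DAYS; return the rest."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    return [r for r in records if r["order_date"] >= cutoff]


# Constructed sample transaction (test card number, not a real card).
SAMPLE = {
    "order_id": "A1001", "order_date": date(2024, 5, 1), "amount": "49.90",
    "gateway_ref": "tok_example_123",
    "card_number": "4111 1111 1111 1111", "cvv2": "123", "expiry": "12/27",
    "card_brand": "visa",
}

if __name__ == "__main__":
    stored = minimise(SAMPLE)
    print(stored)
    old = dict(stored, order_id="A0900", order_date=date(2024, 1, 15))
    print(purge_expired([stored, old], today=date(2024, 7, 1)))
```

The gateway reference is what you hand back to the processor for a refund, so the card number adds nothing once the authorisation has succeeded; anything you do not store cannot be stolen from you.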
Have multiple layers of security
Layering security is an essential deterrent to cybercrime, according to internet security expert Allen Grayson, an engineer at Symantec.
“This starts with firewalls which stop attackers gaining access to your network,” says Grayson. “From there you add layers of security on contact forms, secure passwords for logins, and search queries.”
These layers are among the best ways to protect against application-level attacks such as cross-site scripting and SQL injection.
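To make the application-layer part of this concrete, here is an added example (not from the article or from Symantec) of a product search written twice: a vulnerable version that pastes the search term into the SQL statement, and a hardened version that binds the term as a parameter and HTML-escapes what it echoes back to the page. An in-memory SQLite table constructed here stands in for the shop's catalogue; the table, product names and function names are hypothetical.

```python
"""Added example: the same product search, vulnerable and hardened.

The catalogue below is constructed for the example.  The 'unsafe' search
lets a crafted term rewrite the query (for instance, revealing unpublished
rows); the 'safe' search binds the term so it can only ever be data, and
the renderer escapes output so a term cannot inject markup into the page.
"""
import html
import sqlite3


def build_catalogue():
    """Constructed in-memory catalogue with one row that must stay hidden."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, price REAL, published INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("Blue mug", 8.50, 1),
        ("Red mug", 9.00, 1),
        ("Unreleased mug", 0.0, 0),  # must never appear in public search
    ])
    return db


def search_unsafe(db, term):
    """Vulnerable: the term is interpolated into the statement text."""
    sql = f"SELECT name FROM products WHERE published = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in db.execute(sql)]


def search_safe(db, term):
    """Hardened: the term is bound as a parameter, never parsed as SQL."""
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in db.execute(sql, (f"%{term}%",))]


def render_results(term, names):
    """Echo the term and results with HTML escaping, so reflected input is inert."""
    items = "".join(f"<li>{html.escape(n)}</li>" for n in names)
    return f"<p>Results for {html.escape(term)}</p><ul>{items}</ul>"


if __name__ == "__main__":
    db = build_catalogue()
    print(search_safe(db, "mug"))
    print(render_results("<b>mug</b>", search_safe(db, "mug")))
```

Parameter binding is the layer on the search query; output escaping is the layer on the page that shows it. Both are needed: binding alone does not stop a stored or reflected script, and escaping alone does not stop the database from being queried in ways you did not intend.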
Ensure DDoS protection with cloud-based services
Distributed Denial of Service (DDoS) attacks have grown in frequency and are increasingly sophisticated. In response, companies can sign up to cloud-based services that “scrub” unwanted traffic. Some of the higher-end services also offer managed DNS to provide transaction capacity and make it harder for DDoS attacks to succeed.
“For cloud-based DDoS protection to work, you need to send your traffic through a good DDoS protection service that has scrubbing nodes that filter legitimate traffic back to your site,” explains Richard Elder, chief executive at SwitchVPN. “This move alone can eliminate a significant cost for companies which try to mitigate against this common attack on their own.”
What’s more, a cloud approach can also help deliver 100% DNS resolution to an online business, which improves the availability of its internet-facing systems as well as the communications between your site and your customers.
Install security patches on your system regularly
You shouldn’t wait even a day to install a security patch after its release. That covers everything from WordPress or Magento updates to third-party code like Perl, Java and Python.
“One thing that almost all breached sites have in common is that they are generally found running old versions of software and code,” says Susan Watkins, chief strategist at searchengineoptimisation.org.za.
Watkins believes that you should install patches on all software, paying particular attention to WordPress, Joomla, and other web apps, like OSCommerce and ZenCart. These are particular targets of attackers and should be regularly checked for updates.
These are by no means the only steps you should take to make your ecommerce site as secure as possible for your customers, your clients and yourself. But they do offer a basic checklist: if you’re not taking these five steps, your ecommerce site is simply not as secure as you think it is.