While there is a wealth of information available on the topic of website security, many of the articles available are highly technical. Accurate information written for a non-technical audience is sadly lacking. Every online store owner should have at least a basic understanding of security principles. Whether you’re a website owner, designer, marketer (or something else) this article will introduce you to the principles of eCommerce security.
There are two primary ways customers’ data is compromised: 1) when unauthorized users obtain a username and password, or 2) when hackers are able to exploit a software security hole to gain access to data.
If your online store uses a software-as-a-service platform, such as Yahoo Store or Shopify, some (but not all) of the security concerns listed below will be handled by your service provider. If your online store uses open-source or custom eCommerce software, you will be fully responsible for all aspects of your website’s security.
1. A SSL certificate is only a start
Many internet users assume that a website is fully secure and safe if the address begins with https://. An https:// website address means the the connection between your computer and the website is encrypted by a SSL certificate. This encryption keeps hackers from being able to read the shopper’s credit card information while it is being transmitted to the website, but doesn’t protect the data once it reaches the website and is stored in the website’s database.
Bottom line: You do need an SSL certificate, but it’s only a start.
2. Don’t rely on changing your passwords
Research done by Microsoft researcher Cormac Herley found that if a hacker gains your password, they will use it right away – before you get a chance to change your password. Despite this finding (which is really common sense), many web users believe that changing their password on a regular basis will protect their accounts and data.
Bottom line: Changing passwords certainly won’t hurt, but never count on it to protect your customers’ sensitive data.
3. Force password security
Passwords such as “password” or “123456” are easy to guess. Some hackers use robots to break into accounts by trying to login using different common passwords – they just keep trying until they find the right password. In fact, Syrian President Bashar al-Assad’s email account was recently hacked because his password was, you guessed it, 12345. To make your site less susceptible to password cracking, start by ensuring that ftp, database, and all other passwords meet industry-recommended password guidelines. (A good place to start is an 8-character minimum, with numbers and special characters.) You should also setup your eCommerce software to require that all user-selected passwords meet minimum security guidelines.
Bottom line: Ensure that every password that can be used to access your site meets minimum security guidelines.
4. Encrypt data in your database
Any highly sensitive data in your database should be encrypted. In most cases, this includes account passwords, tax-IDs, and all payment information. Encrypted data is somewhat harder for a hacker to gain access to (though not foolproof). In most cases, you should avoid storing credit card information at all (see #7 below).
Bottom line: Ensure your eCommerce software encrypts sensitive data.
5. Protect your forms from exploitation and injection
Web forms, including contact forms and checkout pages are common weak spots hackers can use to gain access to the source code or database of your website. There are many different ways hackers can use an exploit, ranging from inserting links or viruses on your site to accessing data in your database. Forms should be coded to properly validate input and reject any code injection.
Bottom line: If you are using open-source software, ensure the core software and any plugin you use has features to resist code injection via forms. If your site is custom-coded, ensure the programmer has coded all forms to resist exploitation or injection.
6. Ensure any known security vulnerabilities are quickly updated
If your online store runs on open-source (or purchased) software, stay up-to-date on new releases and security notices. If a security flaw is found, apply the appropriate fix or update immediately. Most software packages offer an email list to alert you when an update is needed.
Bottom line: Apply the needed fix or update to your site immediately when there is a security flaw.
7. Don’t store credit card numbers
One of the simplest ways to protect your customers’ payment details is to not store the data – hackers can’t access data that isn’t there. If you do have to store payment details for some reason, you’ll need to be extra careful to follow the relevant portions of the PCI Standards (a set of mandatory security guidelines all websites that accept credit card payments must follow). If you need to store credit card numbers, you can use a feature like Authorize.net ARB or Authorize.net CIM to store the data securely on Authorize.net’s servers.
Bottom line: Don’t store credit card numbers unless you absolutely must, then use the most secure option possible.
8. Setup safeguards for customers’ logins
If a hacker gained access to a customer’s account, would they be able to place an order billed to the customer but shipped to them? Worse still, would they be able to access the customer’s credit card number? If your site allows users to login to access order history or place an order, ensure that you have safeguards in place to keep a hacker from wreaking havoc if they gain access to a customer account.
Bottom line: Ensure hackers can’t gain sensitive data or place unauthorized orders by accessing customer accounts.
9. Allow access to data on an as-needed basis
An often overlooked source of security breaches is dishonest employees or vendors. To minimize the risk of an employee or vendor selling or using customer data for their own purposes, limit each user to have access to only the level of data they need. Speak with your lawyer about your limiting your liability.
Bottom line: Minimize risk by setting user account permissions to only allow access to the data each user needs.
Note: Website and data security encompasses many legal and technical aspects – this article is not a comprehensive guide. This article is designed to help you understand the issues at stake and give you the information you need to hire expert assistance if needed. An attorney and a programmer who specializes in security issues will be able to help you minimize your risk of a security incident.
About the Author: Marjorie Yao is the Assistant Website Manager for Small Business Domain, a website offering reviews and coupons for web hosting, domains, and eCommerce platforms from Yahoo, GoDaddy, and other providers.