In this extensive article we outline 6 highly effective ecommerce security tactics for keeping your business safe from cybercriminals.
Every year, the scope and impact of ecommerce security threats expand. Ecommerce businesses must adhere to PCI DSS rules, but many choose to take further data security measures to build consumer confidence and minimize the effects of data breaches. Boutique sites and large retailers alike need current and compliant security measures to protect their ecommerce sales in 2018 and beyond.
Typical Ecommerce Security Issues
The average cost of a sensitive data record in 2016 was $158, and the average cost of a breach rose to $4 million. The Identity Theft Resource Center recorded 1,093 breaches in 2016. Credit card and debit card information accounted for 13.1% of the exposed records during that time. Fraud, DoS, man-in-the-middle, phishing, and ransomware all represent potential security threats in the ecommerce space. The cost of a single breach is too high for any business to ignore.
PCI DSS, the security standards governing all payment card data-handling activities, provides a strong foundation for cybersecurity. It does not, however, dictate specific tools, terms, or methodologies to protect online ecommerce transactions. Every business must assess vulnerability and choose the appropriate measures for their situation.
Ecommerce Security Threats Facing Your Business
There are a wide variety of threats facing today’s online retailers. In order to better understand the importance of ecommerce security, you’ll first need to understand the various risks you’ll need to account for.
Virtually any software you’re using to run your business, even the platform or extensions themselves, will contain vulnerable weak points that savvy attackers know how to exploit. Here are a few of the most common ways to do so:
Cross-site scripting may not directly impact your business, but the threat to your customers is very real. Sophisticated cross-site scripting attacks can deliver customer credit card information, in spite of utilizing a third-party payment processor and HTTPS encryption.
Phishing is another ecommerce security threat where criminals pose as legitimate entities in order to access sensitive information. These attacks typically come in the form of legitimate-seeming emails, landing pages, or websites that have been designed to capture sensitive information.
The attacker poses as a legitimate organization, typically one your business is already connected with, and asks for anything from account information, login credentials, and other data that could open you up to a wide array of vulnerabilities.
These fraudulent interactions are also commonly used to install malware that can steal such information or record the keystrokes necessary to gain unauthorized access. Phishing is one of the greatest ecommerce security issues facing businesses today and one that absolutely needs to be addressed in your security strategy.
SQL injection is a threat to any site that makes use of an SQL database, including major platforms like Magento. Here the attacker includes malicious SQL statements as a part of an otherwise legitimate SQL inquiry, potentially giving them access to your database(s) and allowing them access to sensitive information.
Distributed Denial of Service
Another common ecommerce security issue, distributed denial of service (DDoS) attacks, overwhelm servers with requests, typically from hundreds or thousands of compromised IP addresses.
These attacks results in your website being taken offline temporarily, resulting in the inability for your users to interact with the site and complete the orders they would normally be making. Typically these attacks target larger ecommerce retailers, but smaller stores are also at risk when a host or DNS provider is targeted.
A study by Distil networks determined that malicious bots account for 15.6% of the average ecommerce site’s traffic. Bots can be used to harm your ecommerce business in a variety of ways, such as:
- Price Scraping – Used to identify competitor pricing, typically in order to undercut the competition.
- Fraudulent Login – Bots are capable of using brute force attacks to guess legitimate user credentials, giving access to the bot owner or allowing them to sell it to a third party.
- SEO Impact – Scraping bots can produce duplicate content on your website that Google penalizes, in turn hurting your rankings.
- Fraudulent Purchases – Bots are able to guess CVV numbers for stolen credit cards, allowing their owners to make fraudulent purchases.
Now that we’ve identified some of the most common ecommerce security threats facing your business, let’s move onto how you can protect against them most effectively.
Six Tips to Improve Your Ecommerce Security
Use these tips to create and optimize an ecommerce security program designed to withstand and minimize attacks in our ever-changing threat landscape:
1. Choose service providers wisely
Many ecommerce businesses rely on outside vendors to support hosting, data storage, POS maintenance, and payment processing needs. These third-party providers add complexity to your ecommerce security strategy and play a part in mitigating or creating risks. And when it comes to your ecommerce applications, any downtime puts your business in jeopardy.
Service providers that come into contact with your sensitive data must adhere to the PCI DSS 3.2 standards. Businesses should vet all providers for compliance and security before agreeing to use their payment card handling, storing, or processing services. Coordinate with your vendor to implement processes for detection, prevention, and failure alerts, including firewalls, anti-virus systems, advanced encryption, two-factor authentication, physical and logical access controls, auditing mechanisms, and segmentation controls.
Look for a hosting provider that meets the following criteria:
- Uses 256-bit encryption
- Performs regular backups
- Maintains comprehensive logs
- Offers network monitoring
- Provides written policies and procedures, including data breach protocols
- Demonstrates their dedication to compliance and security through their credentials—PCI compliance audits, SSAE16 Type II, SOC 1, and SOC 2 to name a few
2. Prioritize PCI compliance and security
PCI compliance governs the minimum requirements for network and wireless security. It only takes one vulnerability for your website or network to be compromised.
“Breached sites are constantly found running a three-year-old version of PHP… Patch your systems. Patch everything immediately—literally the day they release a new version,” says Kyle Adams, chief software architect for Junos WebApp Secure at Juniper Networks. Remember that your systems and applications should be audited and tested regularly as part of your security policy.
Many ecommerce security problems have one root cause: Attackers gain access to raw credit card information from your merchant systems. Tokenization eliminates the need to store your customers’ payment information directly, therefore reducing risks—you never have to transmit sensitive information through your own systems.
If you don’t understand your responsibilities or don’t want the stress of keeping up with the latest in ecommerce security technology, work with a PCI compliance and security consultant who can help. Employee training, testing/monitoring, and policy development are equally important and compliment the technology you implement.
3. Train employees
Inside data access plays a role in approximately 60% of cyberattacks. Some involve malicious intent, but others suggest ignorance. Employees who don’t recognize the red flags of a phishing attempt or spoofing attack will not take steps to avoid them and report the vulnerability. Consider cybersecurity a mandatory part of employee orientation and ongoing training requirements. Password creation, access control, recognizing the signs of an attack, and remediation practices can all strengthen your business’ ecommerce security prevention and response plans.
4. Maintain SSL certificates
“It can be a leap of faith for customers to trust that their ecommerce site is safe, particularly when web-based attacks increased by 30% last year. So, it’s important to use SSL certificates to authenticate the identity of your business and encrypt the data in transit,” says Rick Andrews, technical director, Trust Services, Symantec.
SSL authentication protects both cardholders and ecommerce businesses from fraud. The certificate uses encryption protocols to protect transactions as they travel along the network. The behind-the-scenes process ensures cardholder data matches information on file with a card provider and protects a valid cardholder from sending money to cybercriminals attempting to gain access to the e-commerce site.
5. Monitor ecommerce activities
Look for inconsistencies in financial transactions on a routine basis. Different billing and shipping information, IP address changes, and anonymous email account purchases may constitute red flags for fraud. Investigate and confirm any suspicious purchases to protect your business from malicious ecommerce scams.
You’ll also want to use access control policies to minimize the number of employees who come into contact with financial information. Log management and access control rules within the system will ensure a limited number of individuals can view and/or manipulate sensitive data.
6. Conduct vulnerability and penetration testing
Continually assess systems for endpoint vulnerabilities, network weaknesses, and suboptimal ecommerce security solutions. Use ongoing assessments to strengthen hosting, networking, and data storage arrangements over time.
Work with an internal team or security contractor to conduct simulated attacks on business systems. These penetration attacks often reveal missed vulnerabilities and enable companies to optimize patch management and log management systems. Every addressed vulnerability reduces a criminal’s ability to attack your business.
Ecommerce offers businesses a way to quickly and automatically process transactions and move product. Risks come along with the benefits of this increasingly popular purchasing method. Take the time to manage the risks to prevent and minimize damage during an attack with robust and ongoing ecommerce security practices. Cybersecurity is not a one-time fix. Shielding small and large organizations from both pointed attacks and crimes of convenience requires vigilance and persistence.
If you have questions or concerns regarding PCI DSS compliant hosting or managed security services for your e-commerce business, please contact an OnRamp expert.