Every year, the scope and impact of cyber threats expand. E-commerce businesses must adhere to PCI DSS rules, but many choose to take further data security measures to build consumer confidence and minimize the effects of data breaches. Boutique sites and large retailers alike need current and compliant security measures to protect e-commerce sales in 2017.
Explore E-commerce Risks
The average cost of a sensitive data record in 2016 was $158, and the average cost of a breach rose to $4 million. The Identity Theft Resource Center recorded 1,093 breaches in 2016. Credit card and debit card information accounted for 13.1% of the exposed records during that time. Fraud, DoS, man-in-the-middle, phishing, and ransomware all represent potential security threats in the e-commerce space. The cost of a single breach is too high for any business to ignore.
PCI DSS, the security standards governing all payment card data-handling activities, provides a strong foundation for cybersecurity. It does not, however, dictate specific tools, terms, or methodologies to protect online e-commerce transactions. Every business must assess vulnerability and choose the appropriate measures for their situation.
Use These Six Tips to Protect Your E-Commerce Business
Use these tips to create and optimize a cybersecurity program designed to withstand and minimize attacks in an ever-changing threat landscape:
- Choose service providers wisely. Many e-commerce businesses rely on outside vendors to support hosting, data storage, POS maintenance, and payment processing needs. These third-party providers add complexity to your security strategy and play a part in mitigating or creating risks. And when it comes to your e-commerce applications, any downtime puts your business in jeopardy.
Service providers that come into contact with your sensitive data must adhere to the PCI DSS 3.2 standards. Businesses should vet all providers for compliance and security before agreeing to use their payment card handling, storing, or processing services. Coordinate with your vendor to implement processes for detection, prevention, and failure alerts, including firewalls, anti-virus systems, advanced encryption, two-factor authentication, physical and logical access controls, auditing mechanisms, and segmentation controls.
Look for a hosting provider that meets the following criteria:
- Uses 256-bit encryption
- Performs regular backups
- Maintains comprehensive logs
- Offers network monitoring
- Provides written policies and procedures, including data breach protocols
- Demonstrates their dedication to compliance and security through their credentials—PCI compliance audits, SSAE16 Type II, SOC 1, and SOC 2 to name a few.
- Prioritize PCI compliance and security. PCI compliance governs the minimum requirements for network and wireless security. It only takes one vulnerability for your website or network to be compromised.
“Breached sites are constantly found running a three-year-old version of PHP… Patch your systems. Patch everything immediately–literally the day they release a new version,” says Kyle Adams, chief software architect for Junos WebApp Secure at Juniper Networks. Remember that your systems and applications should be audited and tested regularly as part of your security policy.
Many security problems have one root cause: Attackers gain access to raw credit card information from your merchant systems. Tokenization eliminates the need to store your customers’ payment information directly, therefore reducing risks—you never have to transmit sensitive information through your own systems.
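The tokenization boundary described above, as an added sketch that is not part of the original article and is not any payment provider's API. `TokenVault`, `record_order` and the test card number are hypothetical names and constructed values; in a real deployment the vault is the provider's service and the card number goes from the customer's browser directly to it.

```python
import secrets

TEST_PAN = "4111111111111111"  # constructed: a widely used test card number


def luhn_ok(pan):
    """Luhn checksum, so mistyped numbers are rejected before tokenizing."""
    digits = [int(d) for d in pan][::-1]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0


class TokenVault:
    """Stand-in for the payment provider: the only place the card number lives."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan):
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid card number")
        # The token is random, so it cannot be reversed into the card number.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pan_by_token[token] = pan
        return token, pan[-4:]

    def charge(self, token, amount_cents):
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return {"status": "approved", "amount_cents": amount_cents}


def record_order(vault, merchant_db, order_id, token, last4, amount_cents):
    """Merchant side: stores and transmits only the token and the last four digits."""
    merchant_db[order_id] = {"token": token, "last4": last4,
                             "amount_cents": amount_cents}
    return vault.charge(token, amount_cents)


if __name__ == "__main__":
    vault, merchant_db = TokenVault(), {}
    token, last4 = vault.tokenize(TEST_PAN)  # happens on the provider's side
    print(record_order(vault, merchant_db, "order-1", token, last4, 2599))
    print(merchant_db)  # contains no card number
```

A copy of `merchant_db` taken by an attacker yields tokens that are only usable through the vault, which is the risk reduction the paragraph describes.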
If you don’t understand your responsibilities or don’t want the stress of keeping up with the latest in security technology, work with a PCI compliance and security consultant who can help. Employee training, testing and monitoring, and policy development are equally important and complement the technology you implement.
- Train employees. Inside data access plays a role in approximately 60% of cyberattacks. Some involve malicious intent, but others suggest ignorance. Employees who don’t recognize the red flags of a phishing attempt or spoofing attack will not take steps to avoid them and report the vulnerability. Consider cybersecurity a mandatory part of employee orientation and ongoing training requirements. Password creation, access control, recognizing the signs of an attack, and remediation practices can all strengthen your business’ cybersecurity prevention and response plans.
- Maintain SSL certificates. “It can be a leap of faith for customers to trust that their ecommerce site is safe, particularly when web-based attacks increased by 30% last year. So, it’s important to use SSL certificates to authenticate the identity of your business and encrypt the data in transit,” says Rick Andrews, technical director, Trust Services, Symantec.
SSL authentication protects both cardholders and e-commerce businesses from fraud. The certificate uses encryption protocols to protect transactions as they travel along the network. The behind-the-scenes process ensures cardholder data matches information on file with a card provider and protects a valid cardholder from sending money to cybercriminals attempting to gain access to the e-commerce site.
- Monitor e-commerce activities. Look for inconsistencies in financial transactions on a routine basis. Different billing and shipping information, IP address changes, and anonymous email account purchases may constitute red flags for fraud. Investigate and confirm any suspicious purchases to protect your business from malicious e-commerce scams.
You’ll also want to use access control policies to minimize the number of employees who come into contact with financial information. Log management and access control rules within the system will ensure a limited number of individuals can view and/or manipulate sensitive data.
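The red flags listed under "Monitor e-commerce activities", turned into a screening pass over order records, as an added example that is not part of the original article. The order fields, the sample orders and the throwaway-domain list are constructed assumptions, and the domain list stands in for "anonymous email account" detection.

```python
from collections import defaultdict

# Constructed stand-in for a disposable-mail domain feed (assumption).
DISPOSABLE_DOMAINS = {"tempmail.example", "mailinator.example"}


def norm_addr(addr):
    """Normalize case and whitespace so cosmetic differences do not flag."""
    return tuple(" ".join(addr.get(k, "").lower().split())
                 for k in ("street", "city", "postcode", "country"))


def screen_orders(orders):
    """Return {order_id: [reasons]} for orders showing the red flags above."""
    seen_ips = defaultdict(set)  # account -> IPs seen on earlier orders
    flagged = {}
    for o in sorted(orders, key=lambda o: o["ts"]):
        reasons = []
        if norm_addr(o["billing"]) != norm_addr(o["shipping"]):
            reasons.append("billing/shipping mismatch")
        prior = seen_ips[o["account"]]
        if prior and o["ip"] not in prior:
            reasons.append("new IP for account")
        prior.add(o["ip"])
        if o["email"].rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS:
            reasons.append("throwaway email domain")
        if reasons:
            flagged[o["id"]] = reasons
    return flagged


# Constructed sample orders (documentation IP ranges, fictitious addresses).
HOME = {"street": "12 Elm St", "city": "Austin", "postcode": "78701", "country": "US"}
HOME_VARIANT = {"street": "12  elm st", "city": "AUSTIN", "postcode": "78701", "country": "us"}
DROP = {"street": "900 Dock Rd", "city": "Miami", "postcode": "33101", "country": "US"}
ORDERS = [
    {"id": "A1", "ts": 1, "account": "alice", "email": "alice@shop.example",
     "ip": "198.51.100.7", "billing": HOME, "shipping": HOME_VARIANT},
    {"id": "A2", "ts": 2, "account": "alice", "email": "alice@shop.example",
     "ip": "203.0.113.9", "billing": HOME, "shipping": HOME},
    {"id": "B1", "ts": 3, "account": "bob", "email": "bob@tempmail.example",
     "ip": "192.0.2.4", "billing": HOME, "shipping": DROP},
]

if __name__ == "__main__":
    for order_id, reasons in screen_orders(ORDERS).items():
        print(order_id, "->", ", ".join(reasons))
```

A flag is a prompt to investigate and confirm the purchase, not proof of fraud: gift orders and travelling customers trip the same rules.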
- Conduct vulnerability and penetration testing. Continually assess systems for endpoint vulnerabilities, network weaknesses, and suboptimal security solutions. Use ongoing assessments to strengthen hosting, networking, and data storage arrangements over time.
Work with an internal team or security contractor to conduct simulated attacks on business systems. These penetration attacks often reveal missed vulnerabilities and enable companies to optimize patch management and log management systems. Every addressed vulnerability reduces a criminal’s ability to attack your business.
E-commerce offers businesses a way to quickly and automatically process transactions and move product. Risks come along with the benefits of this increasingly popular purchasing method. Take the time to manage the risks to prevent and minimize damage during an attack with robust and ongoing security practices. Cybersecurity is not a one-time fix. Shielding small and large organizations from both pointed attacks and crimes of convenience requires vigilance and persistence.
If you have questions or concerns regarding PCI DSS compliant hosting or managed security services for your e-commerce business, please contact an OnRamp expert.