Safety Check: Security Issues with e-Commerce

By Lisa Cedrone

When engaging in e-commerce today, one of the biggest concerns for any business is security. “Sellers have a responsibility to their customers,” points out Ryan Lunka in an nChannel.com article on ethical issues in e-commerce, and you need to ensure that online transactions do not result in data theft or security breaches.1

Remember, whether you are a coach offering online sessions or a retailer selling products, your company is responsible for critical data when a sales transaction takes place, typically including credit card information, street address, and an email address and password if an account is involved. “Hackers can do a lot of damage to your customers with that information,” adds Lunka. “You certainly don’t want to lose your customers’ trust.”

Of all the fraud strategies now plaguing the Internet arena, identity theft is the one people lose the most sleep over, according to a Worldpay survey of 274 businesses three years ago. “According to the study, the most common types of fraud causing concern among merchants are identity theft (71 percent), phishing* (66 percent) and account theft (63 percent). Here, credit cards are the most popular target, as a fraudster does not need much to carry out a ‘card not present’ transaction.”2

* According to Wikipedia, “phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.”

Where to Focus

With so many different security issues to consider, the task of securing your website may seem daunting. And while you definitely can breathe easier if you are using PayPal or one of the many hosted platforms now available for goods and services—such as Shopify or Squarespace—it’s still important to understand what is involved in keeping your customers and your business transactions safe and protected.

Here are 15 key areas that you should consider when it comes to keeping your e-commerce site secure, according to a report by Jennifer L. Schiff in CIO magazine:3

  1. Use a secure connection for online checkout and ensure PCI compliance. Use SSL [Secure Sockets Layer] authentication for Web and data protection. It is the standard security technology for establishing an encrypted link between a web server and a browser, which ensures that all data passed between the web server and browsers remain private and encrypted in transit. Even better is to integrate the stronger EV SSL [Extended Validation Secure Sockets Layer], URL green bar and SSL security seal so customers have more faith that a website is secure. Also, the Payment Card Industry Data Security Standard (PCI DSS) must be followed by all companies that accept credit card payments. “If your company intends to accept card payment, and store, process and transmit cardholder data, you need to host your data securely with a PCI compliant hosting provider,” explains an article on PCI compliance at Online Tech.4 (For a summary of the PCI guidelines, see Figure 1.)
  2. Don’t store sensitive data. It’s not advisable to store sensitive records on your customers. “There is no reason to store thousands of records…especially credit card numbers, expiration dates and CVV [card verification value] codes. If you are managing your own system, be sure to purge old records and keep a minimal amount of data, just enough for chargebacks and refunds.”
  3. Employ an address and card verification system. If you enable an address verification system (AVS) and require the card verification value (CVV) for credit card transactions, you will reduce fraudulent charges.
  4. Require strong passwords. Help customers help themselves by requiring a minimum number of characters and the use of symbols and/or numbers in passwords.
  5. Set up alerts for suspicious activity. It’s possible to set alert notices for multiple and suspicious transactions coming through from the same IP address. You also can use alerts for multiple orders from the same person using different credit cards, or phone numbers that are from different area codes than billing addresses.
  6. Layer security. Make sure you have a firewall, which is essential in stopping attacks before they breach a network and gain access to sensitive information. You also can add extra layers of security to the website and applications such as contact forms, login boxes and search queries.
  7. Provide security training for employees. Employees must understand that they should never email or text sensitive data or reveal private customer information in chat sessions because none of these communication methods is secure. Educate employees on the laws and your code of business ethics and have written protocols and policies.
  8. Use tracking numbers for all orders. This is especially important if your business is drop shipping.
  9. Monitor your e-commerce site. You need to keep an eye on your site and make sure that your web hosting or e-commerce platform is doing the same. Observing how visitors interact with your site can show patterns of suspicious behavior. Also, your website host should be monitoring for malware (software that is intended to damage or disable computers and computer systems), viruses and other harmful software.
  10. Perform PCI scans regularly. Services like Trustwave can lessen the risk that your e-commerce platform is vulnerable to hacking attempts. And, if you’re using third-party downloaded software like Magento, stay current with new versions and security enhancements.
  11. Patch systems. Update your systems immediately, including the web server, as well as other third-party code like Java, Python, Perl, WordPress and Joomla, which are favorite targets for cyber attacks.
  12. Have a DDoS protection and mitigation service. Distributed Denial of Service (DDoS) attacks (when multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource) are increasing in frequency, sophistication and range of targets. Hence, it’s advisable to use a cloud-based DDoS protection service and managed Domain Name System (DNS) services, which will lower operational costs and improve security.
  13. Consider using a fraud management service. While most credit card companies have fraud management and chargeback services, it might be wise to invest in your own, especially if you are a small company with limited financial resources.
  14. Make sure your site is backed up and has a disaster recovery plan. What happens if there is a power outage, hard drive failure or even a virus? Make sure your site and hosting service both have a plan.
  15. Choose a secure e-commerce platform. A platform that uses a sophisticated object-oriented programming language is a good choice. Examples include significant object-oriented languages like Java, C++, C#, Python, PHP, Ruby, Perl, Object Pascal, Objective-C, Dart, Swift, Scala, Common Lisp, and Smalltalk.
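As an added example (not from the article), the three alert rules of item 5 run over a handful of constructed orders in Python: several orders from one IP address, one customer paying with different cards, and a phone number whose area code belongs to a different state than the billing address. The customer is identified by email address and the area-code table is a small stand-in for a real lookup; both are assumptions.

```python
"""Order-stream alert rules from item 5 (added example; constructed orders, not real data)."""
from collections import defaultdict
from typing import Dict, List

# Constructed sample orders; IP addresses come from the documentation ranges.
ORDERS: List[Dict[str, str]] = [
    {"id": "1", "ip": "203.0.113.7", "email": "ana@example.com", "card_last4": "1111", "phone": "212-555-0101", "billing_state": "NY"},
    {"id": "2", "ip": "203.0.113.7", "email": "ben@example.com", "card_last4": "2222", "phone": "212-555-0102", "billing_state": "NY"},
    {"id": "3", "ip": "203.0.113.7", "email": "cal@example.com", "card_last4": "3333", "phone": "212-555-0103", "billing_state": "NY"},
    {"id": "4", "ip": "198.51.100.4", "email": "dee@example.com", "card_last4": "4444", "phone": "305-555-0104", "billing_state": "FL"},
    {"id": "5", "ip": "198.51.100.9", "email": "dee@example.com", "card_last4": "5555", "phone": "305-555-0104", "billing_state": "FL"},
    {"id": "6", "ip": "192.0.2.33", "email": "eve@example.com", "card_last4": "6666", "phone": "702-555-0106", "billing_state": "CA"},
]

# Assumption: a tiny area-code-to-state table standing in for a real lookup service.
AREA_CODE_STATE = {"212": "NY", "305": "FL", "415": "CA", "702": "NV"}


def flag_orders(orders: List[Dict[str, str]], same_ip_threshold: int = 3) -> List[Dict[str, str]]:
    """Apply the three rules and return one alert record per finding."""
    alerts: List[Dict[str, str]] = []
    orders_by_ip = defaultdict(list)
    cards_by_customer = defaultdict(set)
    for order in orders:
        orders_by_ip[order["ip"]].append(order["id"])
        cards_by_customer[order["email"]].add(order["card_last4"])

    # Rule 1: several orders arriving from the same IP address.
    for ip, ids in orders_by_ip.items():
        if len(ids) >= same_ip_threshold:
            alerts.append({"rule": "multiple_orders_same_ip", "key": ip, "detail": ",".join(ids)})

    # Rule 2: one customer (by email) paying with more than one card.
    for email, cards in cards_by_customer.items():
        if len(cards) > 1:
            alerts.append({"rule": "multiple_cards_same_customer", "key": email, "detail": ",".join(sorted(cards))})

    # Rule 3: phone area code from a different state than the billing address.
    for order in orders:
        area_code = order["phone"].split("-")[0]
        phone_state = AREA_CODE_STATE.get(area_code)
        if phone_state is not None and phone_state != order["billing_state"]:
            alerts.append({
                "rule": "phone_billing_mismatch",
                "key": order["id"],
                "detail": f"area code {area_code} is {phone_state}, billed to {order['billing_state']}",
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_orders(ORDERS):
        print(alert)
```

Each alert carries the rule name, the key it fired on and the supporting detail, which is what an operator needs to decide whether to hold the order for manual review; the threshold for the same-IP rule is a parameter because a shared office or a campus network can legitimately produce several orders from one address.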


Figure 1

Here’s a useful checklist for PCI Compliance updated in January 2017:

  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor-supplied defaults for system passwords and other security parameters.
  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.
  • Use and regularly update anti-virus software.
  • Develop and maintain secure systems and applications.
  • Restrict access to cardholder data by business need-to-know.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to cardholder data.
  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.
  • Maintain a security policy and ensure that all personnel are aware of it.

Source: Square.

Using Certificate Authorities

A Certificate Authority (CA) is an entity that issues digital certificates, and the most commonly encountered public-key infrastructure (PKI) schemes are those used to implement HTTPS on the Internet, according to Wikipedia. Using HTTPS, the two computers agree on a “code” and then encrypt their messages with that “code” so that the information remains safe from hackers. The digital certificate is exchanged over Secure Sockets Layer (SSL), or its successor Transport Layer Security (TLS), to set up that protected channel for sending information back and forth. In other words, SSL certificates contain the owner’s “public key.” The owner then shares the public key with organizations that need it to encrypt messages to the owner.5

If you need to select a provider, “look for CAs that follow rigorous security policies, issuance and revocation that meet and exceed the Certification Authority Browser Forum (CAB/F) standards,” advises Fran Rosch in a blog post on selecting CAs from itbusiness.ca.6 “Price may play a role in the purchasing process; however, more important considerations come into play, and the lower-cost SSL may not deliver the comprehensive solutions that industry-leading CAs provide.”

Rosch suggests evaluating the following when selecting a CA:

  • Diligence of the security used by the CA to protect cryptographic keys.
  • Specifically designed hardened facilities to defend against attack.
  • Hardware-based cryptographic signature systems.
  • Regular third-party audits.
  • Thorough network security and antimalware defense.
  • Enforcement of dual control certificate issuance used by the vendor.
  • Use of authentication/registration best practices to identify ownership.
  • Documented CA employee background investigations to protect against insider threat.
  • Strong history of the vendor’s trust and security.

The best-rated CA provider is Comodo, followed by DigiCert, Entrust and then GeoTrust, according to user reviews on WhichSSL.com, a site that offers comparisons in areas including prices, validation levels, encryption, speed of issuance, etc. If you are looking for a basic certificate for one domain, expect to pay from $50 to $150 per year. An EV certificate runs around $200 to $250, while more expensive options can cost up to $1500 annually.7


Lisa Cedrone is the editor of Transformation Magazine and a freelance editor, writer, and graphic designer working primarily in the spiritual and alternative healing communities. Prior to establishing her Sarasota, FL-based freelance business in 2008, Lisa spent 20 years as an editor/editor-in-chief for two of the Top 10 business-to-business publishers in the United States, serving the apparel manufacturing and residential construction/building markets. Her company, DragonFly Nation, offers a wide range of creative services, with an emphasis on cost-effective, turnkey editorial and design projects for both print and web. Contact her at lisa@suncoasttransformation.com or visit DragonFlyNation.com.

References

1. “Ethical Issues in eCommerce: Are you violating any of them?” by Ryan Lunka, April 21, 2015, nChannel.com, online article at https://www.nchannel.com/blog/ethical-issues-in-ecommerce/

2. “Alternative payment methods are attracting criminals,” by Kevin Lonergan, April 15, 2016, Information Age, online article at http://www.information-age.com/banking-trojans-merge-steal-over-4m-just-few-days-123461272/

3. “15 Ways to Protect Your Ecommerce Site From Hacking and Fraud,” by Jennifer L. Schiff, June 19, 2013, CIO, online article at http://www.cio.com/article/2384809/e-commerce/15-ways-to-protect-your-ecommerce-site-from-hacking-and-fraud.html

4. “What is PCI Compliance,” OnlineTech.com, online article at http://www.onlinetech.com/resources/references/what-is-pci-compliance

5. “HTTP and HTTPS: What do they do, and how are they different?” online tutorial at https://www.instantssl.com/https-tutorials/what-is-https.html

6. “How to choose the right Certificate Authority for your Web site,” by Fran Rosch, October 24, 2012, itbusiness.ca, blog post at http://www.itbusiness.ca/blog/how-to-choose-the-right-certificate-authority-for-your-web-site/20830

7. “SSL Comparisons,” WhichSSL.com, online comparison at https://www.whichssl.com/compare-ssl-certificates.html
