Practical Ecommerce

Protect Customers' Data Or Lose Your Business

Back-end store security: It’s the most important, yet most often overlooked, aspect of running an online business. Without securing customer data, you have no claim to running a legitimate business.

I often hear excuses of ignorance, which makes me wonder how many online store owners take the time to read the latest ecommerce news and even the merchant account information that comes in the mail. But it doesn’t matter. You’ll learn now, and you’ll commit, right now, to taking the steps to make it right.

I have my own gripes and rants about the lack of attention to security, and they’re vast. So I’ve picked a few key points and will preface them with this fact: Nearly 80 percent of the online stores, upon my first entry, compromise customer information and sensitive sales information. Most heed the warnings, but I have had to outright refuse to work on stores that ignored recommendations and continued to violate either legal or moral obligations when it comes to security. Forget about what a customer might “feel like” if his/her card number was made public due to a hack; think about the legal ramifications. I assure you, there are so many you likely could not afford them.

Never store credit card numbers

You should never have to store credit card numbers. I don’t care about Amazon and the other guys who allow customers to store this info; they have much more invested and lawyers on retainer to handle these types of things. Every online store should be using a payment processing gateway. Some of you, to save money, like to take the numbers and run them in the same terminal you use to swipe cards in the brick-and-mortar. The difference is, a swiped card should never leave the customer’s sight. Card numbers entered online are a totally different story.

Last month, for the third time, I had to update an American Express number for a client on monthly billing. Three times in four months his card number (one time only a week old) was being circulated after he used it to order goods online. Since I doubt he’s ordering from “questionable” businesses, I can comfortably attribute his horrible experience to lax security.

Since payment gateways tie transactions to an actual transaction ID, there’s no need for merchants to know the card number at all when capturing, voiding or submitting credits.
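
One way to check an existing store against this rule, as an added example that is not part of the original article: scan order records for Luhn-valid card numbers, so that only the gateway transaction ID and last four digits remain on file. The field names (`gateway_txn_id`, `card_last4`, `notes`) and the sample records are assumptions constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return masked forms of every Luhn-valid card-number candidate in the text."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            # Report only the last four digits; the audit output must not leak the number.
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


def audit_orders(orders: list) -> dict:
    """Map order id -> [(field, masked number)] for each field that holds a card number."""
    findings = {}
    for order in orders:
        bad = [(field, masked) for field, value in order.items()
               for masked in find_pans(str(value))]
        if bad:
            findings[order["order_id"]] = bad
    return findings


# Constructed sample records; 4111 1111 1111 1111 is a widely published test number.
SAMPLE_ORDERS = [
    {"order_id": 1001, "gateway_txn_id": "TXN-EXAMPLE-0001", "card_last4": "1111", "notes": "ship in 6 weeks"},
    {"order_id": 1002, "gateway_txn_id": "", "notes": "run on terminal at ship: 4111 1111 1111 1111 exp 09/10"},
    {"order_id": 1003, "gateway_txn_id": "TXN-EXAMPLE-0003", "notes": "tracking 1234567890123456"},
]

if __name__ == "__main__":
    for order_id, hits in audit_orders(SAMPLE_ORDERS).items():
        print(order_id, hits)
```

Order 1003 shows why the Luhn check matters: a 16-digit tracking number matches the pattern but fails the checksum, so it is not reported.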

Customer data should be held in the same secure manner. Unfortunately, so many smaller businesses grant employees and contractors full access to backend systems that even when an issue does occur, they’re left with nothing but wonder as to who did what. That’s why separate, unique logins and passwords, as well as restrictive access, are so necessary. There’s good money in providing lists, however acquired, of customer names, email addresses and mailing addresses, especially if they’re accompanied by a list of product purchase histories.

Keep software updated

Firewalls, SSL encryption, frequent system scans for spyware and viruses, and so on: use them, keep them updated and instill good practice. One insecure link makes the entire process insecure, leaving you and your company vulnerable. If the legal fees aren’t enough to shut you down, the news stories that follow most certainly will.

Aside from ignorance, the most compelling argument to worry about certain security issues is money. Payment gateways cost money and so do software and SSL certificates. Consider all these an investment, however: an investment in the money you’ll be able to bank because you won’t be slapped with hefty fines. I can think of much better ways to make the seven o’clock news.

Pamela Hazelton


Comments ( 4 )

  1. Legacy User April 15, 2008

    I would love to use a payment gateway. Unfortunately, I don't charge until I ship which could be 6 to 8+ weeks out (custom products). So currently I collect numbers and run the transaction on the terminal when the item ships (just like you mentioned in the article).

    Last I checked into payment gateways, 30 days was the max they would hold a transaction to be completed. That absolutely doesn't work for me. Maybe I am missing something in how this process works. If anyone knows of a gateway that would work for the above scenario, can they point me towards it? It seems like a simple service but I couldn't find any payment gateways that offered this service. I would love to have nothing to do with this credit card info.

    I hope someday some type of smart card swipe is included on computers so we (and the consumer) don't have to mess with all of this stuff. It annoys me that we have to deal with the poor security of the credit card payment system. Why am I responsible for protecting their poor system's sensitive information while they rake in profits and write off fraud as a cost of doing business? Obviously the cost benefit ratio hasn't reached the threshold for them to fix the system so they push the responsibility (and cost!) down to the small business owner. Good for them, but bad for us. I suppose this is what happens when something is a monopoly.

    No, I don't want to charge at order time instead of ship because this is for large amounts. $500-$1000. You would be annoyed too if you made a purchase for that much and got charged 6-8 weeks before you received the item. Can you say cart abandonment… Paypal and Google will not work for our type of customers (BtoB). I'm not going to make them jump through that hoop. Perhaps Bill Me Later, but I still need basic secure credit card options.


    — *aw*

  2. Legacy User April 15, 2008

    You might want to look into changing your process to something like a Bill Me Later plan just as you mentioned. Or even change your process to a "pre-order" scenario and have it automated to send the customer a link to fill out the information for payment 3 weeks later (to meet the requirements you mentioned above). That would give them the benefit of filling out the payment information only once and you the benefit of delaying receiving the payment to later. You could adjust the three week period to meet what you feel are most of your customers' needs (4 weeks, 5 weeks, at a certain point in production, whatever you are comfortable with). You might need a programmer for it but you could likely find one to make the changes from a service like where you can state a budget and vendors bid on the project.
    Although I don't take credit card information at all in my business, I've heard that Quick Books merchant services has functionality to help protect card information that you process yourself. It might be worth a call to them as well.

    Hope that helps

    — *Nicole Vikhlyantsev*

  3. Legacy User April 17, 2008

    We have discussed the pre-order scenario before. The problem with this plan is that we give them 3 more weeks to back out of the purchase. As these are custom products, this can cause many problems. Even if we charge the usual 20% restocking fee, I don't yet have the credit card info to charge that fee!

    I know that giving your credit card number to someone isn't a contract to buy. But a lot of people feel that way. I think people are more likely to see the purchase all the way through having given the credit card info. I don't have any proof of this, but on the surface it seems that this method would increase lost orders. 3-4 weeks is a lot of time to shop around more….

    — *aw*

  4. Legacy User June 11, 2008

    Hello, Pamela,

    Thank you for your excellent article. I use and their Fraud Detection Suite for online credit card processing and RBS Lynk transfers the proceeds to my business bank account.

    For me, after the transaction has been approved via, and I review it, all I need is the customer's shipping address, email address and which products they bought. Therefore, I do not use customer sign ups or log ins because I do not want to collect any more data than is absolutely necessary.

    I renewed my Godaddy SSL secure site certificate which is now good until 2013. It states: "This Web site is secured with a Web Server Certificate. Transactions on the site are protected with up to 256-bit Secure Sockets Layer encryption."

    I use Trend Micro PC-Cillin Internet Security 14 which I have set to update and scan daily. I also do daily manual virus and spyware scans. I keep my OS updated regularly – One computer has Windows Vista and the others have Windows XP SP2.

    Also, my network router is set to use WPA-PSK (TKIP) + WPA2-PSK security encryption to protect my wired and wireless connections. Of course, I changed the default SSID.

    Pamela, do I have it all covered or is there more I should do?


    — *Stephanie Walsh*