Practical Ecommerce

Simple Questions to Improve Ecommerce Security

New data breaches and hacking threats are in the news. Ecommerce sites are prime targets for attack, especially during the approaching holiday season. The bad guys love all the valuable customer data that passes through ecommerce sites and know that merchants are focused on sales, not their web servers. You can’t take the risk that poor site security makes you and your customers vulnerable.

If you use a hosted ecommerce platform and leave all the infrastructure responsibility to the provider, you rely heavily on its sales message that says it’s secure. Or if you host your site on a dedicated web server, then your webmaster needs to be on top of your security. Either way, you should take the time to dig deeper into the safeguards you have in place.


Here is a series of simple questions you can ask to help ensure your ecommerce site is safe – and to help you sleep better.

Control Administrative Access

Strong user name and password requirements are needed for every login we use today. Login credential strength is critical for administrative access to your site and for the servers that host it. If your admin login data is compromised, the bad guys gain unrestricted access to everything on your site. Make sure that user names, passwords, and any credential authentication are very strong and are changed at least every three months.

The strength of user names and passwords is directly related to the length of the “string” — it should be at least 8 to 12 characters — and the character types used. A strong password includes at least one of every character type: lowercase letter, uppercase letter, number, and symbol. Check your system for its specific minimum and maximum length and character support guidelines. You should also consider two-factor authentication, whereby the administrator is required to provide two means of identification: a personalized user name and password combination, and a token-based code that only the administrator physically possesses.

Also, know exactly who has administrative access to your server. Not many people, likely including you, actually need that level of access. You should avoid adding new admin users for convenience reasons. The more admin users you have, the more opportunities for a security lapse. Create accountability for infrastructure administration with only a limited few trained, trusted staff.

Control access to your site by asking your web host and administrators these questions.

  • What are your login credential requirements?
  • How often are passwords changed?
  • Who has administrative access and passwords for your server?

Limit Customer Data Storage

Your customer data is what criminals find most valuable. You can reduce the impact of a data breach by limiting the data stored on your servers. A strategy to keep little or no customer data becomes a strong security technique itself.

To start, get a clear understanding of what customer data is being captured, passed, and stored when someone visits or transacts on your store. Then determine whether you need to keep any sensitive personal data at all and, if so, why and for how long. You may be surprised how little data needs to be stored on your systems to operate your business effectively.

For example, all financial data can simply be passed securely to, and managed by, your payment gateway. PCI security standards dictate that you cannot store credit card numbers, expiration dates, and CVV codes. How would you use that financial data in the future anyway? There is likely no extra benefit to you, but an enormous amount of risk.

Work with your webmaster to limit the personal data being stored. Ask her these questions.

  • What types of data are being captured and stored on your servers?
  • How is that data being used to run your business?
  • Where is the data stored, and is it encrypted?
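As an added example (not from the article), here is a small Python scan a webmaster could run over an export of order records to answer the questions above: it flags Luhn-valid card-number-like digit runs, expiry dates, and CVV-like values in any text field, and reports only a masked form of any number it finds. The records are constructed sample data, not real customers.

```python
import re

# Constructed sample export of order records (not real customer data)
SAMPLE_RECORDS = [
    {"order_id": "1001", "email": "alice@example.com", "notes": "gift wrap"},
    {"order_id": "1002", "email": "bob@example.com",
     "notes": "card 4111 1111 1111 1111 exp 12/26 cvv 123"},
    {"order_id": "1003", "email": "carol@example.com", "notes": "ref 1234567890123"},
]

DIGIT_RUN = re.compile(r"(?:\d[ -]?){12,18}\d")  # 13-19 digits, optional separators
EXPIRY = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:\d{2}|\d{4})\b")  # MM/YY or MM/YYYY
CVV = re.compile(r"\b(?:cvv|cvc|ccv)\s*:?\s*\d{3,4}\b", re.IGNORECASE)

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: passes for real card numbers, fails for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return digit runs that look like card numbers (13-19 digits, Luhn-valid)."""
    found = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so the report is not another copy of the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_records(records) -> list:
    """Findings are (order_id, field, kind, masked value) for every text field."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            text = str(value)
            for pan in find_pans(text):
                findings.append((rec["order_id"], field, "pan", mask_pan(pan)))
            for kind, pattern in (("expiry", EXPIRY), ("cvv", CVV)):
                if pattern.search(text):
                    findings.append((rec["order_id"], field, kind, "present"))
    return findings
```

Run `scan_records(SAMPLE_RECORDS)` and every finding points at a record and field that should be handed to the payment gateway rather than kept on your own servers.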

Use a Trusted SSL Certificate

Implementing a strong SSL certificate from a trusted vendor can go a long way, for very little cost. You gain the technical backing and vigilance of a company dedicated to encryption technology. Plus, you can proudly display the provider’s seal on your site to demonstrate to your shoppers that it’s safe to buy from you.

Evaluate the vendor of the SSL certificate by its dedication and focus on security technology, level of experience (years in business), clearly defined accountability, guarantees and liability for damages, and customer service. Lower price does not necessarily mean less secure. But ask yourself, “Who is accountable and has something to lose if there is a failure?” Open source cannot claim true accountability for its technology.

To find out more about how SSL is implemented on your site, ask your webmaster or host these questions.

  • What brand of SSL certificate is used?
  • What pages and data are protected by encryption?

Detect and Protect

Server administration is commonly thought of as uptime maintenance and performance management. Your server administrator is also responsible for implementing security applications on your servers. These security applications can protect your web server against the installation of malicious code and viruses and can respond to hacking attacks.

Your front line of defense is a firewall. In particular, the application layer of your server must be protected by a firewall that inspects web traffic, not only network ports. The firewall actively detects and denies access to your server from known attacks.

You also should have additional layers of protection for applications that pass data into or through your site. Customer logins, email subscription forms, and “contact us” forms are prime targets for an attacker trying to get into your systems. You can add further protections that detect, block, or remove malicious code that someone attempts to install on your server.

Ask your server administrator these questions.

  • What firewalls are used on your server?
  • What defenses are prepared against denial-of-service attacks?
  • What additional intrusion detection and removal systems are in place?

Keep Current, and Back Up

Securing your website and the server that hosts it is not just a one-time checklist. You’ll need to be constantly reviewing, maintaining, and updating your security.

Security patches and application updates are released frequently. These updates address vulnerabilities and should be installed immediately. For example, open source shopping carts such as osCommerce and Zen Cart, and sites built on WordPress, receive regular updates.

Also, make sure your web host conducts a regular security audit of your servers. This is critically important if your site is hosted on a shared server with other sites that are out of your control. These audits can identify any security programs or applications that are out of date and can help enforce updating.

Of course, you should always have a regularly scheduled backup of your site, data, applications, and relevant server information. This backup can be on a different machine at your host, off-site in a different location, in the cloud, or a combination of the three. Once you’ve decided what is to be backed up, how frequently, and where, you should also understand how your host can help you get back to normal operation quickly in the event of a major security event or crisis with your server.

Be prepared by asking these questions.

  • How quickly are security patches and other updates installed when available?
  • How often is a security audit performed?
  • Where is your site code and data backed up?
  • What is the action plan if your site has been compromised?

Getting answers to these questions covers the fundamental security measures that you need to make your ecommerce site less vulnerable. Don’t just assume security is being taken care of for you. Work with your web host and webmaster to understand their comprehensive security plan and how it is being executed. Doing so can help you and your customers stay safe from most threats and attacks.

Editor’s Note: This article was updated Oct. 28, 2014, at 11:56 a.m. Mountain time.

Bob Angus

Comments (5)

  1. Richard Siddall October 28, 2014

    That’s an amazing misconception of what Heartbleed was. OpenSSL is not an SSL certificate, it’s a code library used to implement SSL & TLS. It leaked information, regardless of who you bought your SSL certificate from.

  2. Bob Angus October 28, 2014

    Correct. Thank you for the clarification Richard. The original Practical Ecommerce article about Heartbleed makes that distinction very well.

  3. Kerry Murdock October 28, 2014

    Thank you, Richard, for catching our mistake. We have deleted the paragraph that refers to the Heartbleed bug and misstates what OpenSSL is.

    Kerry M.
    PEC

  4. Carlos Rivera October 30, 2014

    Solid and sound advice throughout this article. All of these areas deserve special attention and at least one person in the company SHOULD be keeping an eye on them at most times. Thank you!

  5. Rajesh November 3, 2014

    Here are 3 steps that every ecommerce provider should undertake.
    1. SSL certification
    2. DDoS protection
    3. Vulnerability scans

    http://www.duceplus.com/
