Site security is an important part of running an online retail business. Before the holiday shopping season arrives and your online store experiences increased traffic, it is important to check your site and ensure that you’ve done what you can to avoid a data breach.
While there are certainly many things that can or should be done to product your site, what follows are four suggestions for improving or at least checking on your site’s security.
In each case, you may need to do a little work. For example, checking on your ecommerce platform is not necessarily simple or easy. Neither is ensuring that you don’t store payment information in your database. Rather, these four suggestions are intended to help you get started as you review your ecommerce security ahead of the holiday season.
1. Don’t Keep Payment Information Data
When shoppers visit your online store to purchase gifts for loved ones and friends, those shoppers expect your ecommerce business to keep their payment information safe.
If your store allowed customers’ payment information to fall into hackers’ hands, you might have to pay tens of thousands of dollars in fees, fines, and damages. Large companies would pay even more.
If your store allowed customers’ payment information to fall into hackers’ hands, you might have to pay tens of thousands of dollars in fees, fines, and damages.
The very first way to avoid this sort of breach is simply not to keep payment information. Do not store it on your servers or in your database. In fact, as much as possible do not allow your systems to come into contact with payment information.
Many providers, including Braintree, Authorize.Net, and PayPal, offer services that will allow you to off load payment information directly to them. These same services can even allow for subscription or repeat orders.
There is simply no good reason for small and mid-sized online merchants to keep and store payment card information.
In the most ideal case, your customers’ payment information goes directly from the browser to the processor, bypassing your server completely, so that if your site is breached, there will not be any payment information to be stolen.
2. Ensure Your Ecommerce Platform Is Secure
Software developers work hard to secure the applications they write. Nonetheless, ecommerce platform software may have vulnerabilities. Whenever one of these vulnerabilities is discovered, patches are released to plug up the hole.
SQL injection and cross-site scripting are two of the most common attacks against ecommerce platform software.
In an SQL injection, the malevolent attacker uses form fields on your site or server requests to inject malicious SQL database statements.
Looking for an SQL injection vulnerability may be as simple as typing an apostrophe (‘) into a form field and submitting the form. If the site is vulnerable, it may return an error that provides the attacker with useful information about your site. Eventually, the attacker may be able to compose an SQL injection that would return password information or worse.
SQL injection and cross-site scripting are two of the most common attacks against ecommerce platform software.
Cross-site scripting injects malicious code into your site. As an example, if your site has a cross-site-scripting vulnerability, an attacker could include JavaScript in a GET request. The attacker could then create a link to the resulting URL, and email that link to some number of folks as if it were a marketing message from your site. The link and its associated JavaScript could then capture user credentials and ultimately give attackers a way in.
To avoid these sorts of attacks, make certain that your ecommerce platform is up to date. Search for recent articles about vulnerabilities in your platform, and review any extensions that you may have integrated into your site. You also want to make certain that your ecommerce platform properly escapes (this will make sense to developers) all untrusted, user submitted input.
3. Scan Your Site for SQL Injection, Cross-site Scripting, and Other Vulnerabilities
There are many services that will scan your website for possible vulnerabilities and malware. For example, Qualys’ Vulnerability Management solution will look at your site and network, scanning for potential vulnerabilities, and even, in some cases, helping you solve the problem.
Similarly, Symantec’s Web Security solution helps you identify possible site vulnerabilities and emails you a warning.
There are even some free scanners available. Aim to have your site scanned daily.
4. Make Sure Your Server Is Secure
Although it is your ecommerce site that holiday shoppers interact with, your server is also engaged and potentially vulnerable. In fact, recall the Heartbleed Bug from last year, which made it possible to attack OpenSSL on some web servers.
For small and mid-sized retailers, verifying server security for the holidays may be as easy as employing a good hosting provider.
In general, avoid shared hosting environments; always opt for dedicated hosting. In a shared environment, it can be much easier for other users to exploit, as an example, a permissions error on some directory.
For this holiday season, find out what level of encryption your hosting provider uses, how often server activity is logged, and what you can do to monitor server activity.