Practical Ecommerce

Credit Card Theft: Steps to Protect You and Your Customers

Having even one credit card number stolen from your site can tarnish your reputation and impact sales for years. It is important to be aware of potential security flaws and how to mitigate them to protect yourself.

“A breach of cardholder data can be big money in fines and remediation efforts. If there isn’t a need to keep this data, it’s suggested that it’s not kept at all,” suggests John Carr, owner of Bluebird Consulting, a Detroit based security firm. “For many ecommerce sites, the best option is simply to work with a third-party processor that will not only process credit cards, but also be the payment site [to store the data] as well.”

Stylized Photo of a Credit Card

Improper Storage

Many ecommerce sites store customer data and credit card numbers well after they are needed. Even with a secure website, credit card numbers could be stolen by any person (employees, contractors, cleaning people and building support, for example) who has access to your servers. Hold data only long enough to process the transaction (or as long as any return/exchange period) and then automatically purge it from your database. While the customer information is in the database, make sure it’s properly encrypted and secured. Only those with a need to see the data should have access to it.

Insecure Transactions

Without secure sockets layer protocol (SSL), traffic between your site and your customer’s computer is sent in clear-text, which is easily readable by thieves. Information such as credit card numbers, card verification codes, expiration dates, addresses, and names can be intercepted by a thief. This information is especially easily to grab in places with free wireless access, such as coffee shops and airports. Using SSL for all transactions on your site will encrypt information so it appears to be gibberish to potential thieves.

SQL Injection Attacks

By trying to add or change the URLs that are used on various pages of your ecommerce site, a malicious user will try to pull credit card information (or other personal information) out of a website’s backend database. To protect against this type of attack, work closely with your software vendor to obtain security updates. For custom-built applications, free tools such as Wikto or SQLMap can aid with detecting if your database application is vulnerable. Generally, all SQL statements in code should be “escaped out” or written in such a way to ignore unexpected input. Hiding variables used to access the database and using mod-rewrite for your URLs are good practices as well.

Software Vulnerabilities

Just like any other type of software, ecommerce software is subject to programmer errors. These errors could allow a thief to get access to credit card numbers by entering bad information into forms, for example. Staying current with security updates from your software vendor is key. For custom software, free tools also exist to detect vulnerabilities. These tools include Wikto and Nessus, and they can help identify a host of application vulnerabilities.


A phishing email looks like a real email from your company instructing people to click on a link to update their personal information. The link actually goes to a fake version where a thief can collect credit card numbers and other information. Many of these emails look so real that even experienced Internet users will be fooled by them. This is a difficult problem to solve entirely, but make sure your customers know that you will never solicit their information via email. For additional security, Extended Validation SSL certificates allow customers to confirm that the site they are visiting is actually yours by showing an extra validation in the address bar of their browser.

Poor Server Security

Servers that are not updated and monitored regularly can be open to security breaches. Thieves run automated worldwide scans across the entire Internet looking for servers that can be breached. Make sure your hosting vendor has proper administrative policies and service level agreements to ensure the security of your server. If you’re hosting your own system, make sure whoever is in charge of the server is paying attention to security alerts and releases for the operating system and any applications.


Backups are imperative for restoring websites from crashes, but it is often forgotten that any data that is stored in your live website is also on your backups. Sometimes backups also reside on the same server as your live site. If a thief gains access to your server, they may steal credit card numbers from your backup instead of your live site (it is usually less obvious). Protect backups of customer data through encryption and storage on a separate secured system.

Protect Yourself

Being aware of potential security issues is your best defense. If you don’t have time for monitoring, consider having a security consultant check your site occasionally.

Sarah Worsham

Bio   •   RSS Feed


Sign up for our email newsletter

  1. Joe November 20, 2008 Reply

    This is a good checklist. I have a feeling a lot of businesses are not at all aware of how vulnerable they are to attack, either via phishing scams (which are impossible to safeguard against entirely) or hacking — very recently as large a retail company as Best Buy was hacked by a wayward group of fraudsters. And if I had to boil it down I’d say that educating your customers (so they know not to play into phishing schemes) and constantly updating your security software are the two more crucial things.

    Also — Extended validation SSL, which you mention, is an effective security weapon not only because of the visible indicators of safety, but because the certs are so much more difficult for companies to obtain (the review process is far more intense than that of an ordinary SSL). So the idea is that a company worthy of EV SSL (identifiable by the green-highlighted URL bar) is also likely worthy of your trust, and your credit card information. Sites without it might not be. But, again, this system really only works if it’s embraced by both companies and customers who understand it — I think it’s become widespread enough now, though, that it will be interesting to see how this year’s holiday shopping season turns out.

  2. Sarah Worsham November 21, 2008 Reply

    Joe, Thanks for your comments. I think one of the biggest issues with Extended validation SSL is that customers are not really aware of it at all. There are some real benefits if customers know a company has gone through that more intensive review process. So it will be interesting to see how companies leverage it for both for security and marketing purposes.

  3. smode November 25, 2008 Reply

    Credit card data protection is a big concern for ecommerce sites and organizations worldwide. And Sarah, you’re right—having just one credit card number stolen can make big ripples. But there’s been a breakthrough in this area recently – a cryptographic technology called Format Preserving Encryption. It provides data-level encryption without changing the format of the data, which has traditionally been a big challenge. This brings tremendous benefits—one of which is that it eliminates the need to make database and application changes, which lowers cost and implementation time. Learn more at

  4. Sarah Worsham November 25, 2008 Reply

    smode, FPE sounds like a very interesting technology, but the link doesn’t say much about how its implemented.

    Doing a bit of research, Network World had an article ( which has a little more info. It looks like it can be implemented as a tool kit on the software layer of an application (c, c++, java), so that would require a change from either shopping cart vendors or in the code of custom carts. The pricing for the tool kit as of March 2008 was $35,000, which puts it out of reach for most online business owners who may have a custom shopping cart. I’d be interested to hear if any shopping cart vendors are using this.

    For online stores which are using a vendor for their shopping cart, they are paying the vendor to worry about how the data is encrypted. Some of the difficulties with the database that FPE solves would be helpful to the vendor, but not necessarily to the online store owner.