How to Secure E-Commerce

Posted by & filed under List Posts.

Digital attacks vary widely in approach and scope, and the value of the stolen data spans a similarly broad spectrum. Despite that case-by-case diversity, one thing is common to all businesses: they are at risk. Incredibly, a report last year revealed that half of small businesses in the United States (14 million of them) had been hacked in the previous 12 months. Large enterprises are not off the hook either. Figures from the Identity Theft Resource Center (ITRC), highlighted by Internet law firm Revision Legal, reveal that 780 data breaches of large organizations occurred in 2015, with a total of 177.9 million individuals' records compromised.


This trend has continued through 2017 and into 2018. Recent high-profile hacks demonstrate that security should still be a top priority for organizations that are transferring, processing, or storing key information. Here are just a few of the compromises of large entities and mass hacking events of 2017:


  • The Big Asian Leak
  • DC Police Department
  • FunPlus
  • Hitachi Payment Services
  • Dun & Bradstreet
  • R2Games
  • WannaCry Ransomware
  • 8Track
  • Reliance Jio
  • HBO
  • Misconfigured Spambot
  • Equifax


Given the general threat to your data posed by all this cybercriminal activity, it is necessary to be proactive in setting up e-commerce defenses. Here are a few simple steps you can take to improve your security.


Choose secure hosting.


WPblog's top security recommendation is a matter close to our own heart: the choice of a strong hosting partner. You want a server with strong security protections and a regular backup process, so that you can recover easily from disasters such as hacks. You also want very high uptime and support that is accessible 24/7.


WPblog suggests a managed cloud platform, since the people managing the platform can handle many aspects of security for you. Another key element is to select a host whose infrastructure has been audited for compliance with the attestation standards for service organizations from the American Institute of Certified Public Accountants (AICPA): Statement on Standards for Attestation Engagements No. 16 / 18 (SSAE 16 / 18).


Automate your OS updates.


Cybercriminals exploit mistakes that many people make, and one of the biggest mistakes SMBs make is failing to update their operating systems. For example, the WannaCry ransomware spread rampantly in May 2017 by infecting Windows systems that had not yet applied an available update.


The solution is very simple: update the OS on each device automatically, and use a high-quality hosting service that will never miss something as essential as operating system patching. As Fit Small Business points out, “Even the best antivirus and firewall protection can’t protect an outdated operating system.”


Pick a secure e-commerce platform.


Your e-commerce platform should be highly secure as well. Security is a huge point of focus for serious e-commerce software companies such as Magento. Again, a key issue is whether or not your system is updated to the latest version; in that sense, one of the key benefits of a strong managed e-commerce hosting plan is that everything is updated on your behalf and monitored around the clock.


Use HTTPS protocol.


It may sound basic, but you must use a secure sockets layer (SSL) certificate on your site. (Certificates today are issued for TLS, the successor to SSL, but the SSL name persists.) A certificate lets a browser verify your server's identity and is what makes the Hypertext Transfer Protocol Secure (HTTPS) protocol possible; you can get one directly from a vendor or from your hosting company. Once you purchase and install a certificate, change your site's settings so that every page is served over HTTPS and the https prefix and lock symbol appear in browsers.


This protocol encrypts the connection so that no one can read or tamper with information while it is in transit from the customer to you or vice versa. SSL certificates have an additional benefit beyond data protection: they also give you a better ranking within the search engines.


Finally, you may want to consider an extended validation (EV) SSL certificate, which requires a longer process to obtain but colors your address bar green. For an example of EV, see PayPal; for an explanation of why it is important, see the Certificate Authority / Browser Forum (CA/B Forum), the nonprofit association of leading industry authorities that determines the parameters for these technologies; and for your own site, see the GeoTrust True BusinessID with EV SSL certificate.
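The "change your settings so that https appears" step, as an added example that is not from the original post: a small WSGI middleware that answers any plain-HTTP request with a 301 redirect to the same URL on https://, and adds a Strict-Transport-Security (HSTS) header to every HTTPS response so returning browsers skip the insecure hop entirely. HSTS goes one step beyond the text above, and the canonical host name, the placeholder storefront app and the request driver are all assumptions made for this example.

```python
"""Added example: force HTTPS in front of any WSGI application.

Requests that arrive over http:// are redirected (301) to the same path and
query on https://, using a configured canonical host rather than the
client-supplied Host header, so a forged Host header cannot steer the
redirect elsewhere. Responses served over https:// get an HSTS header.
"""

from urllib.parse import quote

# One year, covering subdomains; assumption: tune max-age for your own site.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def shop_app(environ, start_response):
    """Placeholder storefront (constructed stand-in for a real application)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"Welcome to the shop\n"]


def force_https(app, canonical_host):
    """Wrap `app` so that only HTTPS traffic reaches it."""

    def middleware(environ, start_response):
        # wsgi.url_scheme is set by the server; behind a reverse proxy you would
        # derive it from X-Forwarded-Proto, but only from a proxy you control.
        if environ.get("wsgi.url_scheme") != "https":
            path = quote(environ.get("PATH_INFO") or "/")
            query = environ.get("QUERY_STRING", "")
            location = f"https://{canonical_host}{path}"
            if query:
                location += f"?{query}"
            start_response(
                "301 Moved Permanently",
                [("Location", location), ("Content-Length", "0")],
            )
            return [b""]

        def start_response_with_hsts(status, headers, exc_info=None):
            # Drop any HSTS header the app set so exactly one copy goes out.
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, start_response_with_hsts)

    return middleware


def run_request(app, scheme, host, path="/", query=""):
    """Drive `app` with a constructed WSGI environ; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {
        "wsgi.url_scheme": scheme,
        "REQUEST_METHOD": "GET",
        "HTTP_HOST": host,
        "SERVER_NAME": host,
        "PATH_INFO": path,
        "QUERY_STRING": query,
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    secured = force_https(shop_app, "shop.example")
    print(run_request(secured, "http", "shop.example", "/checkout", "item=42"))
    print(run_request(secured, "https", "shop.example", "/"))
```

In production the redirect is usually done by the web server or load balancer in front of the application; the middleware shows the same two decisions (redirect on http, HSTS on https) in a form you can read and test in isolation.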


Avoid storage of sensitive information.


Do not let personally identifiable information (PII) or other key data stay within your infrastructure or that of your hosting service (via your server).


This lesson, reinforced by the Equifax breach, is pivotal for defending against cybercrime because the best target for a hacker (their path of least resistance to a treasure trove of valuable data) is a firm that holds sensitive information and then does not properly update all its systems, leaving a security loophole through which the hacker can potentially view and/or steal that data.


Think, after all, about how Equifax looked to those interested in getting their hands on consumers’ most important contact information and other details. It would be naïve to think that cybercriminals have not tried to intrude onto the credit bureau’s online turf in the past, notes Brand Builders, joking (but surely not overestimating) that it was “[p]robably not the 100th time” that Equifax had been targeted.


The only data a company usually needs, and can responsibly keep on hand, are verification and contact details: username, password, full name, phone number, email address, and mailing address. Where that information is stored, encryption and other security measures should be introduced. It is also key to general security that your users know their passwords should be unique; otherwise, once a hacker gets into another service that shares the same password, they can potentially get into the user's account with you as well.
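The storage rule in the paragraph above, as an added example that is not from the original post: an account record that accepts only the listed verification and contact fields and refuses anything else, with the password kept as a salted PBKDF2-HMAC-SHA256 hash (the usual choice for passwords, where a one-way hash is preferred over reversible encryption) and checked with a constant-time comparison. The field names, the work factor and the sample account are assumptions made for this example; only the Python standard library is used.

```python
"""Added example: keep only the minimum account data, and never the password itself."""

import hashlib
import hmac
import os

# The contact/verification fields the text lists; the password is hashed, not stored.
ALLOWED_FIELDS = {"username", "full_name", "phone", "email", "mailing_address"}
PBKDF2_ITERATIONS = 600_000  # assumption: a present-day work factor; raise it over time
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing string: algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        # Malformed record: treat as a failed login rather than crashing.
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def new_account(password: str, **fields) -> dict:
    """Build a storable record; reject any field outside ALLOWED_FIELDS (e.g. card data)."""
    extra = set(fields) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"refusing to store fields outside the allowed set: {sorted(extra)}")
    if "username" not in fields:
        raise ValueError("username is required")
    record = dict(fields)
    record["password_hash"] = hash_password(password)
    return record


if __name__ == "__main__":
    # Constructed sample account.
    account = new_account(
        "correct horse battery staple",
        username="alice",
        full_name="Alice Example",
        email="alice@example.test",
    )
    print(account)
    print(verify_password("correct horse battery staple", account["password_hash"]))
    print(verify_password("not her password", account["password_hash"]))
```

Because the iteration count travels with each stored hash, you can raise the work factor later and re-hash accounts on their next successful login without a migration.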


Prioritize risk assessment.


By analyzing the various risks to your organization and performing vulnerability scans at regular intervals, you can be better prepared for the full range of strategies and angles that might be used to compromise your site. Both your site and your network should be assessed.


Pay attention to PCI.


The Payment Card Industry Security Standards Council develops the PCI Data Security Standard (PCI DSS) and related standards. It is a body whose sole purpose is to safeguard cardholder data; the members of the PCI Council are representatives of the major credit card brands (Visa, MasterCard, Discover, JCB, and American Express). The Council is a nonprofit organization; the card brands' shared interest in keeping cardholder data from being stolen, and in keeping money flowing to merchants rather than to hackers, gives their standards and perspective a credibility that few sources have.


While PCI DSS (often shortened informally to just PCI) is an annoyance for companies that do not want to be guided by external rules, it should be a central standard. It places stronger controls on systems, via processes and technologies, to better ward off cybercriminal attempts to access the data. Your chance of experiencing an account data compromise (ADC) is significantly reduced when you meet all the specifications of the PCI Council.


Applying the above steps.


No one wants to experience a data breach. Unfortunately, many organizations do. As is evident above, when you look for a web hosting service, it is key to be certain that security is prioritized.


At Total Server Solutions, we operate servers in a fully SSAE-16 and PCI-DSS compliant data center. See our e-commerce plans.