With all of the talk in the industry about the threat of hacking, and Equifax currently experiencing one of the largest hacks to date, it’s worth taking a step back to realize how insecure your eCommerce business may really be.
Moving forward, the market is going to become more sophisticated and start putting more trust into businesses that they know will keep their information safe.
As an eCommerce store owner, you have access to a large amount of sensitive information that is typically stored on a computer, which puts your business at risk of being hacked. Even if you’re a smaller operation, you can’t ignore the threats posed to your business on a daily basis.
Sticking your head in the sand and assuming that you aren’t facing threats because you’re a smaller business is the wrong approach to take, and one that could land you in major trouble should a hacker ever figure out that you’re ignoring proven security measures.
If you want to make sure your business and customers are not only safe from the threat of hackers, but force hackers to give up before they try to break your security, here are 15 different ways you can ensure your eCommerce business is secure.
This is the biggest factor that’s going to affect your store’s security.
If you are, for instance, using WooCommerce, you need to make sure that it is always updated to the latest release, that you keep WordPress updated to the latest release, and that you ensure all plugins you’re using stay updated.
Most mainstream eCommerce platforms, like Shopify, are going to have security measures in place to keep your customers’ data safe.
However, if you are using a new eCommerce platform, or one that doesn’t place a strong emphasis on security, you will want to begin migrating to a more mature platform, one that understands security and how to maintain it at a high level.
Outdated software is one of the biggest causes of security breaches, and hackers can utilize “footprints” that the software leaves behind to find stores that may be outdated. They can then target those stores one at a time.
Your checkout area is one of the biggest targets on your store.
Some hackers will attempt to hijack the database where your customers’ information is being stored, while others are going to attempt to intercept that data as it’s being entered into your checkout form and then transmitted to a processing server.
This depends largely on the platform that is hosting your eCommerce store.
However, you can also implement security features such as SSL/TLS encryption and a secure checkout to make sure hackers cannot intercept the information being transferred.
An SSL certificate lets your site encrypt the information your customer has entered before it is transmitted, so that even if a hacker is able to intercept it, they will be unable to do anything with the information they’ve collected.
If Equifax is any evidence, hackers rely on companies and businesses storing sensitive information and then letting security protocols lapse so they can take advantage of the holes to access that information for themselves.
Equifax is in the business of collecting and storing people’s sensitive information, which made them a prime target for hackers. It’s easy to say that this isn’t the first time hackers have attempted to gain access to their servers and databases. Probably not the 100th time.
For the most part, to run your business efficiently, you really do not need to store any information beyond your customers’ name, email address, home address, phone number, login, and password.
If you do collect and store that information, you need to ensure it’s being stored on a secure, encrypted database. You also need to make sure your customers know not to use the same password for your store that they use for other sensitive accounts, like their email or bank accounts.
A CVV, or card verification value, helps you limit the number of fraudulent transactions by requiring the customer to have the credit card in their physical possession in order to read the CVV number from the back of the card.
While this strategy won’t help you completely eliminate credit card fraud in your store, you can dramatically reduce the possibilities.
Many hackers aren’t going to have the physical card in front of them, so they will be unable to enter the proper CVV to move forward with the transaction. If they don’t have the CVV number, they’re not going to be able to commit credit card fraud.
Again, this won’t stop all fraud, but it can reduce the chances you have chargebacks and fraudulent charges in your store. If the hacker is able to get the CVV from the credit card they’re using to make fraudulent purchases, they can still move forward.
Sometimes, hackers don’t even need to break your security through software bugs, keyloggers, or any other software-based means.
Sometimes, all it takes is them accessing a weak password and using it to take over any databases where you have sensitive information stored.
That’s why you need to require both your customers and your staff to use secure passwords. This is especially true if your staff members have access to the areas where you are storing sensitive information, if you’re storing it.
On top of making sure your customers know not to use the same password for their store login that they use for their email or banking accounts, you also want to make sure you are requiring them to use secure passwords.
A truly secure password combines a mixture of uppercase and lowercase letters, numbers, and symbols. These are nearly impossible to brute-force, and cannot be guessed.
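As an added example (not code from the article), the policy check below enforces the mix of character classes described above and also shows why that mix matters, by computing the search space a brute-force guesser would have to cover; the minimum length and the guess rate are assumptions added here.

```python
import string

# Character classes the article says a secure password should mix.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Minimum length is an assumption added here; the article only asks for a mix of classes.
MIN_LENGTH = 12


def missing_classes(password):
    """Names of the character classes the password does not use, in CLASSES order."""
    chars = set(password)
    return [name for name, members in CLASSES.items() if not chars & members]


def is_acceptable(password):
    """Store-side policy check: long enough and every class represented."""
    return len(password) >= MIN_LENGTH and not missing_classes(password)


def keyspace(password):
    """Candidates a brute-force guesser must cover if it knows the length and
    which classes are in use: alphabet size raised to the length."""
    alphabet = sum(len(members) for name, members in CLASSES.items()
                   if name not in missing_classes(password))
    return alphabet ** len(password)


def years_to_exhaust(password, guesses_per_second=1e10):
    """Worst-case time to try every candidate. The guess rate is an
    illustrative constructed figure, not a measured one."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ("password1234", "Tr4de-W1nd$-Qz8!"):
        print(candidate, is_acceptable(candidate), missing_classes(candidate),
              f"{years_to_exhaust(candidate):.3g} years")
```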
If your store is being targeted by hackers, you can use the information they’re giving you to help make sure your store is secure.
The best way to make sure you’re staying ahead of the hackers is to figure out what they’re doing now, and actively work to make sure those parts of your store have been secured.
However, keeping up with the hackers could require you to obtain a position in the “dark underbelly of the internet”, where most of the conversations about the latest hacks and exploits are taking place.
Or, you can start monitoring the suspicious activity on your store.
If a hacker has devoted energy to attacking one part of your store, you can safely assume that there is a hack or exploit in circulation that focuses on that part of eCommerce stores. For instance, if they’re attacking your login screen, you know that it’s time to ensure your login screen is secure.
To get this level of awareness, though, you have to actively monitor what’s happening to your store, and then understand what you need to do to increase your security in those areas.
Layered security refers to having different layers that hackers will need to get through before they’re actually able to access sensitive information, if you’re storing it.
To layer your security, you’re first going to want to make sure that you have a firewall in place, and that you’re using an SSL certificate to encrypt the transactions being made through your server.
Then, you’ll want to add other layers to the store based on the applications you’re using. For instance, securing your contact form, login forms, and search queries, and keeping that information separate from your customer information, can make SQL injection attacks pointless.
SQL injection attacks feed crafted input into the queries your store runs against its database so that hackers gain access to it, and if you’re storing customer information in the same database as the information collected from forms on the front end of your store, you could be creating a security risk.
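To make the difference concrete, here is an added example (not code from the article) that shows a customer lookup which pastes form input into the query text beside the parameterized version; the table, its row and the crafted input are constructed for the demonstration.

```python
import sqlite3

# In-memory customer table, constructed for this example.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE customers (email TEXT, password_hash TEXT)")
conn.execute("INSERT INTO customers VALUES ('alice@example.com', 'hash-of-alice')")
conn.commit()


def find_customer_vulnerable(email):
    """The 'before': form input is pasted into the SQL text, so a crafted
    value changes the query's logic instead of being compared as data."""
    sql = f"SELECT email FROM customers WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def find_customer_safe(email):
    """The 'after': the driver binds the value as a parameter, so whatever
    the visitor typed can only ever be compared as a string."""
    sql = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# Constructed test input: a tautology appended to a non-existent address.
CRAFTED = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    print("vulnerable:", find_customer_vulnerable(CRAFTED))  # returns every row
    print("safe:      ", find_customer_safe(CRAFTED))        # matches nothing
```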
Employees can be one of the weakest points in your security. It’s human nature to relax, and not think about parts of the business that aren’t actually in their job description.
Security, in this instance, is one of the first aspects to get ignored, with your employees assuming someone else has it taken care of.
To give you an example, your employees could be collecting sensitive information from your customers during chat sessions or in an email log, and not doing anything with the information once the chat session has ended.
You need to ensure that your employees are well trained (and that their training remains up to date) so they are not creating holes in your security policies and potentially putting your customers’ information at risk.
There should be written policies and documentation in place, and your employees should be aware of the laws and how they govern the handling of sensitive information.
eCommerce security shouldn’t only be focused on keeping hackers away from your customers’ information.
You also need to make sure hackers cannot use stolen credit cards to place orders on your store, and that customers are not able to file fraud claims for purchases that they have actually made.
Chargebacks and fraud claims happen far more often than they should. A large number of hackers are responsible for most of them, but some come from customers that have decided they no longer want to pay for products they have purchased.
While keeping possession of the products, they will file a chargeback with their bank or financial institution, or claim there was fraudulent activity on their account, leaving you holding the bag.
To combat this problem, make sure that you’re using tracking numbers for the order and the shipping details. You also want to make sure you’re tracking IP addresses, locations where the orders were placed, and other information you can use to verify the charges were legitimate.
Even if you’re using a mainstream eCommerce platform, you can’t always sit back and relax, assuming that they have your security taken care of.
To stay on top of this, you’re going to need real-time analytics, so you can determine where traffic is coming from and how that traffic is affecting your bandwidth.
If you notice that you have a large amount of traffic coming from a single place, you can safely assume it’s a hacker. Tools like Clicky and Woopra can send you alerts whenever they detect suspicious activity, based on how users are interacting with your store.
You’ll also need to make sure that whoever is hosting your eCommerce store is also monitoring the activity. If they notice that there is suspicious activity, or find that there have been trojans and malware installed, they should do what’s necessary to remove the threats without your intervention.
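As an added example (not from the article or the tools it names), the check below runs over a few constructed web-server access-log lines and flags a minute in which one client IP dominates the traffic, naming the path it hit most so you can see which part of the store is being probed; the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Web-server access-log lines (combined format), constructed for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 512
198.51.100.2 - - [10/Sep/2017:10:00:03 +0000] "GET /product/42 HTTP/1.1" 200 9812
203.0.113.7 - - [10/Sep/2017:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Sep/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Sep/2017:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 512
198.51.100.9 - - [10/Sep/2017:10:00:40 +0000] "GET /checkout HTTP/1.1" 200 4410
203.0.113.7 - - [10/Sep/2017:10:01:10 +0000] "GET /product/1 HTTP/1.1" 200 9812
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Return (ip, minute bucket, path) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status = m.groups()
    return ip, ts[:ts.rfind(":")], path   # drop the seconds to bucket by minute

def flag_single_source_bursts(log_text, max_per_minute=3, min_share=0.5, min_total=5):
    """Flag client IPs that dominate a one-minute window: more than max_per_minute
    requests, or at least min_share of the window's traffic once the window holds
    min_total requests (so a quiet minute with a single visitor is not an alert).
    Thresholds are illustrative assumptions. Each alert names the path that IP
    hit most often in that minute."""
    hits = defaultdict(Counter)          # (minute, ip) -> Counter of paths
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            ip, minute, path = rec
            hits[(minute, ip)][path] += 1
    totals = Counter()
    for (minute, _ip), paths in hits.items():
        totals[minute] += sum(paths.values())
    alerts = []
    for (minute, ip), paths in sorted(hits.items()):
        n, total = sum(paths.values()), totals[minute]
        if n > max_per_minute or (total >= min_total and n / total >= min_share):
            alerts.append((minute, ip, n, total, paths.most_common(1)[0][0]))
    return alerts

if __name__ == "__main__":
    for minute, ip, n, total, path in flag_single_source_bursts(SAMPLE_LOG):
        print(f"{minute} {ip}: {n}/{total} requests, mostly {path}")
```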
Performing PCI scans on your store and servers every 3-4 months can help you lessen the chances of your store being vulnerable to hackers. PCI scans will help you figure out which areas are currently vulnerable without you having to stay ahead of the hacking industry.
This is especially true if you are hosting the store yourself, using software such as Prestashop, Drupal, or Magento. These platforms require you to take care of security on your own, but will typically release updates to the software as they identify new threats.
The few hours that you spend updating and securing your software, and auditing what the PCI scan is showing you, can save you a great deal in the long term. Remember, the easiest targets are stores that aren’t staying up to date with software and security updates.
It’s already been said, but keeping your systems and applications updated is critical to maintaining your security. Patching your systems the very day a new patch is released is how you keep your store secure.
Take a step back and think about it for a second.
If you’re hosting your store and are using Magento, and the Magento development team releases a notice that they have patched a new security vulnerability, it’s safe to say that at least a few hackers knew about the vulnerability.
However, after Magento announces it to the world? Substantially more hackers know, and can fire up their bots and scripts to start tracking down Magento stores that are still running the flawed version of the software.
When developers release a notice that there is a new update, especially those addressing security faults, take the time to update your systems. You’re officially a target once they release the notice.
DDoS, or distributed denial of service, attacks aren’t necessarily a “hack” in the general sense of the word, but they are a method that hackers can use to completely disable your store and take it offline.
These types of attacks are happening far more often than they used to, and both their level of sophistication and the range of targets being attacked have increased, too.
The best way to combat these attacks is to host your store on the cloud, and use a service that can migrate your store to another server if they detect a DDoS attack happening.
It’s unfortunate, but fraud does happen. For a merchant, the best thing you can do is make sure that you’re not left holding the bag whenever fraudulent charges come through your store.
More and more credit card processing companies are offering new services to help you mitigate your fraud risk and ensure that you are keeping more of the money in your pocket.
They can help you eliminate fraud before it happens, and cover your end when you have to validate charges that were legitimately made by consumers.
It’s not enough to simply back up your store, database, emails, and customer files. You also need to make sure you have a recovery strategy in place in the event something does happen and you lose it all.
There could be gaps in your backup strategy that you’ll need to close. For instance, if you are storing the backups onsite, you could experience a power outage that takes down your backup servers, too.
To avoid this, make sure that your website is properly secured, and that you are backing up your files regularly. Then, you want to make sure that those files are hosted offsite and that you can easily restore your business if something catastrophic happens.
As Equifax has shown, no business is really so secure that they cannot be targeted by hackers.
As an eCommerce store owner, your business could be an even bigger target because most hackers assume that small to medium business owners don’t give security the attention that it really deserves.
That means you need to take heed, and pay attention to the 15 different areas that we’ve broken down for you here. Making sure your eCommerce store is secure may take some time up front, but the time you spend now could save you a ton of time and money down the road.
Don’t let your customers have to deal with identity theft, as so many Equifax customers are right now. Keeping yourself out of the same position is easy to do when you know which areas of your business need to be addressed.