E-commerce is built on trust. Consider the big daddy of e-commerce, Amazon – roughly 244 million active customers around the world trust the retail giant with their credit card details.
That’s a lot of data which would be very valuable to hackers, fraudsters and criminals, and if it ever fell into the wrong hands, all that trust and goodwill could go up in smoke.
The potential damage of a data breach to your e-commerce business cannot be overstated. As well as destroying the trust you have with your existing buyers, it can leave a sour taste for new customers before they’ve even walked in the door. (That’s not to mention the legal ramifications…)
People don’t want to buy from retailers who don’t appear to take internet security seriously. Fortunately, there are plenty of measures you can take to protect your business. Here are a few tips.
Don’t keep confidential customer details
Don’t store card/bank details (or any other sensitive data) for any longer than you need to. It might be a slight annoyance for customers to input their details each time they order, but it means that any hackers who do get into your site’s back end will leave with nothing – and there’s no incentive for them to try again in the future.
In any case, the Data Protection Act and PCI (Payment Card Industry) standards essentially prohibit the long-term storage of confidential customer data, so it’s best not to store it if you want to remain legally compliant.
Of course, all sensitive information which is in your possession should be encrypted – which brings us on to the next tip…
Use a secure connection for checkout transactions
When it comes to customer payments, make sure you have an SSL encrypted connection. This will prevent hackers from spying on the transaction, or pretending to be you (aka phishing) in order to steal your customers’ details.
Acquiring an SSL certificate is essential; it tells the customer and the browser they’re using that your site has been validated as the real deal by a reliable, authoritative third party.
You’ll need to pay a certificate authority (such as DigiCert or GoDaddy) to be issued with an SSL certificate – however, the Let’s Encrypt organisation (founded by Mozilla and the Electronic Frontier Foundation among others) plans on providing free certificates when it launches later this year.
Verify card payments
Defending against hacking attacks is important, but if you want to maintain your reputation as a trustworthy, dependable web retailer, you also have to prevent fraudulent transactions.
Ensure your checkout service has a reliable payment gateway which uses AVS (address verification system). AVS compares the billing address the customer enters at checkout with the address the card issuer has on file, so an order placed with a stolen card number but the wrong address can be flagged or declined.
Asking for the customer’s CVC (card verification code – the three-digit number on the back of the card) also helps to prevent fraudsters from using someone else’s card to buy from you. By law, this code cannot be stored by merchants, so only someone who has seen the card in person (i.e. the owner) can complete the purchase.
Avoid or update obsolete software
Make sure all the systems and software you use on your e-commerce site are consistently updated to their newest versions. It might seem like a hassle, but it’ll help to keep you protected from any vulnerabilities which have been discovered by the developer.
You should beware of outdated and legacy systems, as they often don’t compare to modern web standards. Java and Flash, for example, have become notorious for their security flaws; you’re better off using HTML5, which offers similar functionality as well as better security and (in the case of Flash) more compatibility with mobile devices.
In particular, avoid software which is no longer supported by its developer, as any holes which are discovered in the future will probably never be fixed and will remain in the software forever.
Analyse and test
If your e-commerce business has been running for a long time and hasn’t suffered any issues, you might be fooled into thinking you’re safe from attacks. The truth is, new viruses and vulnerabilities are being discovered all the time, and a site that was secure six months ago might be completely defenceless today.
Carry out regularly scheduled audits to assess the security of your site. Scan all your pages and links to ensure there are no viruses or malware hiding within.
You might want to consider hiring an ethical hacker who can perform penetration testing. Put simply, they’ll try to break into your website and report any hidden vulnerabilities they discover back to you so they can be patched up.
Protect your internal computers
Don’t assume that every hacker will try to get in through your public-facing website. Your office network is also a target, and every device connected to your network is a potential access point if it’s not suitably protected.
Make sure all the computers you use within your organisation have up-to-date firewall and anti-virus software, and that all important files and folders on them are locked behind a password.
It’s also a good idea to secure all your network equipment away from prying eyes, especially if your office gets a lot of visitors. If a criminal can just waltz in, plug their laptop into an ethernet port and steal all the data off your system, you’re in trouble.
Keep an eye out for suspicious behaviour
By the time you’ve discovered a hack or a fraudulent transaction, it’s often too late to do anything about it. However, there are usually some tell-tale signs which give the game away, and by spotting them early, you can minimise or even outright stop an attack in progress.
Real-time analytics allows you to track the activity of the customers on your site, helping to flag up any unusual activity. Look out for things such as sudden and unexpected surges or dips in traffic, or multiple orders and login attempts from the same location.
You can make monitoring easier by setting up system alerts for certain conditions – for example, if multiple orders are made using the same name but different payment details. There’s a variety of ways you can do this, but your analytics software should provide options to set up your own alert notifications.
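As an added illustration (not code from the original article), the alert rules described above run over a constructed sample activity log: the same name ordering with several different payment references, and repeated failed logins or repeated orders from one source address. The event format, thresholds and sample values are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample activity log (not real customer data). Each record is
# (event, customer_name, payment_ref, source_ip); "payment_ref" stands for
# whatever opaque token your gateway returns, never the card number itself.
SAMPLE_EVENTS = [
    ("order", "A. Customer", "tok_1", "203.0.113.5"),
    ("order", "A. Customer", "tok_2", "203.0.113.5"),
    ("order", "A. Customer", "tok_3", "203.0.113.5"),
    ("order", "B. Customer", "tok_4", "198.51.100.7"),
    ("login_failed", "B. Customer", "", "192.0.2.9"),
    ("login_failed", "C. Customer", "", "192.0.2.9"),
    ("login_failed", "D. Customer", "", "192.0.2.9"),
    ("login_failed", "E. Customer", "", "192.0.2.9"),
    ("login_ok", "B. Customer", "", "198.51.100.7"),
]

def names_with_many_payment_methods(events, threshold=3):
    """Names that placed orders with at least `threshold` distinct payment refs."""
    refs = defaultdict(set)
    for event, name, payment_ref, _ip in events:
        if event == "order":
            refs[name].add(payment_ref)
    return sorted(n for n, r in refs.items() if len(r) >= threshold)

def ips_with_many_failed_logins(events, threshold=3):
    """Source IPs with at least `threshold` failed logins, across any accounts."""
    counts = defaultdict(int)
    for event, _name, _ref, ip in events:
        if event == "login_failed":
            counts[ip] += 1
    return sorted(ip for ip, c in counts.items() if c >= threshold)

def ips_with_many_orders(events, threshold=3):
    """Source IPs that placed at least `threshold` orders."""
    counts = defaultdict(int)
    for event, _name, _ref, ip in events:
        if event == "order":
            counts[ip] += 1
    return sorted(ip for ip, c in counts.items() if c >= threshold)

def build_alerts(events):
    """Combine the three rules into human-readable alert lines."""
    alerts = [f"same name, multiple payment methods: {n}"
              for n in names_with_many_payment_methods(events)]
    alerts += [f"repeated failed logins from one IP: {ip}"
               for ip in ips_with_many_failed_logins(events)]
    alerts += [f"multiple orders from one IP: {ip}"
               for ip in ips_with_many_orders(events)]
    return alerts

if __name__ == "__main__":
    for line in build_alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

In practice the thresholds would be tuned against your normal traffic so that a family sharing one connection does not trip the same-IP rule.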
Educate your team
Sometimes the chink in your armour isn’t a stray line of code or an unsecured connection, but the carelessness of one of your employees.
Whether it’s an innocent mistake (such as sharing data with an external contractor or business partner without appropriate clearance) or something more malicious (like siphoning off customer records and selling them online), the actions of one person can end up seriously harming your company’s reputation.
Train your team on the importance of good cyber-security practice, and the precautions they can take to prevent breaches (such as using complex login passwords). You should also draw up internal policies and protocols for your employees to follow – and don’t be afraid to reprimand those who refuse to stick to them.
Back up regularly
Like updating your software and systems, backing up your site data regularly seems like a chore, but never underestimate the importance of doing so.
If you get vandalised by hackers or infected with a virus, having a clean copy to roll back to can save you from weeks or months of site rebuilds and business downtime.
Your service provider should be regularly backing up your site for you – if they’re not, ask them why not – but it pays to save some copies yourself too. Storing them with a cloud service is a good idea, as you don’t have to be in the office to access your backups, and you can even get plugins which will send regular backups straight to Dropbox.