Let's Talk !
Here's where we're going if you want to jump ahead:
Every business should put in extra effort to make their sites, information stores, and data as secure as possible. This is especially important for eCommerce brands dealing with a wealth of customer information and transaction data.
Creating the most secure shopping experience isn't a one-off sweep once your store goes live. Security should have a regular maintenance and inspection routine, with additional inspections around platform patches, plugin upgrades, and, ideally, any changes to the code—no matter how small.
The cost of missing even a seemingly minor issue can be significant.
Data breaches aren't limited to major brands. According to Trustwave, 90% of breaches target and impact small merchants.
Large brands that get hit can see costs as high as $4 million per breach. Small business owners aren't hit quite so hard; on average, their cost is $37,000 for a data breach.
Those fees begin to stack up as they come in from multiple angles:
PCI compliance fees
Liability for fraud charges
POS and payment processing improvements
Card replacement and account service costs from card issuers
Resources involved in notifying customers
Mandatory review of code and forensic evaluation to mitigate further risk
That last examination alone can cost anywhere from $20k to $50k.
Then there are the non-monetary costs from a breach, including lost trust, customers who terminate their relationship, and the impact on your brand's reputation.
Proactively addressing some key security issues is the only way to mitigate risk, protect customer data, and reduce the potential for losses.
According to a survey from Harris Interactive, "59% of brands admit to reusing passwords because it is too hard to remember them." In addition, 54% of Americans agree that their password habits are poor and need to change.
Never reuse the same passwords across your internal systems, especially where there are public-facing logins and, especially, not for administrative accounts.
It's best to generate a unique password for each of your systems, and then set up a schedule for updating passwords.
You can also use a password manager to generate passwords from an encrypted vault where your sites are only accessed locally and only with a master password. This ensures a unique password is generated for every site.
The old approach to encryption for eCommerce was to use SSL encryption for the checkout experience. Changes have already been made to promote higher security in websites; a recent update from Chrome aims to make browsing more secure for its users.
Customers will be served a security warning on any site/page that attempts to gather customer data, such as with a form, as long as those pages are not encrypted.
Platforms like Shopify are now using SSL site-wide, across every one of its customer sites and every page within.
SaaS platforms for eCommerce and other business verticals are widely adopting and recommending the use of two-factor authentication to improve security.
With two-factor authentication, even with a compromised password you'll be required to provide additional information and login confirmation via another channel, such as email, SMS, or even phone.
Set this up in your eCommerce platform like Shopify, on your social accounts, and on any other business app you may be using—especially if it's installed on a mobile device.
Depending on the platform you use, you may want to beef up security with additional plugins. While WooCommerce and other platforms like Magento provide easy-setup eCommerce, they don't always offer the best native security.
If you're running a CMS-based platform like WordPress/WooCommerce, look for top-recommended security plugins that fill the gaps where native security was thin.
Platforms like Shopify and BigCommerce tend to be more secure, but there are still security plugins you can use to reinforce that security.
While customer security is somewhat out of your control in regards to how they protect themselves, you can take extra steps to help them.
Two-factor authentication can be offered for customers to keep their accounts secure. You should also consider requiring stricter password parameters, such as requiring a number, a capital letter, and a symbol within their password.
Last, brands often integrate with trusted social platforms to allow customers faster and more convenient access. If you integrate social logins in this manner, you're leveraging the security of some major incumbent brands.
It can be incredibly frustrating to suffer a data breach where additional damage is also done to your digital infrastructure.
In some cases, hackers may even maliciously destroy or wipe data. By maintaining redundant backups on a daily basis, you dramatically reduce the damage associated with a hacker and any subsequent data loss. Once the breach has been addressed, you can restore from your most recent backup and focus on getting back to business while further improving security.
In order to be PCI-compliant, most modern eCommerce platforms don't—and cannot—store passwords. Payments are processed through an external trusted payment processor. Some brands, however, offer options for offline credit processing, where card and consumer data get stored.
Note the example plugin above that allows credit card information to be stored and sent via email. This is an unsafe practice you should absolutely avoid.
Storing customer and credit card data exposes you and your customer's information, with subsequent great risk. Simply put, never store customer credit card data in any form.
You should pursue Payment Card Industry Data Security Standard accreditation (PCI DSS). In order to get this accreditation, your site must complete an audit and be found to follow a number of standards, including:
Maintaining a secure network with IT professionals
Protecting cardholder data at every touchpoint, ensuring it's not stored
Maintaining a vulnerability management program
Designating superior measures for access control
Performing routine network inspections and tests
Having and maintaining an information security policy
The more fraud detection tools you have available, the less likely you are to have chargebacks or have customers taken advantage of if their personal information is stolen and attempts to purchase are made with your store.
Enable an address verification system (AVS), and require the card verification value (CVV) for credit card transactions to reduce fraudulent charges. You can further tighten security, here, by requiring a partial or complete address and zip code match during checkout.
If your payment processor allows for it, you should configure alerts using a number of variables to trigger the alert. These could include:
Orders placed from foreign IP addresses
Mismatched billing and customer data on the card
Multiple orders placed on the same card
Multiple orders from the same person using different cards
Conflicting shipping and billing information
Mismatch on customer name vs. cardholder name
Here's an example of fraud indicators from Shopify:
With alerts, you can get notifications when these events occur and even set up payment processing rules to halt the charge and suspend the order until it's manually approved.
Proactive security inspections help you catch issues before they cost you customers and revenue. Regardless of how reputable your eCommerce platform host is, you should perform regular quarterly PCI scans. These scans identify risks and vulnerabilities that could leave your store open to hacks and the injection of malware and viruses. Last, as part of your routine scans, check for updates and patches for your platform—pay special attention to security enhancements.
A few extra hours adjusting your code with a developer today could save you tens of thousands of dollars down the road.
Maintaining a secure site doesn't entail a significant amount of work unless you identify a major risk or potential threat. For the most part, the proactive steps mentioned in this article require little more than routine maintenance and monitoring to ensure your business, as well as your customers, stay protected.
Ronald Dod is the CMO and Co-founder at Visiture.com, an eCommerce-focused marketing agency.
Chetu does not affect the opinion of this article. Any mention of a specific software, company or individual does not constitute an endorsement from either party unless otherwise specified. This blog should not be construed as legal advice.
Founded in 2000, Chetu is a global software development service provider, offering solutions and support services. Chetu's specialized technology and industry experts serve startups, SMBs, and Fortune 500 companies with an unparalleled software delivery model suited to the needs of the client. Chetu's one-stop-shop model spans the entire software technology spectrum. Headquartered in Plantation, Florida, Chetu has fourteen locations throughout the U.S. and abroad.