Ecommerce sites can open up a raft of avenues for fraud andhackers.(Image via iStock)
A single day doesn’t go by without hearing aboutsomeone, or some group, penetrating a website and stealing creditcard or other sensitive data from ecommerce sites.
According to a 2012 Sophos Security Threat Report, an average30,000 websites are hacked every day. As we approach the end of2015, this number has likely become even greater.
So, how do you protect your ecommerce site frombeing hacked and sensitive customer data from beingstolen?
1. Choose a secure ecommerceplatform
Development teams and companies might usuallydecide to build an ecommerce solution from the groundup.
Most of the time, this is a bad decision to takeas it entails a lot of costs and security risks. Alternatively,when building an ecommerce website, it is faster, easier and lessrisky in terms of security to use an existing ecommerce platform onwhich to base your own.
Adopting and customizing ecommerce solutions tothe needs of your own website will save your team time, money,human resources and will provide a good base of security practicesalready built-in by the ecommerce solution vendors.
2. Use a secure connection for checkout(SSL)
The internet works on the HTTP protocol fortransferring information from the user’s browser to the hostingservers. HTTP by its nature is not secure in transferring secureinformation, that’s because by default it does not implement anytype of encryption on the data being transferred.
This puts your ecommerce website users at themercy of hackers on the same network, sniffing for information thatis being sent. These could include passwords, credit card numbers,and addresses, all through what is commonly termed a'man in themiddle attack'.
A solution to this problem is to implement yourecommerce website on a more secure protocol which isHTTPS.
HTTPS implements an SSL (Secure Socket Layer)certificate that enables all communication between the user’s webbrowser and the ecommerce website server to be completelyencrypted. The encryption in communication ensures that the user’sinformation is not exposed to anyone monitoring the networktraffic.
3. Don't store sensitive userdata
Websites usually store a lot of informationabout users in their databases.
One good security practice is to not store anysensitive financial information about your users in the databaseafter they complete their purchases.
Users who wish to use the site again can simplyre-enter their financial information when they need topurchase and the site will use it for only that onetransaction, and not keep the information.
This practice will reduce the risk of stealingcredit card and bank information of users.
4. Request strong passwords from yourusers
Most of the time the website does not have a lotof control on what passwords a user chooses.
Hackers are trained to guess this type of simplepasswords through techniques known as socialengineering.
In order to tackle this problem, you canimplement additional validation rules on your sign up forms askingyour users to choose more sophisticated passwords that are harderto break. This can be done by getting them to use a combination ofupper and lower case letters, numbers, and specialcharacters.
5. Setup system alerts for suspiciousactivities
Tracking user activity is very important on anywebsite for analyzing user behavior, and securitypurposes.
Setting up tracking on specific sections anduser behaviors is especially important.
For example, your ecommerce platform should betracking anyone who goes to login or signup to your platform,looking at how frequent their trials are and where the origin oftheir IP address is.
Tracking such information will allow you todetect attackers trying to do brute force attacks on your website’sforms, such as an XSS or SQL Injection.
6. Use tracking numbers for allorders
When selling physical goods you shoulduse tracking numbers for all orders that need to beshipped to customers on your site.
It is very important to use a tracking code ornumber on all packages.
Thispractice is beneficial for combating fraud and identifytheft.
Knowingto whom, where and how the packages are being sent is an importantstep in securing and increasing user trust in your ecommercewebsite.
Thetracking of packages will allow you to better identify yourcustomers by confirming their billing and shippingaddresses.
Italso helps in preventing ‘charge-back fraud’ where a user might saythey didn’t receive an order, and then demand a refund, whenactually they did get their itemdelivered.
7. Always backup your system anddatabase
Last but definitely not least, it is an absolutenecessity for your team to invest in a backup strategy.
Backups allow you to keep copies of your datafor referring to it in case any problems occur on the main serverof your ecommerce application.
Online backups are needed for data redundancy(the replication of data as a backup), that is you can switch tothose backups automatically in case your primary server that isserving your ecommerce solution fails or is compromised.
In addition to that, having an offline backupsolution that allows you to keep a copy of all your data on yourlocal office servers is very important.
Local backups allow you to cater for disastersituations in case they happen with your hosting provider or datacenters.
Getting your ecommerce solution back up andrunning can be as simple as uploading your data to another hostingprovider in such a case, thus minimizing downtime for your usersand business.
Doyou have additional tips and practices that your own ecommercestartup follows? We’d love to hear yourthoughts.