Cyber security breaches don’t happen only to the big retailers. If you run an online business of any size, you are at risk. According to the 2015 Trustwave Global Security Report, 64 percent of industry breaches last year were eCommerce attacks. That’s especially true if you use an open source platform such as Magento, which hackers used last year to compromise thousands of the company’s client websites. So how do you protect your site and your customers’ sensitive data?
Choose a Secure eCommerce Platform
Allow only trusted providers that take security seriously to host your site. Use a hosted shopping cart that has completed PCI DSS (payment card industry data security standards) compliance audits, which is a must if you take credit cards. Such hosts include BigCommerce, Shopify, and 3dcart. Compliance protects a merchant against digital data security breaches. However, it’s not a one-and-done sort of thing. You – or a third-party provider – must perform checks regularly to assure that your site is not vulnerable to hacking attempts. Shopping cart hosting sites have full-time staff to patch security vulnerabilities, so you don’t have to.
Be sure your eCommerce platform can support secure transactions over Secure Sockets Layer (SSL). That means the platform will encrypt your data, so hackers cannot see the transmissions between your website’s server and the merchant or bank server. The SSL certificate also authenticates your website, telling your browser, “This website is who it claims to be,” and not a hacker posing as you.
Best of all, secure your entire site with an SSL certificate, not just the payment gateway. That way, all user data – including email addresses – will be secure.
Many browsers inform users whether a site is under SSL protection. Thus, many consumers actively look for the SSL certificate before making a purchase. Incidentally, the term “SSL” refers to an older version of the encryption protocol. The more modern protocol is TLS, or Transport Layer Security.
Many platforms also offer additional security features, such as fraud and DDoS (distributed denial of service) protection. DDoS attacks are organized attempts to disrupt a website’s normal operation, so legitimate parties can’t get in.
Don’t Keep Your Customers’ Payment Information
You don’t want your customers’ payment information to fall into hackers’ hands. So don’t keep it around. Don’t store it on your servers or in your database.
Ideally, your systems should not even come into contact with payment information.
Your customers’ payment information should go directly from the browser to the processor, bypassing your server completely. That way, if your site is breached, no payment information can be stolen.
Don’t store passwords, either. Instead, use an authentication protocol such as OAuth. OAuth lets users grant third-party access to their resources without sharing their passwords.
Create Two-Step Authentication
For an extra level of security, consider two-step authentication. It requires two pieces of information for every new login attempt: your account password and a single-use authentication code received as a text message on your mobile device or generated by an authenticator app. That way, a hacker who obtains your password still cannot log in without access to your mobile device.
For example, if you have a WordPress eCommerce site, this plugin lets you implement Google Authenticator, so that logging into your site will require both your password and verification via your personal mobile device.
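As an added example (not code from the original article or from the plugin it mentions), here is how the single-use code shown by an authenticator app is generated and checked on the server side, in Python. The secret is the RFC 4226/6238 test key, a constructed value and not a real account’s; the verifier accepts one 30-second step of clock drift and refuses a code once it has been consumed.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code, the authenticator-app default
DIGITS = 6   # code length displayed by the app

# Constructed example secret: the RFC 4226/6238 test key ("12345678901234567890")
# in the unpadded base32 form that authenticator apps import from a QR code.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def decode_secret(b32: str) -> bytes:
    """Turn the shared base32 secret back into raw key bytes."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP whose counter is the number of time steps since the epoch."""
    return hotp(secret, at // step)

class TotpVerifier:
    """Server-side check: tolerate +/-window steps of drift, reject replayed codes."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest time step already used for a successful login

    def verify(self, submitted: str, at=None) -> bool:
        if at is None:
            at = int(time.time())
        counter = at // STEP
        for drift in range(-self.window, self.window + 1):
            c = counter + drift
            if c <= self.last_counter:
                continue  # single use: this step's code has already been consumed
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.last_counter = c
                return True
        return False
```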
Update Your Software
Protect yourself against software vulnerabilities by keeping your operating system, web browser and computer software updated. Whenever a new patch becomes available, implement it immediately. That includes not just updates to your web server, but also your other software and plugins, such as Java, WordPress and Adobe.
If you want help scanning your website for possible vulnerabilities and malware, plenty of services will do that for you. Examples include Qualys’ Vulnerability Management solution and Symantec’s Web Security solution.
Include Browser Communications on Your SSL
As explained above, encryption is a requirement if you are transmitting confidential information. But to keep hackers out, it’s important to maintain the latest versions of SSL or TLS. According to the website How’s My SSL?, TLS 1.2 is the most modern version of the encryption protocol. How’s My SSL? tells you how secure your TLS client is.
Customers need to be confident in your ability to protect their online data. So take your responsibility seriously. Monitor your system on an ongoing basis for malicious activity or suspicious behavior. And make sure your host regularly monitors its servers for malware, viruses and other harmful software.
The alternative might be a catastrophic data breach that not only ruins your brand reputation but forces your business to close its doors.