Selling Safely Online: Ecommerce Security Essentials

Keeping cyber thieves at bay is hard work. They’re focused, persistent, and worst of all, they’re pretty damn clever.

Sony, PayPal and eBay have all been targeted by cyber criminals recently, and they’re spending millions on defending themselves. Small independent retailers are exposed to many of the same threats as these huge international businesses every day, but certainly don’t have the expertise and resources that the big boys have at their disposal. How then, are smaller stores supposed to put up a fight?

The first thing to remember is the most important: Resistance is NOT futile.

TheGenieLab is here to help you build up your barricades, dig in and weather the cyber onslaught. Pay attention to these tips – and you’ll be able to put in an effort you can be proud of.

(“Home Alone House” by Anarchosyn under CC BY-SA 2.0)

Become PCI DSS Compliant

The Payment Card Industry Data Security Standard (PCI DSS) is an information security benchmark for organizations that handle credit card and debit card information. It was created to increase controls around credit card data to reduce fraud, and to protect both businesses and their customers.

If your ecommerce store accepts payments from Visa, MasterCard, American Express or Discover, your software and hosting must be PCI compliant.

There are six categories of PCI standards that must be met in order for a merchant to be deemed compliant:

• Maintain a secure network

• Protect cardholder data

• Maintain a vulnerability management program

• Regularly monitor and test networks

• Implement strong access control measures

• Maintain an information security policy

Adhering to PCI DSS is not something that you can just do – it’s an ongoing process that can be extremely complex. For more information on how to get started with becoming PCI DSS compliant, download the PCI Security Standards Council’s guide.

Use SSL to Safeguard the Transmission of Cardholder Data

SSL, or Secure Sockets Layer, is an encryption technology that creates an encrypted connection between your server and your customer’s browser.This means that only your server can read the information their browser sends through.

SSL certificates are easy to get, but require your business to go through a vetting process to ensure that you are who you say you are.

Once you’ve got your certificate, your customers will be able to see that you’re protected, and Google will also reward you with improved rankings on search result pages.

Don’t Store Sensitive Data

PCI standards strictly forbid the storage of cardholder data unless it’s necessary to meet the needs of the business, so limit data storage and retention time.

The data that you do store should be encrypted, and CVV2 numbers should not be stored under any circumstances.

Get rid of any old records from your database at least quarterly. Remember, if you have nothing to steal, you won’t be robbed.

Use an Address and Card Verification System

Using an address verification system (AVS) and requesting the card verification value (CVV2) will help you reduce the risk of accepting fraudulent charges.

An AVS works by verifying a cardholder’s billing address with the card issuer, something that if the card is lost or stolen, an illegitimate user shouldn’t know.

Similarly, requesting the CVV2 code is a way of ensuring that the purchaser has the physical card in their hand.

One of the fastest and easiest risk management steps you can take, this one is pretty much a no-brainer. Merchants that use CVV2 are also protected from fraud related chargebacks.

Use a DDoS Protection and Mitigation Service

Distributed Denial of Service attacks are increasing in frequency (just a few days ago the hacker group known as Lizard Squad targeted Xbox Live), so ecommerce sites should think about looking to cloud-based DDoS protection.

Whilst small ecommerce stores are unlikely to be targeted by this type of threat, it doesn’t hurt to future-proof yourself and protect your business from lost revenue and damage to your reputation.

Cloud-based DDoS will monitor customer traffic in order to identify potential threats, then redirect malicious traffic should your site be targeted.

TheGenieLab

If all of this sounds a little overwhelming, then an alternative to taking on cyber thieves solo is putting your ecommerce site on a reliable platform such as Shopify.

Shopify is level-1 PCI compliant, and all online stores hosted on Shopify include an SSL certificate to keep your customer and business data secure. Your business information, including products, customers, orders and inventory, will be backed up in their secure data centers every day.

Using an all-in-one ecommerce solution allows you to turn the security side of your business over to the professionals. You can leave them to worry about hackers and compliance while you get on with your core business functions.

TheGenieLab provide specialist web development services with a focus on ecommerce. We work on a wide range of platforms such as Shopify and Magento in order to deliver high quality, excellent value products that will help your business succeed.

We’d love to share our wide range of expertise with you, so get in touch today, we can’t wait to get started!