Hacking in e-commerce: How to protect your e-commerce site against hacking and fraud

Online fraud is a problem.

Not only to online businesses that lose revenue to scheming hackers and fraudsters every single day (an estimated 6.7 billion US dollars in 2016), but also to consumers globally who risk losing their payment card details, social security numbers, and other sensitive data. Today, security must be a top priority for e-commerce sites.

As a webshop owner, you might be familiar with the PCI DSS (Payment Card Industry Data Security Standard) and the importance of your business staying compliant.

Even though the PCI DSS does a great job of protecting card data, there is still a lot more you can do to protect your e-commerce site from hackers and fraudsters.

We’ve assembled a list of things you can (and should) do to protect your online business and keep your customers safe.

1. Maintain your PCI compliance

This goes without saying. PCI DSS exists for a reason: To protect businesses and consumers against fraud. Always make sure you are PCI compliant – if you have any doubts regarding PCI DSS, please don’t hesitate to contact us here.

2. Don’t collect or store sensitive data

Just to be clear: payment card numbers, expiry dates, etc. are confidential information, and you are not allowed to collect or store this information. That’s what you pay your payment provider to do.

Storing or collecting payment card details is against the PCI standard. You don’t want to break its rules or infringe on the standard, as they might charge you heavy fees for doing so. I’m talking business-ruining fees. Don’t go there.

Moreover, if you have nothing to steal, you’re less attractive to hackers. Storing sensitive data on your customers might just be a temptation that fraudsters can’t resist. So do yourself and your customers a favor and don’t run that risk.

3. Make sure your e-commerce platform is updated

Volusion, NitroSell, Shopgate – whatever platform you choose, make sure to keep it updated. Patch your system within a day of a new version being released. Outdated software is one of the main points of attack for hackers and the like. Make sure you don’t make it easy for them.

4. Demand strong passwords

If it’s possible for your users to create an account on your site (and it should be, as there are a number of advantages to this if you do it right), you should set up requirements for their passwords.

Remember, passwords should:

  • contain at least 8 characters

  • consist of letters and numbers

  • consist of upper and lower case letters

  • contain symbols.

One trick to ensure all of this is to use passphrases rather than passwords. It’s harder to crack a phrase such as ‘The cat sat on the fl00r, smiling!’ than a single word.

Also, we have to touch upon the common advice to change your passphrases often. Science is not with you on this one: evidence suggests that changing passwords frequently does not improve security.

Instead of changing passwords often, demand strong passphrases to start with.

5. Set up an alert system for suspicious behavior

This can be achieved in a million different ways. How you do it is up to you.

Most ePSPs (electronic payment service providers) will have anti-fraud monitoring services, and even though the service comes at a price, ask yourself this: is security really where you should economize?

Alternatively, you can manually scan all your orders looking for suspicious behavior. If you’re just starting up your business, this might be your choice.

If so, look for these indicators:

  • Does the delivery address match the IP address?

  • Does the delivery address match the billing address?

  • Does the phone number match the delivery address?

  • Is the payment card issued in the same country as the delivery address?

  • Are there multiple orders from the same IP?

  • Are there multiple orders from the same IP with different delivery addresses?

  • Is the order amount unusually high?

  • Is the product combination unusual?

  • Was the order placed in the middle of the night – and is this unusual to your website?

A good rule of thumb is this: If there is ANYTHING unusual about the order – anything at all – your spider sense should be tingling.
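As an added illustration of the checklist above (not code from the original post or from Bambora), here is a small Python scorer that runs the indicators over a batch of orders and returns the ones that deserve a phone call. The Order fields, thresholds and sample orders are constructed assumptions, and the GeoIP and card-issuing-country lookups are assumed to have been done upstream by your ePSP.

```python
from dataclasses import dataclass

@dataclass
class Order:
    order_id: str
    ip: str
    ip_country: str       # from a GeoIP lookup done upstream (assumed)
    delivery_address: str
    delivery_country: str
    billing_address: str
    phone_country: str    # country of the phone number's dialling code
    card_country: str     # issuing country reported by your ePSP (assumed)
    amount: float
    placed_hour: int      # local hour of day, 0-23

# Constructed thresholds; tune them to your own order history.
HIGH_AMOUNT = 1000.0
NIGHT_HOURS = range(1, 5)  # 01:00-04:59 local time

def order_flags(o, orders_by_ip):
    """Return the checklist indicators that a single order trips."""
    flags = []
    for attr, label in (("ip_country", "IP"), ("phone_country", "phone"), ("card_country", "card")):
        if getattr(o, attr) != o.delivery_country:
            flags.append(f"{label} country differs from delivery country")
    if o.billing_address != o.delivery_address:
        flags.append("billing address differs from delivery address")
    if o.amount >= HIGH_AMOUNT:
        flags.append("unusually high amount")
    if o.placed_hour in NIGHT_HOURS:
        flags.append("placed in the middle of the night")
    same_ip = orders_by_ip[o.ip]
    if len(same_ip) > 1:
        flags.append("multiple orders from the same IP")
        if len({x.delivery_address for x in same_ip}) > 1:
            flags.append("same IP, different delivery addresses")
    return flags

def review_orders(orders):
    """Return {order_id: flags} for every order that needs a manual call."""
    by_ip = {ip: [x for x in orders if x.ip == ip] for ip in {x.ip for x in orders}}
    return {o.order_id: f for o in orders if (f := order_flags(o, by_ip))}

# Constructed sample orders: A1 looks normal, B2 and B3 come from the same IP.
SAMPLE_ORDERS = [
    Order("A1", "203.0.113.5", "DK", "Nyvej 1, Aarhus", "DK", "Nyvej 1, Aarhus", "DK", "DK", 89.0, 14),
    Order("B2", "198.51.100.7", "US", "Elm St 9, Boston", "US", "Oak Rd 2, Austin", "US", "DK", 2400.0, 3),
    Order("B3", "198.51.100.7", "US", "Pine Ave 4, Boston", "US", "Pine Ave 4, Boston", "US", "US", 150.0, 10),
]
```

Any order with at least one flag lands in the result, in keeping with the rule of thumb above; the number of flags tells you which call to make first.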

If you find a suspicious-looking order, call the customer and confirm the identity of the customer and that the purchase was made with his/her own payment card. Don’t let the customer call you (caller ID can be spoofed, showing you a different number than the one they’re calling from). If you’re still not sure about the order, ask the customer to make a bank transfer.

After seeing the above list, you might feel that doing this manually is something you wouldn’t mind spending your time on. Or you might want to automate these checks so you can spend your time on something more fun or important for your business.

Again, it’s up to you. Maybe you prefer the manual check, maybe you’d rather save time by letting a tool do this for you. Your choice.

A reminder, though: even if you use an automatic service, please don’t forget your common sense when capturing the payment. If something sounds too good to be true, it usually is.

6. Use encryption

When you transmit confidential data between your website and the browser, the communication should be encrypted. Not only to protect your business and your customers but to show the customers that your site is safe.

Use SSL (Secure Sockets Layer) or, even better, its successor TLS (Transport Layer Security) to ensure the best protection of your customers’ data. With an Extended Validation SSL certificate, the customer’s browser will display a green bar and an SSL security seal next to the address line to show that your website is secure.

Go do it. Now. You can get SSL/TLS certificates from loads of places, and they don’t cost much.

After all, why would you NOT want to show potential customers that they can safely order here?

If you want to get a look at your website from a security perspective, you can try this tool from Qualys: https://www.ssllabs.com/ssltest/

7. Layer your security

A firewall is essential to prevent attackers from reaching your network, but don’t stop there. Add extra layers of security on contact forms, login pages, and search queries to prevent SQL injection and cross-site scripting (fancy words for malicious hacking methods).

Need ideas?

How about:

  • limiting the number of login attempts

  • enabling two-factor authentication

  • hiding/renaming the login page

  • asking a security question

  • using a CAPTCHA.

Your developer will be able to help you implement the above suggestions – and probably has more gems up their sleeve.
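One way to implement the first item above, limiting the number of login attempts (an added example, not code from the post or from Bambora): an in-memory throttle that counts failed logins per account and per source IP and locks either key for a while. The limits, the injectable clock and the check_password callback are assumptions; a real shop would keep the counters in a shared store such as its database or cache.

```python
import time
from collections import defaultdict, deque

# Constructed policy values; tune them to your own traffic.
MAX_FAILURES = 5           # failed attempts allowed per account and per IP...
WINDOW_SECONDS = 15 * 60   # ...within this sliding window
LOCKOUT_SECONDS = 15 * 60  # how long a key stays locked after hitting the limit

class LoginThrottle:
    """Tracks failed logins per account and per source IP and locks either key."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock, so tests can run offline
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> unix time when the lock expires

    @staticmethod
    def _keys(username, ip):
        return (f"user:{username.lower()}", f"ip:{ip}")

    def is_blocked(self, username, ip):
        t = self.now()
        return any(self.locked_until.get(k, 0) > t for k in self._keys(username, ip))

    def record_failure(self, username, ip):
        t = self.now()
        for key in self._keys(username, ip):
            q = self.failures[key]
            while q and t - q[0] > WINDOW_SECONDS:  # forget failures outside the window
                q.popleft()
            q.append(t)
            if len(q) >= MAX_FAILURES:
                self.locked_until[key] = t + LOCKOUT_SECONDS
                q.clear()

    def record_success(self, username, ip):
        self.failures.pop(f"user:{username.lower()}", None)

def attempt_login(throttle, username, ip, password, check_password):
    """Gate a login behind the throttle. Returns 'locked', 'ok' or 'denied'."""
    if throttle.is_blocked(username, ip):
        return "locked"  # do not even check the password while locked
    if check_password(username, password):
        throttle.record_success(username, ip)
        return "ok"
    throttle.record_failure(username, ip)
    return "denied"
```

Because a per-account lock can shut a real customer out while someone else is guessing their password, show the same generic message for "denied" and "locked", notify the account owner, and combine the lock with the CAPTCHA or two-factor step from the list above rather than relying on it alone.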

8. Train your employees

It’s human to make mistakes. That’s why you have to do everything in your power to minimize the risk of human errors.

Provide security training for your employees. They should know never to reveal customer information in emails, chats, or texts as these means of communication are not secure.

It might be beneficial to make written security policies and protocols to make sure your employees are updated on general online security and, especially, the laws and regulations around customer data.

9. Monitor and scan your website

You should monitor your website at all times. There are loads of tools that can look out for malware, security vulnerabilities, etc. and notify you so you can take immediate action if they find anything.

Also, at regular intervals, scan your entire website to identify any unwelcome malware. And if you want to really test your site, consider hiring a consultancy to perform penetration tests of your network.

10. Back up your data regularly

We all know this is important. But do you actually do it? If you’re one of the many business owners either neglecting this or relying on your web host for data backup, I’d suggest you take a good long look in the mirror. What do you do if your server crashes, your hard drive fails, or a virus finds a way into your network – and you lose all your data?

If you’re counting on your web host for data backup, at least make sure that they actually do take backups regularly. Better safe than sorry, right?

11. Stay informed

This one should go without saying, but for the sake of good order let’s spell it out.

Your business is your responsibility.

You are responsible for staying up to date on security issues related to your e-commerce business. No-one else does it for you.

So, how do you stay up to date on these topics?

Well, here are a few points for a start:

  • Subscribe to (and READ) news from your CMS provider, web host, e-commerce platform, etc.

  • Check for security alerts from card brands.

  • Join various e-commerce-related networks.

Alright. I hope that the above gave you some ideas about what you can do to protect your e-commerce website from hackers and fraud. We all know security is important, but quite often it is forgotten or neglected in the day-to-day business. Don’t be like that. Take care of it.

Got any brilliant suggestions or tips that I missed?

Feel free to drop us a line on Facebook or Twitter.

By Heine Aaen Hansen

Marketing and content at Bambora. When not writing, I'm reading. Book aficionado, word nerd, and helpless dad.
