In 2015, 64% of the retail industry breaches were due to compromises in the security in ecommerce. Of the different types of data targeted by attackers, 49% were ecommerce data specifically personally identifiable information (PII) and cardholder data (CHD). This was followed by POS transaction data at 31%, financial credentials at 12% and proprietary data at 8%.
While it is exciting and promising to put your business online, remember that where money is made, threats to security will follow. It may be impossible to put an end to certain vulnerabilities, but it does not mean there’s nothing you can do to secure your business and the protection of your customers.
Stop and prevent threats related to ecommerce in its tracks with this definitive guide on security for online businesses. We will discuss the common threats in ecommerce, how SSL certificates work and tips and advice to help you keep on delivering secure shopping experiences to your customers.
How ecommerce businesses are different
Conducting business online is very different from doing it with a physical store. How payments are received is a key difference where in place of physical POS terminals, ecommerce stores accept payments through credit cards, e-cash or mobile wallets via payment gateways.
The type of interaction is also different. There are no face to face interactions in an ecommerce arrangement and everything the store might need from a customer such as personal and credit card information must be provided electronically through submitted forms.
What’s common in these things is it can only be made possible if there is a conceptualization of trust between the store and the customer. To make paying for products successful online, there should be security between databases, computers and networks and the people, machines, and processes facilitating it.
When personal and credit card information are sent by customers, concerns such as confidentiality, privacy, integrity, and non-repudiation should be addressed.
In the absence of regulatory protection on ecommerce transactions, stores and customers are advised to take caution and protect their transactions online as much as they can. The use of one-time passwords for credit card payments, for instance, assures customers that only through their authentication can their payments be processed. For stores, the recommendation of installing a firewall helps secure business information and files from any form of breaches.
Threats related to ecommerce
Unfortunately, any application or electronic system that supports the business of ecommerce is susceptible to threats and vulnerabilities, making the need to beef up on security even more alarming.
Fraud is any act that results in financial loss. It is a growing threat where attackers transfer funds to their accounts, destroy financial records and cause businesses thousands of dollars in losses. What’s bothersome about fraud is as soon as retailers tighten up their security, attackers seem to know how to outsmart them.
Fraudulent practices always follow where the money is. According to a 2016 study, fraud is now a growing ecommerce problem, specifically ones that accept payments through mobile devices.
Aside from unauthorized money transfers and transactions, ecommerce fraud is also characterized by a false request for a refund (refund theft) or a false request for a return (friendly fraud).
Refund theft is returning purchased items, usually damaged or acquired illegally, to the store in exchange of money or equivalent-priced items.
Friendly fraud is where a customer purchases a product without the intention of really keeping it. Also called “wardrobing”, customers return products after they have used it with their money returned in full.
Theft is any act that takes another person’s possessions without that person’s consent. In ecommerce, possessions can be in the form of confidential, infrastructure, technological or marketing information. An attacker may sell or disclose stolen information to a third party, resulting in major losses and damage to the store and its customers.
There is also identity theft where attackers steal a customer’s key personal information and use it to wrongly buy products and obtain credit. Identity theft can be a result of an illegal intrusion into a customer’s data, which results in a loss of confidence. Illegal intrusion can happen due to network failures, plain dishonesty or simply human errors.
Disruption of service is any unauthorized activity that result in businesses losses or inconvenience to customers. Instances of a disruption of service includes an ecommerce site being hacked, rendering it unable to sell items or process payments.
Deliberate denial-of-service (DOS) attacks are used to disrupt ecommerce services or impose a security breach to the system. While DOS attacks do not result in information theft or fraud, inactivity on the site can be very costly. Any unplanned down time in the ecommerce site’s service is considered a loss.
Phishing is where an email is sent to a customer falsely claiming to be from an established and legitimate business with the intention of luring people into surrendering their private information. These information will eventually be used for stealing identities. Aside from emails, phishing also uses websites mimicking legitimate sites.
According to Kaspersky Lab’s study on Financial Cyberthreats, 28.8% of phishing attacks in 2014 were intended to steal financial data from banks, payment systems and ecommerce sites. In that same year, 7.32% of all phishing cases were targeted on ecommerce sites.
Unknown downloading of hidden active content is also a threat attacking ecommerce systems. Authorized administrators and users may unknowingly be downloading trojan horses. Once installed on their vulnerable systems, it starts gathering business data. Customers’ account usernames and passwords may be harvested and sold to attackers.
It’s also possible that threats to your ecommerce security are outside the activities of attackers. There might be people such as competitors or former employees who may want to access your store, steal your data and cause a disruption. Although only hypothetical, it’s better to be proactive about your security and protection than be sorry in the end.
Consider what types of threats your ecommerce store is exposed to as well as where it might come from. Identifying potential sources of threats will guide you safeguard your store the best way possible.
What are SSL certificates
Whether you are new to ecommerce sites or you’ve finally decided to take your brick and mortar store online, chances are you’ve heard about SSL certificates in relation to security in ecommerce.
Secure Sockets Layer or SSL certificates are small data files that bind a cryptographic key to transactions and communications between destinations on a network. SSL certificates not only govern financial transactions, but virtually any type of data from simple search queries to credit card information.
In fact, we use SSL certificates every day whenever we browse the web or do some activity online. The encryption prevents any entity with a malicious intent from getting in the way of our sessions and transactions. Without SSL certificates, anyone can eavesdrop on anything, on anyone and illegally obtain sensitive information between a user and the server.
Below is a summary of what happens in an SSL handshake. While it seems to involve many steps, all these take only a few seconds to finish.
How it applies to ecommerce
If you want to secure all transactions on your store, you have to obtain an SSL certificate for your domain. This certificate will apply the encryption to all detected activities on the domain to prevent different form of threats.
To know if a particular website uses SSL certificates, check if it has a green lock in the address bar and the URL starts with ‘https:’.
Aside from encryption, ecommerce SSL certificates also contain critical security details such as company name, location, length of time the certificate is good for and the details of the authority issuing the certificate.
Try opening a website on your browser and right click on the green lock icon. It will immediately tell if your connection to the site is private. Click on ‘Connection’ to see information.
You can also right click on ‘Details’ to learn more about the SSL certificate used by that site. You will see something similar to the illustration below.
Do you need an SSL certificate?
Given all these discussions about SSL certificates, it all points to the obvious that ecommerce sites, by all means, need it to secure all business and customer information. Additionally, since Google announced in 2014 that it will now factor in the usage of SSL as a lightweight ranking signal for websites, there is more to gain by having SSL certificates as part of your site architecture than not at all.
However, there are a few exceptions.
If your online store does not capture or store any critical data, you can do without an SSL certificate. An example of this scenario is if you are using a hosted payment gateway such as PayPal. In this case, PayPal is responsible for securely capturing and storing your customers’ confidential payment details. If you opt for an integrated payment gateway, then you will need an ecommerce SSL certificate.
Another reason is if you do not require your customers to create an account complete with a password to shop from your store. But there’s a gray area to it.
While billing and shipping addresses may be considered less sensitive information to be securely kept in an account, the fact is that many customers tend to use the same password in every online account they have. This can be an opportunity for hackers to proceed compromising accounts, getting passwords and using it to open a customer’s email address or bank account.
How to get one
Before buying an SSL certificate, you need to prepare the following:
- a unique IP address
- a Certificate Signing Request (CSR)
- Correct contact information on your domain registration
- Valid business documents
You can purchase your certificate from any third party providers. How soon you can get it will depend on how early you can prepare and submit your documents and the average processing time of the provider you chose.
Choose the type of SSL certificate you need. Basic certificates only cover one domain while wildcard certificates can cover more than one. Consider also the price based on the type of certificate you want and how much you can set aside for it annually.
Implications for ecommerce
When your customers know that your store is secure, they will trust you, feel confident and shop more often. Investing on security in ecommerce and the protection of your customers are practical retention tactics to keep your business successful.
With an SSL certificate, no one can spoof or mimic your store. Your certificate proves that you are the real owner of your ecommerce store and no one else can use it for any malicious intent.
More importantly, there is no way for attackers to compromise sensitive information stored in your database. Your risk for fraud, theft, identity theft, disruption of service, DOS attacks and phishing are significantly reduced, if not completely eliminated.
And with shoppers being smarter these days when it comes to their online shopping security, they may eventually ask why a green lock icon is missing on your site. Bounce rates can soar with the mere absence of that tiny padlock on the address bar.
Toughen up and design ecommerce security
How much you can protect your store from being compromised and prevent critical customer data from being stolen depends on the security measures you will adopt. Besides adopting ecommerce SSL certificates, consider doing the following:
Select a secure shopping cart system
Be wary of the ecommerce platform you will use and check the different security features it offers. There are tons of open source platforms out there, so if you want to use any of those, select one that is not open to public servers. Otherwise, you increase your risk for threats.
Keep your systems updated as well. If there are recent upgrades to your web server, software and plugins, implement all of it immediately.
Stay updated on recent vulnerabilities reported in the news. Like in 2015, as much as 8,000 ecommerce sites using Magento were affected by a malware called Guruincsite. The company suspected that there was probably some vulnerability in one of its extensions that paved the way for the infection.
Although the purpose of reading up on updates is to not dissuade you from using your current shopping cart system and look for an alternative choice, knowing what’s going on will alert you if your store has been compromised or not.
Secure payment compliances
Especially if you want to use an integrated payment gateway, make sure you follow the integration process recommended to you step by step. Take full responsibility for all the compliance methods and data security needed to make your payment facility secure and properly working.
It may be a lot of work, but it is wiser to never cut corners when it comes to your business and customers’ protection.
Do not store sensitive data
According to Chris Pogue, a Digital Forensics and Incident Response director, there is actually no reason for stores to keep thousands of sensitive customer information such as credit cards and CVV2 codes in their databases.
Aside from it being restricted by PCI Standards, all stores need to keep are minimal customer info just enough to make chargebacks and refunds. Not having so much data to keep and worry about being stolen works for your peace of mind as well.
Implement stricter payment verification systems
As mentioned earlier, there are now banks that implement OTPs or one-time passwords valid only for one transaction to ensure the credit card owner’s authentication before they can be charged. Sent usually to the credit card owner’s mobile number, this adds an extra layer of online protection for shoppers.
Another way is to require the Card Verification Value (CVV) for all your credit card transactions. It is the 3-digit code in the back of a credit card, significantly preventing fraudulent charges. Offering cash on deliveries also work effectively for security purposes.
Recommend stronger passwords
If you require your shoppers to create an account before they can proceed to checkout, be on guard and recommend the creation of stronger passwords.
You can help by generating alphanumeric passwords for them or providing suggestions for password combinations that are harder to crack. At the end of the day, the store owner is responsible for keeping all customer information safe at the back-end. Recommending customers to create stronger passwords is a smart primary step.
Send out tracking numbers for all orders
To avoid instances of refund theft or friendly fraud, always send out unique tracking numbers to all the orders exiting your warehouse. This also makes it easy to address any security or non-security issues that may arise.
Layer on security
Put up firewalls for your store as this stops attackers before they can even breach your network and access your critical business information. Add an extra blanket of security too for your checkout forms, username and password login fields and search box so any application-level attacks can be prevented.
Regular site monitoring
Nothing can ever go out of the radar if your store is constantly monitored for suspicious activities and threats related to ecommerce. The same way you regularly monitor your site to ensure a smooth and friendly experience to your customers, keeping a close watch on your store also helps you stay one step ahead for any threat that may arise.
Security in ecommerce is never a light issue. Just as you would invest on doors, locks and security personnel to keep your store safe from physical attacks, you need the same level of security and protection for your online store where vulnerabilities are more heightened.
Know the different types of threats you can be exposed to and couple it with way to counteract it.
Invest on SSL certificates and let it help you build up your customers’ confidence when shopping from you. At the same time, investing on it is also good for your organic ranking, rendering it a total win-win situation.
And as much as you need to read up and stay updated about your shopping cart system or anything related to ecommerce, learn from the mistakes of others and try not to have the same experience as they did. Cyber attacks and security failures are everywhere and it does not need to happen to you so you can learn a lesson.