Editor’s note: This is a guest post by Dmytro Ternovyi who is an IT enthusiast and a passionate technology writer.
With the rise of mobile devices and the Internet of Things, the web is more and more central to our lives. For online businesses, that means more opportunities than ever before. Internet shopping is everywhere, and it’s not uncommon for customers to walk through a brick and mortar store, cell phone in hand, ready to comparison shop at their favorite online outlet.
It also means more opportunities than ever before for online criminals. All that juicy customer data draws them in like sharks, whether it’s full credit card numbers or just email addresses.
According to Symantec, the number of data breaches increases yearly, nearly doubling from 2012-2014. Cybercrime is an enormous industry, raking in many millions of dollars per year.
The public has noticed, too, after some very high-profile data breaches at large corporations. News coverage has brought the issue back into the public eye, which is good and bad for the e-commerce operator.
On one hand, informed users are less likely to be hacked. They will exercise good password practices, avoid clicking on phishing links, and generally be more aware of the potential dangers of the online marketplace.
On the other hand, informed users are very much on the lookout for evidence of unsecured sites. They are less likely to understand and forgive a breach, and will generally move right on to a competing site if they don’t feel safe.
Even a relatively minor breach can be devastating to customer confidence, and so security for e-commerce websites is on every online professional’s mind these days.
Our Tips for e-Commerce Website Security
Implement HTTPS
HTTPS and a valid SSL certificate are the new normal, especially on e-commerce sites. It’s vital for secure online transactions of any type. That includes purchases, but also data as simple and innocuous as an email address for a newsletter signup.
Google is wise to the value of HTTPS as well. They have begun prioritizing HTTPS-secured sites in search results. This makes an SSL certificate a solid SEO tactic as well as good security.
Choose a Secure e-Commerce Platform
The sheer number of e-commerce platforms available today is daunting. When selecting your platform, focus on safety over flash. If they don’t have a firm plan on how to protect your customers, move on.
Keep in mind that features like social integrations and lead capture are not only commonplace, they can often be added with external solutions or add-ons. These features are great for customer engagement and retention, but they are not as mission-critical as security.
Many e-commerce packages interface with PCI-compliant payment processors, and can enforce strong passwords. The platform you choose should, at a minimum, have a secured checkout page. Site-wide security using SSL is even better, and it’s not a difficult feature to find.
For additional login security, look for software that discourages password guessing through features like CAPTCHA and two-factor security. A login session timeout, which automatically logs a user out after a period of inactivity, is also a must.
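The inactivity timeout described above, as an added illustration that is not code from the original post or from any particular e-commerce platform. The session table is in-memory and the 15-minute idle limit is an assumed policy value; a real deployment would keep sessions in a server-side store and choose the limit to suit its risk. The clock is injected so the expiry logic can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy: 15 minutes without a request ends the session


@dataclass
class Session:
    user_id: str
    last_activity: float  # epoch seconds of the most recent request on this session


class SessionStore:
    """In-memory session table with a sliding idle timeout (illustrative, not a framework)."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT_SECONDS, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock          # injectable so tests can control time
        self._sessions = {}         # token -> Session

    def login(self, user_id: str) -> str:
        """Create a session after successful authentication and return its opaque token."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
        self._sessions[token] = Session(user_id, self.clock())
        return token

    def touch(self, token: str):
        """Called on every request. Returns the user id if the session is still live;
        if the idle limit has passed, the session is destroyed and None is returned,
        which forces the user back to the login page."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_activity > self.idle_timeout:
            del self._sessions[token]
            return None
        session.last_activity = now     # activity extends the window
        return session.user_id

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

    def sweep(self) -> int:
        """Drop sessions that expired without another request; returns how many were removed."""
        now = self.clock()
        expired = [t for t, s in self._sessions.items() if now - s.last_activity > self.idle_timeout]
        for t in expired:
            del self._sessions[t]
        return len(expired)

    def active_count(self) -> int:
        return len(self._sessions)
```

Run `sweep()` periodically (a cron job or a background task) so that abandoned sessions do not linger in the store until their owner happens to return.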
Safe and Secure Web Hosting
Similarly, there are so many choices for web hosting that it’s difficult to decide. Focus on both reliability and security when selecting your host. A provider that’s always down will drive away customers just as surely as one that is susceptible to hackers.
Choose a host that integrates security features such as backups and SSL certificates. Although it’s certainly possible to handle these tasks yourself, many hosts these days are happy to assist you with them for a very small fee if it’s not outright included in your hosting plan.
Above all, select a host that offers reliable and competent 24-hour technical support. When your site is in trouble, and it will be at some point during its life, you’ll be extremely happy you did.
DDoS Protection and Mitigation
DDoS (Distributed Denial of Service) attacks remain the most common means by which hackers undermine online purchase security. They are relatively easy to execute and are still quite effective against many sites.
In essence, DDoS shuts down a website by overloading it with traffic. Thousands of systems, called “bots”, begin requesting data from the website simultaneously. The site can’t keep up with the amount of traffic, slows down, and ultimately crashes.
The technique can be effective on any website regardless of how much bandwidth or server capacity its host offers, since any amount of bandwidth is, in the end, finite.
The best analogy is of a crowd of people standing in front of the doors of a business, stopping other people from entering. In e-commerce, DDoS attacks are often performed by unscrupulous competitor websites, especially during busy shopping times like Black Friday or the holidays.
If your website goes down during the holiday season, the loss of sales can be catastrophic. That’s exactly what the perpetrators of this cyber crime want.
Fortunately, there are DDoS protection and mitigation services available now to combat them.
DDoS mitigation services act as a “gatekeeper” for traffic to your website. Any requests for data are passed through the service first, which carefully inspects the traffic to ensure it is an actual human user as opposed to an automated DDoS bot. The process is invisible and seamless to your users, and bots are simply denied access to your site.
So use one! Ensuring your website stays up and available will save your customers a great deal of frustration. In turn, that will save your bottom line!
Use Multiple Layers of Security
One solution simply isn’t enough. Redundancy is absolutely key to ensuring security for e-commerce websites. Put backups in place for all your points of entry, and then have backups to those backups.
This is one of the main principles in security for e-commerce websites. Hackers are persistent, and no security is perfect. They will find a hole. The trick is to make sure the only thing they find behind that hole is another wall.
Don’t Store Sensitive Billing Information
If your site is PCI compliant, and it should be, then you’ve already implemented this tip. If not, then keep in mind a simple truism: You can’t rob an empty house.
Store the minimum amount of customer billing information needed, and strongly encrypt the data you do keep. For the best credit card protection for online purchases, you should only store the information needed to process refunds and chargebacks.
Depending on the size of your e-commerce store, a hosted payment processor may make the most sense. Typically, these solutions will encrypt billing information more securely than a smaller site can afford on its own.
The same holds true for email addresses and other customer information. Although the danger is not as immediate, lost personal information can expose customers to identity theft. Your website should store the minimum amount of information needed to conduct your operations.
Require Strong Passwords
E-commerce website security starts with you, but it can end with your users. All the security in the world won’t ensure the safety of a customer who decides “1234” would make a great password.
The answer? Make them use a better password. Enforce strong passwords on your site, including upper and lower case letters, numbers, and special characters. For an extra boost of security, allow and encourage the use of 2-factor protection. Authentication by text message or mobile app enhances security and polishes your image.
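The password rules and the mobile-app second factor from this section, as an added example that is not code from the original post. The four character-class checks are the ones the post names; the 12-character minimum and the tiny blocklist (which contains the post’s “1234”) are assumptions, and a real site would check against a large list of breached passwords instead. The second half is a standard RFC 4226/6238 HOTP/TOTP implementation, the scheme used by authenticator apps, with a one-step drift window and a constant-time comparison.

```python
import hashlib
import hmac
import re
import struct
import time

# Assumed policy values for this example; the post only specifies the character classes.
MIN_LENGTH = 12
# Constructed mini blocklist; use a breached-password corpus in production.
COMMON_PASSWORDS = {"1234", "12345678", "password", "qwerty", "letmein"}


def password_problems(pw: str) -> list:
    """Return every policy rule the password violates; an empty list means it is accepted.
    Reporting all failures at once lets the signup form explain exactly what to fix."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    return problems


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(timestamp // step), digits)


def verify_totp(secret: bytes, submitted: str, timestamp: float = None, window: int = 1) -> bool:
    """Accept the code for the current step or any step within +/- `window` (clock drift
    between phone and server). hmac.compare_digest keeps the comparison constant-time."""
    if timestamp is None:
        timestamp = time.time()
    step_now = int(timestamp // 30)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step_now + delta), submitted):
            return True
    return False
```

The shared secret handed to the authenticator app must be generated from a CSPRNG per user and stored server-side with the same care as a password hash; the code check should also be rate-limited, since a six-digit code is only safe when an attacker cannot try many of them.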
Security for e-Commerce Websites – Start from Day 1
As any veteran of the industry knows, e-commerce website security is a never-ending battle. The hackers and cybercriminals only grow bolder and more motivated each year, as the number of websites and customers to target increases.
Placing security at the top of the priority list is more important than ever before.
For a huge corporation like Target, a major data breach is embarrassing and expensive. Reparations, settlements, and massive PR campaigns let them move on, sometimes barely.
For the smaller e-commerce operator, it can mean the end of a business. Customer trust can take years to rebuild once lost. That’s years of lost profits, and that’s something many stores simply can’t afford.
Properly securing a website takes time, specialized knowledge, and resources. In an online business, especially a new one, those three things can be in short supply. Good security is well worth the upfront effort and cost, though, as it can mean the difference between success and failure for the entire life of the business.
About the author
Dmytro Ternovyi is an IT enthusiast and a passionate technology writer from Ukraine with a strong belief that my country will be the next “Startup Nation”. I run some of my own blogs as well as serving as a consultant for Ukrainian companies like Ignite and others. I have a strong interest in cutting-edge technologies and their localization in IT markets worldwide. Drop me a line on Twitter @dimulik for a quick chat or if you’d like to hire me as a writer.