Securing an ecommerce website is not the same as securing a local store. A physical store can be secured with locks, CCTV cameras, alarm systems, etc. Ecommerce websites, by contrast, face far more sophisticated attacks. Hackers and fraudsters are always on the lookout for security loopholes in ecommerce sites that could be used to steal valuable data. Invariably, your online assets are at constant risk unless you have systems and processes in place to secure them.

The following simple techniques can go a long way in protecting your ecommerce site and, therefore, your business.
Choose ecommerce hosting wisely

Are you one of those who are risking it all by choosing a low-cost hosting option?

The market is swarming with low-cost hosting options for websites, and it’s easy to be tempted by unbelievably cheap offers. If you’re on a shared hosting service with hundreds of thousands of other users, you could end up in a ‘noisy neighborhood’: one with neighbors who are rude, anti-social and tend to bring the tone of the neighborhood down.

Probably the best option for serious ecommerce retailers is a virtual private server. This balances superb, scalable performance with reasonable costs and excellent security customization options. Setting up your server for security is quite straightforward, and if you can’t manage it yourself, a reputable host will usually offer a managed server service.
HTTPS is the way

Not very long ago, most website owners would reserve HTTPS for the ‘payment links’ of their websites. That was before Google began to focus increasingly on security and started including HTTPS as a ranking factor. Any serious ecommerce player understands the value of SEO ranking and wouldn’t want to compromise on it. To add to this, it is certain that in upcoming releases Google Chrome will label all non-HTTPS pages in incognito mode as “not secure”, because users of this mode have an increased expectation of privacy. Invariably, browsers are going to start penalizing HTTP sites. So, believe it or not, HTTPS is the way to go.

To switch to HTTPS, you need to obtain an SSL certificate and start using it on your website. Your hosting provider may bundle one with its offerings, or you can purchase one from a reputable SSL vendor.
Select a secure platform and keep it secure

Once up and running, your site will need to be maintained periodically and supplemented with regular updates; your designers, developers and hosting vendor can support you in the process. But when it comes to security, you need to own the process.

In particular, keep an eye on your software provider’s site for periodic updates and ensure they are applied to your site.
Secure the admin panel

Protect your admin section against obvious attacks. For instance, avoid a default username like ‘admin’. Choose your login credentials wisely: they should be original and difficult to crack. Next, be selective in granting access to the admin panel. You can do this by setting up a whitelist of IP addresses in your server administration and permitting only known IPs to reach the admin panel.

As a final step, set up threshold values, such as a number of login attempts, so that the administrator is notified when a certain number of login attempts from an unknown IP address fail.
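As an added illustration (not code from the original post), here is a Python sketch of the two admin-panel controls described above: an IP whitelist gate that denies every attempt from an unknown address, and a notification once one unknown address accumulates a set number of denied attempts. The log line format, the whitelisted ranges (RFC 5737 documentation addresses) and the threshold of three are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed whitelist: office and VPN egress addresses (RFC 5737 documentation ranges)
ADMIN_WHITELIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
FAIL_THRESHOLD = 3  # notify the administrator once one unknown address reaches this many denied attempts


def ip_is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_WHITELIST)


def parse_auth_line(line):
    # Constructed log format: "<timestamp> admin-login ip=<ip> user=<user>"
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[2:])
    fields["timestamp"] = parts[0]
    return fields


def review_admin_logins(lines):
    """Apply the whitelist gate to each attempt and raise one alert per address
    when its denied attempts reach FAIL_THRESHOLD.
    Returns (decisions, alerts); decisions is a list of (ip, user, 'allow'|'deny')."""
    denied_count = defaultdict(int)
    decisions, alerts = [], []
    for line in lines:
        ev = parse_auth_line(line)
        ip, user = ev["ip"], ev["user"]
        if ip_is_whitelisted(ip):
            decisions.append((ip, user, "allow"))  # known address: the normal password check follows
            continue
        decisions.append((ip, user, "deny"))       # unknown address never reaches the login form
        denied_count[ip] += 1
        if denied_count[ip] == FAIL_THRESHOLD:     # fire once, at the threshold, not on every later attempt
            alerts.append(
                f"{FAIL_THRESHOLD} denied admin login attempts from unknown IP {ip} (last user tried: {user})"
            )
    return decisions, alerts


# Constructed sample log: one whitelisted owner login, one unknown address trying default usernames
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z admin-login ip=203.0.113.10 user=store-owner",
    "2024-05-01T09:00:15Z admin-login ip=192.0.2.44 user=admin",
    "2024-05-01T09:00:16Z admin-login ip=192.0.2.44 user=administrator",
    "2024-05-01T09:00:17Z admin-login ip=192.0.2.44 user=root",
    "2024-05-01T09:00:18Z admin-login ip=192.0.2.44 user=admin",
]

if __name__ == "__main__":
    decisions, alerts = review_admin_logins(SAMPLE_LOG)
    for d in decisions:
        print(d)
    for a in alerts:
        print("ALERT:", a)
```

The whitelist decision is made before any credential is examined, so the strength of the admin password only matters for addresses that are already trusted; the threshold alert is what tells you someone outside that set is probing the panel.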
Backup key data

Data, as your key business asset, needs to be protected. You cannot afford to leave data backup at the mercy of a manual process alone. An ideal solution is an automated backup facility in your platform, which ensures your data is backed up at all times.
Avoid hoarding user card data

Some ecommerce sites lure clients with the promise of saving time by storing their card details. As a prudent ecommerce player, refrain from adopting such practices. In the event of a data breach in which your systems are compromised, you could end up being penalized heavily.

The best practice is to use the services of a reputable payment gateway provider, which has built-in capabilities for managing card data and keeps payments off your site. If you are operating on a low budget, PayPal can be an optimal solution.

In the long run, it would be good practice to aim for Payment Card Industry Data Security Standard (PCI DSS) accreditation. Of course, to become PCI DSS compliant, your website needs to guarantee the integrity of your customers’ financial data, and you need to implement strong access control throughout your website.
Use GeoLocation anti-fraud software

There are instances everywhere of cards being stolen in one part of the world and used electronically from a different geographical location for online fraud. Ecommerce players who remain oblivious to these security loopholes may end up losing revenue by servicing fake orders and picking up chargebacks.

An effective way to address this is to use a GeoLocation anti-fraud tool. Merchants can use its data to determine the level of risk of any particular transaction.

The algorithm looks at a number of criteria around the IP address of the order, takes into account popular cloaking methods such as the use of proxies, and compares this with its database of billions of transactions to create a unified Fraud Risk Score.

If you’re unsure, it gives you the opportunity to either refund the order or run further manual checks.
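The scoring described above, as an added example that is not part of the original post and not any vendor’s actual algorithm: a small Python risk scorer that combines IP-centred signals (IP country versus billing country, an IP in a known proxy range, a billing/shipping country mismatch) into a unified 0-100 score and maps it to the three outcomes the text names, accept, manual review or refund. The country table, the proxy range, the weights and the two thresholds are constructed stand-ins for a real provider’s transaction database.

```python
import ipaddress

# Constructed reference data standing in for a vendor's transaction database.
# Sample IPs use RFC 5737 documentation ranges.
IP_COUNTRY = {
    "203.0.113.0/24": "US",
    "198.51.100.0/25": "DE",
    "192.0.2.0/24": "BR",
}
KNOWN_PROXY_RANGES = ["192.0.2.128/25"]  # assumed: ranges observed as anonymising proxies / VPN exits

# Illustrative weights; a real tool derives these from its own transaction history.
W_IP_BILLING_MISMATCH = 40
W_IP_COUNTRY_UNKNOWN = 20
W_KNOWN_PROXY = 30
W_BILLING_SHIPPING_MISMATCH = 25


def lookup_country(ip):
    """Return the country for an IP from the constructed table, or None if unknown."""
    addr = ipaddress.ip_address(ip)
    for cidr, country in IP_COUNTRY.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return None


def is_known_proxy(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in KNOWN_PROXY_RANGES)


def fraud_risk_score(order):
    """Combine the IP-centred signals into a 0-100 score plus the reasons behind it."""
    score, reasons = 0, []
    ip_country = lookup_country(order["ip"])
    if ip_country is None:
        score += W_IP_COUNTRY_UNKNOWN
        reasons.append("IP country unknown")
    elif ip_country != order["billing_country"]:
        score += W_IP_BILLING_MISMATCH
        reasons.append(f"IP country {ip_country} differs from billing country {order['billing_country']}")
    if is_known_proxy(order["ip"]):
        score += W_KNOWN_PROXY
        reasons.append("IP falls in a known proxy range")
    if order["billing_country"] != order["shipping_country"]:
        score += W_BILLING_SHIPPING_MISMATCH
        reasons.append("billing and shipping countries differ")
    return min(score, 100), reasons


def decide(score, review_threshold=40, refund_threshold=70):
    """Map a score to the merchant's action: accept, run manual checks, or refund."""
    if score >= refund_threshold:
        return "refund"
    if score >= review_threshold:
        return "manual_review"
    return "accept"


# Constructed sample orders
SAMPLE_ORDERS = {
    "clean": {"ip": "203.0.113.5", "billing_country": "US", "shipping_country": "US"},
    "unknown_ip_ship_elsewhere": {"ip": "198.51.100.200", "billing_country": "DE", "shipping_country": "FR"},
    "proxy_cross_border": {"ip": "192.0.2.200", "billing_country": "US", "shipping_country": "US"},
}

if __name__ == "__main__":
    for name, order in SAMPLE_ORDERS.items():
        score, reasons = fraud_risk_score(order)
        print(f"{name}: score={score} action={decide(score)} reasons={reasons}")
```

Returning the reasons alongside the number is deliberate: the middle band is what feeds the manual verification step, and the person making that call needs to know which signal fired, not just that the total crossed a line.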
Create robust security policies

Incorporating manual but robust security processes can go a long way in securing your online presence. For instance, take the example above, where a freshly arrived order carries a high Risk Score but ‘looks’ perfectly fine.

Your security policies and procedures must be invoked immediately, even if they sound redundant.

The verification process could be as simple as telephoning the client or sending them an email to confirm their identity.
Layered security

A multi-tiered approach to security is a must, because there is no panacea that makes a site secure. Depending on the budget, one can deploy either a physical firewall or a web application firewall. These are the first lines of defense against the more prominent and common breaches and hacks, which may include SQL injection or cross-site scripting.

Secondly, one can use a Content Delivery Network (CDN) to boost security. CDNs learn to identify malicious traffic to the website. Moreover, they are able to prevent Distributed Denial of Service (DDoS) attacks, which is highly advantageous for security.

Another way to protect against DDoS attacks is to use open-source software.
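A firewall is the first line of defense against SQL injection and cross-site scripting, but the application behind it is the layer that has to hold if the firewall is bypassed. The following added Python example (not from the original post) shows the same product search written two ways: with the search term spliced into the SQL text, which already breaks on an ordinary apostrophe and is the pattern injection abuses, and with a bound parameter; it also escapes the term when it is echoed back, so that markup in a search string is displayed rather than interpreted by the browser. The in-memory product table and the sample terms are constructed.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory product table standing in for the shop's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("Blue mug", 9.5), ("Red mug", 9.5), ("Teapot", 24.0)],
    )
    return conn


def search_unsafe(conn, term):
    """Vulnerable: the search term becomes part of the SQL text.
    A customer named O'Brien is enough to break the statement, and the same
    splice is what SQL injection abuses."""
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Hardened: the term is a bound parameter, so the database treats it only as data."""
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ORDER BY id", (f"%{term}%",)
    )
    return [row[0] for row in rows]


def unsafe_search_breaks_on(conn, term):
    """True if the spliced query fails to parse for this input."""
    try:
        search_unsafe(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


def render_results(term, names):
    """Escape everything echoed back to the browser, so markup in the search
    term is shown as text instead of being rendered (reflected cross-site scripting)."""
    items = "".join(f"<li>{html.escape(name)}</li>" for name in names)
    return f"<p>Results for {html.escape(term)}</p><ul>{items}</ul>"


if __name__ == "__main__":
    db = make_db()
    print(search_safe(db, "mug"))                  # ['Blue mug', 'Red mug']
    print(unsafe_search_breaks_on(db, "O'Brien"))  # True
    print(search_safe(db, "O'Brien"))              # []
    print(render_results("<b>tea</b>", search_safe(db, "tea")))
```

The parameterized query and the output escaping do not depend on the firewall recognising a malicious request, which is the point of layering: each tier should stop the attack class on its own.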
