10 ways to keep hackers’ hands off your e-commerce website

SecurityCategory
7 min read
Stephen Lawton

Hackers want in. So as a web designer or developer with an e-commerce website, you must consider online security a top priority to protect customers’ personally identifiable information. An identity thief is on the hunt for credit card numbers, Social Security numbers, and other data considered confidential. So how do you keep customers safe? Start with these 10 ways to protect against hackers and insider misuse:

1. Don’t collect or save customer data you don’t need

Hackers and identity thieves cannot steal what you don’t have. Therefore, do not collect or save any private customer data through your e-commerce solution that is not essential to your business.

When it comes to processing credit cards, use an encrypted checkout tunnel to eliminate the need for your own servers to ever see the customer’s credit card data. This might be slightly more inconvenient at checkout time for your customers, but the benefits far outweigh the risk of compromising their credit card numbers. Also, be certain hackers can’t remotely access any private data you retain.

2. Update your e-commerce solution’s SSL/TLS to encrypt browser communications

You must encrypt communications between the website and browsers when transmitting confidential information. That’s a given. But to keep hackers from cracking the code, maintain current encryption algorithms such as the latest versions of SSL (Secure Sockets Layer) or TLS (Transport Security Layer). Although some refer to TLS as SSL, and there is a technical difference, it’s probably not something you need to worry about. What’s important is that you avoid vulnerable versions of the encryption library.

Test your e-commerce website’s security

Last year, researchers found a serious flaw in SSL 3.0 and 2.0 code vulnerable to the POODLE man-in-the-middle attack. That’s why it’s so important to update. Start by testing your website’s security at Qualsys SSL Labs. Check out Does your website need an SSL Certificate? article.

3. Regularly test your e-commerce site for vulnerabilities

Credit card companies require retailers to test their e-commerce websites to meet certain security standards. But simply meeting these regulations is not enough. Your better bet is to regularly test your e-commerce site to stop hackers from doing any real damage. This includes:

Regular scanning: Check your web sites regularly (including a test of all links) to ensure identity thieves and hackers have not introduced malware into advertisements, graphics, or other content provided by third parties.

Penetration testing: Consider hiring cybersecurity consultants or ethical hackers to identify vulnerabilities in the code.

Security apps: Look into web application scanning tools that help identify a variety of vulnerabilities — ranging from identifying Cross-site Scripting (XSS) to finding vulnerabilities inside debug code and leftover source code that could put confidential data at risk.

4. Eliminate risky software that jeopardizes online security

Modern web development code, such as HTML 5, will help you eliminate potential vulnerabilities from Java. If you are redesigning or building a new site, opt for the safer choice. While you’re at it, try to eliminate Adobe Flash and other applications that are prone to vulnerabilities when possible. If you must use Java or Flash for legacy applications, make sure you patch the software regularly to ensure you have the most secure version.

5. Protect the perimeter, wherever it is

Today’s network perimeter is ever-changing. As the recent Target breach clearly identified, sometimes the edge of your network exists within the network of your business partner. Often times, retail sites are not only accessible to hackers from the public Internet; they are also accessible through other companies. So what’s a web developer to do? Ensure your links have their own quarantine capabilities.

For example, there should be physical separation between the network that an industrial business partner can access and one that contains confidential customer data. Corporate data should have layered defenses, with each layer having stronger identification, credential, and access management (ICAM) restrictions. However, if you want your network to be hacked — these rules also apply to your e-commerce site. Robyn Lorusso laid out the top 10 rules a decade ago, and they’re just as apt today as they were then.

6. Correctly configure perimeter defenses

Buying a firewall is easy; configuring it correctly requires time and effort. If your e-commerce site is managed by a hosting provider, most likely, your IT staff will not have direct access to the network security infrastructure. That means, you probably have to rely on contract language to address issues of network security. Plus, you must work directly with your provider to ensure regular monitoring and testing of your e-commerce site. Must-have security services for your site, whether you have a hosting provider or host your site yourself, include:

  • Data loss prevention.
  • Data loss detection.
  • Advanced persistent threat detection.
  • Intrusion prevention services.
  • DDoS protection.
  • Reputation defenses.
  • Antivirus/antimalware and a fraud management service.

7. Encrypt all communications that might interest hackers

Encrypt your communications with business partners, especially with your credit card processor. You might even consider encrypted email. Reason being, you should never send potentially private data in plain text over the Internet. Why take chances that someone is looking at your private communications? For more on this, particularly for those running Windows Exchange Server 2007 or later, read Use TLS with SMTP to Secure Your Email by Paul Robichaux on Windows IT Pro.

8. Doveryai, no proveryai: Trust, but verify

We would all like to trust our customers, right? But these days, you still have to verify. Therefore, enable an address verification system (AVS), and require customers to input the card verification value (CVV) number for all credit card transactions. Learn more about AVS and how to change security settings or get the full scoop on CVV numbers.

9. Choose a hosting provider carefully

Your hosting provider should be just as invested in your success as you are. Many of the top providers, such as GoDaddy, offer an array of tools and applications to make creating and running an e-commerce site easy and secure. Your safest bet is the hosting provider that:

  • Employs at least 128 bit AES encryption (256 bit is better).
  • Performs regular backups.
  • Keeps comprehensive logs.
  • Performs regular network monitoring.
  • Provides you with written policies and procedures in case of a breach.
  • Provides a single point of contact for security emergencies.

At the very least, providers should be able to explain to you their own emergency procedures in cases of a natural disaster or breach. Otherwise, you shouldn’t feel confident they can assist you should the real deal go down.

10. Wash, rinse, repeat

Diligence will render hackers and identity thieves powerless. This comes down to three key actions:

  • Constant testing of your e-commerce site.
  • Immediate attention to problems, fixing them as they occur.
  • Monitoring your site to ensure the problems have been eliminated.

Log files offer excellent insights into your site’s security, but are useless if you don’t take the time to find the anomalies. Security is an ongoing process, not a one-time fix to pass an inspection. If your site accepts credit or debit cards, you will be required by your card provider to test your network annually, requiring a third-party tester or perhaps a self-evaluation, depending on various considerations. In a addition to these, opt for quarterly tests with ongoing evaluation of log files for intrusion prevention and data loss prevention.

Your customers should feel confident in your dedication to online security. They count on you to take their privacy seriously. Otherwise, it could cost you their business, or worse, if hackers have their way. Just ask the major retailers with recent high-profile breaches on how the public responded to their data security disasters. What’s your take? Should online shoppers assume their info is safe? Or does the responsibility fall on those running e-commerce sites? Share your thoughts in the comments below.