Security architecture is of utmost importance in the design of an e-commerce Web site. In computer networking, security can be defined as a continuing process in which an administrator ensures that information is shared only between authorized users.
In this module, we will discuss the various aspects of overall site security. By the end of this module, you will know how to:
- Describe security risks and solutions
- Describe security measures needed to protect your system and Web site
- Design for system security at the operating system, server, and application levels
- Restrict server and scripting parameters to increase security
- Define encryption methods and describe encryption implementation
Hackers are stealing credit cards and other sensitive information from ecommerce sites. To protect your customers, it is imperative to know how to protect your ebusiness and your sensitive customer data. Ecommerce and security experts share 10 tips on how you can prevent fraud and keep your site safe.
- Choose a secure ecommerce platform: "Put your ecommerce site on a platform that uses a sophisticated object-orientated programming language," says Tom Hauck, software development manager, DistributedNetworks. "We have used plenty of different open source ecommerce platforms in the past and the one we are using now is by far the most secure," Hauck says. "Our administration panel is inaccessible to attackers because it's only available on our internal network and completely removed from our public facing servers. Additionally, it uses secondary authentication that authenticates users with our internal network."
- Use a secure connection for online checkout and make sure you are PCI compliant:
Use Secure Sockets Layer authentication for web and data protection, says Rick Andrews, technical director, Trust Services, Symantec.
"It can be a leap of faith for customers to trust that your ecommerce site is safe, particularly when web-based attacks increased 31 percent last year. So it is important to use SSL certificates to authenticate the identity of your business and encrypt the data in transit," Andrews says. "This protects your company and your customers from getting their financial or important information stolen."
Even better: "Integrate the stronger EV SSL [Extended Validation Secure Sockets Layer], URL green bar and SSL security seal so customers know that your website is safe."
"To validate our credit cards we use a payment gateway that uses live address verification services right on our checkout," he says.
"This prevents fraudulent purchases by comparing the address entered online to the address they have on file with their credit card company."
- Don't store sensitive data:
"There is no reason to store thousands of records on your customers, especially credit card numbers, expiration dates and CVV2 [card verification value] codes," says Chris Pogue, director of Digital Forensics and Incident Response at Trustwave.
"In fact, it is strictly forbidden by the PCI Standards," Pogue says. He recommends purging old records from your database and keeping a minimal amount of data, just enough for charge-backs and refunds. "The risk of a breach outweighs the convenience for your customers at checkout," he says. "If you have nothing to steal, you won't be robbed."
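The retention rule in this tip (keep only what chargebacks and refunds need, never the CVV2, purge old records) can be turned into a routine that runs over stored orders. The following is an added example and not code from the original page; the record fields, the 180-day window and the sample orders are all constructed assumptions.

```python
"""Added example: data-minimisation pass over stored order records.
Field names, the retention window and the sample data are hypothetical."""
from datetime import date, timedelta

RETENTION_DAYS = 180  # assumed chargeback/refund window; pick yours from your card agreements

# Constructed sample records, modelling what a careless store might have persisted.
SAMPLE_ORDERS = [
    {"order_id": "A1", "placed": date(2024, 1, 10), "pan": "4111111111111111",
     "expiry": "12/26", "cvv2": "123", "amount": 59.99},
    {"order_id": "A2", "placed": date(2024, 6, 1), "pan": "5500000000000004",
     "expiry": "01/27", "cvv2": "456", "amount": 120.00},
]


def card_brand(pan):
    """Coarse brand guess from the leading digits; enough to describe a card on a dispute."""
    if pan.startswith("4"):
        return "visa"
    if pan[:2] in ("51", "52", "53", "54", "55"):
        return "mastercard"
    return "other"


def minimise(order):
    """Keep only what a refund or chargeback needs: the last four digits and the brand.
    The full PAN, the expiry and the CVV2 are deliberately not copied."""
    pan = order["pan"]
    return {
        "order_id": order["order_id"],
        "placed": order["placed"],
        "amount": order["amount"],
        "card_last4": pan[-4:],
        "card_brand": card_brand(pan),
    }


def purge_and_minimise(orders, today, retention_days=RETENTION_DAYS):
    """Drop orders older than the retention window and strip card data from the rest."""
    cutoff = today - timedelta(days=retention_days)
    kept = []
    for order in orders:
        if order["placed"] < cutoff:
            continue  # outside the window: nothing about this order is retained
        kept.append(minimise(order))
    return kept


def contains_card_secrets(records):
    """Audit helper: True if any record still carries a full PAN, expiry or CVV2."""
    return any("pan" in r or "cvv2" in r or "expiry" in r for r in records)


if __name__ == "__main__":
    cleaned = purge_and_minimise(SAMPLE_ORDERS, date(2024, 8, 1))
    print(cleaned)
    print("secrets left:", contains_card_secrets(cleaned))
```

Run the purge on a schedule rather than once: every record that survives should fail the `contains_card_secrets` audit, and the audit is cheap enough to run as a test against a copy of the production table.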
- Use an address and card verification system: "Enable an address verification system (AVS) and require the card verification value (CVV) for credit card transactions to reduce fraudulent charges," says Colin O'Dell, lead Magento developer for Unleashed Technologies.
- Require strong passwords: "While it is the responsibility of the retailer to keep customer information safe on the back-end, you can help customers help themselves by requiring a minimum number of characters and the use of symbols or numbers," says Sarah Grayson, senior marketing manager for the Web Security Group at McAfee. "Longer, more complex logins will make it harder for criminals to breach your site from the front-end," she says.
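A password rule like the one described above (a minimum length plus a digit or symbol) is usually enforced server-side at registration. The check below is an added example, not code from the page or from McAfee; the 12-character minimum and the small deny-list are constructed assumptions, and a real deployment would load a far larger list of known-breached passwords.

```python
"""Added example: server-side password policy check. The minimum length and the
deny-list are assumptions; the page states neither."""
import re

MIN_LENGTH = 12  # assumed policy value
# Constructed deny-list of passwords that meet the character rules but are still guessable.
COMMON_PASSWORDS = {"password", "password1", "123456789012", "qwertyuiop12", "letmein"}


def password_problems(password):
    """Return the list of policy rules the candidate fails; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    # The tip asks for symbols OR numbers, so either class satisfies this rule.
    if not re.search(r"[0-9]", password) and not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no digit or symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if len(set(password)) <= 2:
        problems.append("too few distinct characters")
    return problems


def is_acceptable(password):
    return not password_problems(password)


if __name__ == "__main__":
    for candidate in ("short1", "abcdefghijkl", "correct horse battery 7"):
        print(repr(candidate), password_problems(candidate) or "accepted")
```

Returning the list of failed rules, rather than a bare boolean, lets the registration form tell the customer exactly which rule to fix without the server ever logging the password itself.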
- Set up system alerts for suspicious activity:
"Set an alert notice for multiple and suspicious transactions coming through from the same IP address," advises Deric Loh, managing director at digital agency Vault Labs. Similarly, set up system alerts for "multiple orders placed by the same person using different credit cards, phone numbers that are from markedly different areas than the billing address and orders where the recipient name is different than the card holder name."
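The four alert conditions listed above (many transactions from one IP, one customer using several cards, a phone area code that does not match the billing address, and a recipient who is not the cardholder) map directly onto a batch rule pass over recent orders. What follows is an added example, not code from the page or from Vault Labs; the order fields, the thresholds and the sample orders are constructed, and the area-code comparison assumes the billing address has already been resolved to an area code.

```python
"""Added example: rule-based alerts over a batch of recent orders.
Field names, thresholds and the sample orders are assumptions."""
from collections import defaultdict

IP_THRESHOLD = 3    # assumed: transactions from one IP in the batch before alerting
CARD_THRESHOLD = 2  # assumed: distinct cards per customer before alerting

# Constructed sample batch. Orders 1-3 come from one IP and one customer on three cards;
# order 4 has a mismatched phone area and recipient; order 5 is clean.
SAMPLE_ORDERS = [
    {"id": 1, "ip": "198.51.100.7", "customer": "alice@example.com", "card_last4": "1111",
     "phone_area": "415", "billing_area": "415", "cardholder": "Alice Smith", "recipient": "Alice Smith"},
    {"id": 2, "ip": "198.51.100.7", "customer": "alice@example.com", "card_last4": "2222",
     "phone_area": "415", "billing_area": "415", "cardholder": "Alice Smith", "recipient": "Alice Smith"},
    {"id": 3, "ip": "198.51.100.7", "customer": "alice@example.com", "card_last4": "3333",
     "phone_area": "415", "billing_area": "415", "cardholder": "Alice Smith", "recipient": "Alice Smith"},
    {"id": 4, "ip": "203.0.113.9", "customer": "bob@example.com", "card_last4": "4444",
     "phone_area": "212", "billing_area": "702", "cardholder": "Bob Jones", "recipient": "Carl Wu"},
    {"id": 5, "ip": "203.0.113.10", "customer": "dana@example.com", "card_last4": "5555",
     "phone_area": "206", "billing_area": "206", "cardholder": "Dana Li", "recipient": "Dana Li"},
]


def find_alerts(orders, ip_threshold=IP_THRESHOLD, card_threshold=CARD_THRESHOLD):
    """Return a list of {"orders": [...ids], "reason": str} alerts for the batch."""
    alerts = []
    by_ip = defaultdict(list)               # ip -> order ids
    cards_by_customer = defaultdict(dict)   # customer -> {card_last4: [order ids]}
    for o in orders:
        by_ip[o["ip"]].append(o["id"])
        cards_by_customer[o["customer"]].setdefault(o["card_last4"], []).append(o["id"])
        # Per-order rules: these fire on a single suspicious order.
        if o["phone_area"] != o["billing_area"]:
            alerts.append({"orders": [o["id"]],
                           "reason": "phone area code differs from billing address area"})
        if o["cardholder"].casefold() != o["recipient"].casefold():
            alerts.append({"orders": [o["id"]],
                           "reason": "recipient name differs from cardholder name"})
    # Aggregate rules: these need the whole batch.
    for ip, ids in by_ip.items():
        if len(ids) >= ip_threshold:
            alerts.append({"orders": ids, "reason": "%d transactions from the same IP %s" % (len(ids), ip)})
    for customer, cards in cards_by_customer.items():
        if len(cards) >= card_threshold:
            ids = sorted(i for id_list in cards.values() for i in id_list)
            alerts.append({"orders": ids, "reason": "%s used %d different cards" % (customer, len(cards))})
    return alerts


def flagged_order_ids(alerts):
    """Distinct order ids touched by any alert, for holding shipments pending review."""
    return sorted({i for a in alerts for i in a["orders"]})


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_ORDERS):
        print(alert["orders"], alert["reason"])
```

The split between per-order and aggregate rules matters operationally: the per-order rules can run inline at checkout, while the IP and multi-card rules need a window of recent orders and are better run from a scheduled job that feeds the alert notice the tip describes.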
- Layer your security:
"One of the best ways to keep your business safe from cybercriminals is layering your security," says Grayson. "Start with firewalls, an essential aspect in stopping attackers before they can breach your network and gain access to your critical information."
Next, she says, "add extra layers of security to the website and applications such as contact forms, login boxes and search queries." These measures "will ensure that your ecommerce environment is protected from application-level attacks like SQL (Structured Query Language) injections and cross-site scripting (XSS)."
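The application-level layer mentioned above comes down to two habits in the code that handles contact forms, login boxes and search queries: bind user input as query parameters instead of splicing it into SQL text, and encode it before it is written into HTML. The example below is added here and is not code from the page or from McAfee; it uses an in-memory SQLite table and constructed product rows, and shows a string-concatenated search next to its parameterised replacement so the difference can be tested directly.

```python
"""Added example: a product search done unsafely (string concatenation) and safely
(bound parameters), plus output encoding for the results page. The table, rows and
function names are constructed for this example."""
import html
import sqlite3


def demo_db():
    """Build a small in-memory catalogue; one row is not meant to be visible to shoppers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO products (name, public) VALUES (?, ?)",
                     [("red widget", 1), ("blue widget", 1), ("unreleased gadget", 0)])
    conn.commit()
    return conn


def search_unsafe(conn, term):
    """Vulnerable form: the search term is pasted into the SQL text, so a quote character
    in the input changes the structure of the query rather than being matched as data."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Hardened form: the term is bound as a parameter. Whatever it contains, the query
    keeps the shape the developer wrote, and the public = 1 filter cannot be bypassed."""
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def render_result_row(name):
    """Output encoding: a stored name is shown as text, never interpreted as markup."""
    return "<li>" + html.escape(name, quote=True) + "</li>"


if __name__ == "__main__":
    conn = demo_db()
    print("safe search for 'widget':", search_safe(conn, "widget"))
    print("rendered:", render_result_row("<b>not bold</b>"))
```

Note that the parameterised version still lets the shopper search for a literal quote character; it simply matches that character against product names instead of altering the query, which is the whole point of separating the statement from its data.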
- Provide security training to employees: Employees "need to know they should never 1) email or text sensitive data or 2) reveal private customer information in chat sessions as none of these communication methods are secure," says Jayne Friedland Holland, chief security officer and associate general counsel at technology firm NIC Inc.
"Employees also need to be educated on the laws and policies that affect customer data and be trained on the actions required to keep communications safe," Holland says. Finally, "use strict written protocols and policies to reinforce and encourage employees to adhere to mandated security practices."
- Use tracking numbers for all orders:
"To combat chargeback fraud, have tracking numbers for every order you send out," advises Jon West, CEO, AddShoppers, a social commerce platform for retailers. "This is especially important for retailers who drop ship."
- Monitor your site regularly and make sure you are using secure cloud hosting solutions:
"Always have a real-time analytics tool," says Punit Shah, director of Marketing at online jeweler My Trio Rings. "It is the real-world equivalent of installing security cameras in your shop.
Tools like Woopra or Clicky allow you to observe how visitors are navigating and interacting with your website in real time, allowing you to detect fraudulent or suspicious behavior," he says. "With tools like these we even receive alerts on our phones when there is suspicious activity, allowing us to act quickly and prevent suspicious behavior from causing harm."
Also, make sure whoever is hosting your ecommerce site "regularly monitors their servers for malware, viruses and other harmful software," says Ian Rogers, SEO and Web developer.
In the next lesson, we will discuss security risks.