Security Practices for Your Ecommerce Store to Take Today
State of Security
It seems there is another data breach at a large brand every other week. The thing is, these aren’t just limited to the big stores. According to Trustwave, small merchants are the target of 90% of breaches. And it can cost a store around $37,000 per breach (around $4 million for bigger brands).
Verizon did a Data Breach Investigation Report in 2020 and found that 37% of breaches were due to stolen or weak credentials. By 2021, the latest report from Verizon found that number to be 61%!
This is a huge deal! But many of these security issues can be prevented if you take the time to work with your team to shore up your store and their security practices.
In this article, you’ll learn:
- Top security concerns for ecommerce stores
- Precautions your store can take to prevent a breach
- Ways your team can help reduce security issues
- How to help customers protect themselves
Top Security Concerns for Ecommerce Stores
Ecommerce stores are a prime target for criminals. They are after money, whether it’s through ransomware, using fake credit cards, or data and store breaches.
As mentioned earlier, one common way criminals get access to your store is through weak credentials (easy to crack usernames and passwords). They can also phish employees or customers with authentic-looking emails and SMS.
More sophisticated ways they can take over your store include planting malware via SQL injection or exploiting vulnerabilities in your platform, third-party plugins and integrations.
Precautions to Take For Your Store
While hacker-style attacks, as mentioned above, are something to worry about, as a store owner you also need to protect yourself from fraud.
When it comes to credit cards, you’re likely to experience chargeback fraud from visitors using stolen cards. People use a stolen card to purchase, and then later you end up with a chargeback due to the fraud. Luckily there are apps that can help detect these possible instances as they’re happening.
Another basic precaution is to enable an address verification system and always require CVV for credit cards.
When it comes to shipping and billing addresses, there are two things you can do. Address Verification Service (AVS) can match on zip only, or you can make it stricter and have it fuzzy match on the street address too. Address validation (with Google’s service or similar) is the mechanism by which you can check that a street address actually exists within a zip code. The downside is that it does not cover P.O. boxes, so best practice is to allow the user to override the suggestion.
Depending on your payment processor, you can set up alerts for different actions that can indicate potential fraud.
- Transactions from foreign IPs (especially if you typically only get domestic orders)
- Multiple orders on the same credit card
- One person making multiple orders with different credit cards
- If credit card and billing data don’t match (if billing data doesn’t match, it likely won’t process, but you can flag orders where shipping and billing addresses are different to look into them)
- Customer name and cardholder name don’t match
Many of these alerts can be set up in Shopify. The list above is not exhaustive, but it is a starting point.
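As an added example (not code from the original article or from Shopify), here is a small batch scorer that applies the AVS setting and the five alert conditions above to a set of orders. The order records, thresholds, weights and country list are assumptions you would replace with your own data; `card_fp` stands for the card fingerprint or token your processor returns, never the card number itself.

```python
from collections import Counter, defaultdict

HOME_COUNTRIES = {"US"}        # where your orders normally come from (assumption)
MAX_ORDERS_PER_CARD = 2        # more orders than this on one card in a batch is suspicious
MAX_CARDS_PER_CUSTOMER = 1     # one shopper rotating several cards is suspicious
STRICT_AVS = True              # also flag a zip-only AVS match, not just a failed one

# Weights and the review threshold are illustrative starting points; tune them
# against your own chargeback history.
WEIGHTS = {"foreign_ip": 1, "card_reuse": 2, "many_cards": 2, "name_mismatch": 2,
           "ship_bill_mismatch": 1, "avs_partial": 1, "avs_fail": 3}
REVIEW_THRESHOLD = 3


def _norm(name):
    return " ".join(name.lower().split())


def score_orders(orders):
    """Flag each order with the signals listed above and decide whether to review it.

    Returns {order_id: {"flags": [...], "score": int, "review": bool}}.
    """
    orders_per_card = Counter(o["card_fp"] for o in orders)
    cards_per_customer = defaultdict(set)
    for o in orders:
        cards_per_customer[o["email"]].add(o["card_fp"])

    results = {}
    for o in orders:
        flags = []
        if o["ip_country"] not in HOME_COUNTRIES:
            flags.append("foreign_ip")
        if orders_per_card[o["card_fp"]] > MAX_ORDERS_PER_CARD:
            flags.append("card_reuse")
        if len(cards_per_customer[o["email"]]) > MAX_CARDS_PER_CUSTOMER:
            flags.append("many_cards")
        if _norm(o["billing_name"]) != _norm(o["card_name"]):
            flags.append("name_mismatch")
        if o["shipping_zip"] != o["billing_zip"]:
            flags.append("ship_bill_mismatch")
        # AVS codes as most processors return them: Y = street and zip match,
        # Z = zip only, N = no match. Check your own gateway's code table.
        if o["avs"] == "N":
            flags.append("avs_fail")
        elif o["avs"] == "Z" and STRICT_AVS:
            flags.append("avs_partial")
        score = sum(WEIGHTS[f] for f in flags)
        results[o["id"]] = {"flags": flags, "score": score,
                            "review": score >= REVIEW_THRESHOLD}
    return results


def _order(oid, email, card_fp, ip_country, billing_name, card_name,
           billing_zip, shipping_zip, avs):
    return dict(id=oid, email=email, card_fp=card_fp, ip_country=ip_country,
                billing_name=billing_name, card_name=card_name,
                billing_zip=billing_zip, shipping_zip=shipping_zip, avs=avs)


# Constructed sample batch (no real customers).
SAMPLE_ORDERS = [
    _order(1001, "ann@example.com", "card-A", "US", "Ann Lee", "Ann Lee", "94107", "94107", "Y"),
    _order(1002, "ann@example.com", "card-A", "US", "Ann Lee", "Ann Lee", "94107", "94107", "Y"),
    _order(1003, "bob@example.com", "card-B", "RO", "Bob Ray", "Carla Diaz", "10001", "30301", "Z"),
    _order(1004, "bob@example.com", "card-C", "RO", "Bob Ray", "Bob Ray", "10001", "10001", "Y"),
    _order(1005, "bob@example.com", "card-D", "RO", "Bob Ray", "Bob Ray", "10001", "10001", "N"),
    _order(1006, "dan@example.com", "card-E", "US", "Dan Fox", "Dan Fox", "60601", "60601", "Y"),
    _order(1007, "dan@example.com", "card-E", "US", "Dan Fox", "Dan Fox", "60601", "60601", "Y"),
    _order(1008, "dan@example.com", "card-E", "US", "Dan Fox", "Dan Fox", "60601", "60601", "Y"),
]

if __name__ == "__main__":
    for oid, r in score_orders(SAMPLE_ORDERS).items():
        print(oid, "REVIEW" if r["review"] else "ok", r["score"], r["flags"])
```

Note how a repeat customer using the same card twice (orders 1001 and 1002) stays under the card-reuse threshold, while one e-mail address rotating three cards from an unexpected country collects several flags at once. The point of weighting rather than blocking on any single signal is that each of these conditions also occurs in legitimate orders (gifts shipped elsewhere, travellers, shared household cards); the score just decides which orders a person looks at.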
When it comes to protecting customer data, you should only be collecting what is useful and necessary for the transaction.
For credit card data, to be compliant with PCI DSS you should not store this data on online servers. Credit card processing should be completed over a secure, encrypted connection and completed entirely within the payment processor’s system. Payment gateway integrations with major platforms will comply with this rule. You may store identifying information about your users within your own systems, but it is important to fully understand the implications of taking ownership over this data, managing it securely and handling removal requests from customers.
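The rule above is easy to state and easy to break by accident: a card number typed into an order note, or a "card_number" field copied through from a checkout form, ends up on your own servers. As an added example (not code from the original article or from any payment gateway), the following sanitizer drops the fields that must never be persisted and redacts Luhn-valid card numbers from free-text fields before an order record is written. The field names, the sample order and the gateway token are assumptions; 4111 1111 1111 1111 is the standard Visa test number.

```python
import re

# What a store must not keep after the gateway has processed the card. The card
# number, CVV and track data stay inside the processor, never on your servers.
FORBIDDEN_PAYMENT_FIELDS = {"card_number", "pan", "cvv", "cvc", "track_data"}

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a
# longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; weeds out tracking numbers and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def redact_pans(text):
    """Replace Luhn-valid card numbers in free text. Returns (new_text, count)."""
    count = 0

    def repl(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            count += 1
            return "[REDACTED-PAN]"
        return m.group()

    return _PAN_CANDIDATE.sub(repl, text), count


def sanitize_order(order):
    """Return (clean_order, problems): forbidden fields dropped, card numbers in text redacted."""
    clean, problems = {}, []
    for key, value in order.items():
        if key in FORBIDDEN_PAYMENT_FIELDS:
            problems.append(f"dropped forbidden field {key}")
            continue
        if isinstance(value, str):
            value, n = redact_pans(value)
            if n:
                problems.append(f"redacted {n} card number(s) in {key}")
        clean[key] = value
    return clean, problems


# Constructed order record. The tracking number is made up and fails the Luhn
# check, so it is left alone.
SAMPLE_ORDER = {
    "order_id": "A-1001",
    "gateway_token": "tok_constructed_123",   # reference to the card held by the processor
    "last4": "1111",
    "card_number": "4111111111111111",
    "cvv": "123",
    "notes": "Customer phoned: charge 4111 1111 1111 1111, tracking 1234567890123",
}

if __name__ == "__main__":
    clean, problems = sanitize_order(SAMPLE_ORDER)
    print(clean)
    print(problems)
```

The `problems` list is worth logging and alerting on: if card numbers keep turning up in notes fields, the fix is in the checkout or support workflow that lets staff type them in, not in the redaction step.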
All data should have some sort of encryption and only specific employees should have access, not everyone. And back up your data regularly! It’s easy to get complacent if you’ve never had any issues. But someone on your team should be responsible for backing up data, if you’re not able to set this up automatically.
For hosted platforms, like Shopify, most of the data lives on the platform and the host (e.g. Shopify) is responsible for securing it. Administrators and employees should access everything over an encrypted connection in their browser. If your site is on a self-hosted platform, like Magento, then you are responsible for controlling this infrastructure.
Further, here are some actions you can take directly on your store. These include keeping your site up to date so that bugs and vulnerabilities are patched quickly.
All assets and functionality of your store should be served via HTTPS (encryption). Browsers like Chrome give users a warning if they’re about to enter a store that is not encrypted (or partially encrypted), due to security concerns.
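The "partially encrypted" case is mixed content: the page itself is served over HTTPS but a script, stylesheet, image or form on it still points at an http:// URL. As an added example (not code from the original article), here is a scanner built on Python's standard-library HTML parser that lists such references in a page. The sample page and hostnames are constructed; run it against your own saved storefront HTML.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that load a sub-resource into the page. An http://
# value on an https page is mixed content: browsers block the "active" kinds
# (scripts, stylesheets, frames, form targets) and warn on passive ones such as images.
RESOURCE_ATTRS = {("script", "src"), ("link", "href"), ("iframe", "src"),
                  ("img", "src"), ("source", "src"), ("video", "src"),
                  ("audio", "src"), ("form", "action")}
ACTIVE_TAGS = {"script", "link", "iframe", "form"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet <link>s load a resource; canonical/alternate links do not.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for t, a in RESOURCE_ATTRS:
            if tag == t and attrs.get(a):
                # Resolve relative and protocol-relative (//host/...) URLs against
                # the page URL so only real http:// references are reported.
                url = urljoin(self.page_url, attrs[a])
                if urlsplit(url).scheme == "http":
                    self.findings.append({"tag": tag, "url": url,
                                          "active": tag in ACTIVE_TAGS})


def scan_mixed_content(page_url, html):
    """Return the http:// sub-resources referenced by an https page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("the page itself must be served over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed storefront page; the hostnames are placeholders.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/theme.css">
<link rel="canonical" href="http://shop.example.com/">
<script src="//cdn.example.com/app.js"></script>
</head><body>
<img src="http://images.example.com/hero.jpg">
<img src="/static/logo.png">
<form action="http://shop.example.com/checkout"><input name="q"></form>
<a href="http://blog.example.com/">blog</a>
</body></html>"""

if __name__ == "__main__":
    for f in scan_mixed_content("https://shop.example.com/", SAMPLE_HTML):
        print("BLOCKED" if f["active"] else "warning", f["tag"], f["url"])
```

Protocol-relative (`//cdn...`) and site-relative (`/static/...`) references inherit the page's HTTPS scheme and are not reported; plain links (`<a href>`) are navigation rather than page resources, so they are skipped too. Themes and third-party apps are the usual source of hard-coded http:// assets, which is one more reason to review installed extensions.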
Lastly, review all of your plugins on a monthly or quarterly basis. Apps and extensions are vulnerable to attack and since they’re integrated into your store that opens you up to security issues too. If you don’t use an app, remove it as soon as possible.
Security Precautions For Your Team
Not everyone on your team needs access to everything in your store. Keep track of who has access to what and review this regularly. If an employee is no longer working with you, remove their access to everything immediately.
For current team members, ask them to use a complex username and password and, ideally, 2-step authentication.
Your team should also be limiting who has access to certain data. Not everyone needs access to order information in your database. Consider who needs access to what data for their day to day duties.
When you’re working with agencies or contractors, provide them with complex usernames and passwords to prevent breaches. You should also limit their access to certain information. Do they need to be able to edit Google Analytics, or should they just be able to see the data? Things like this should be considered for anyone your team works with.
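The four paragraphs above describe one recurring procedure: compare who actually holds an account in each system against who should, then revoke, reduce or harden. As an added example (not code from the original article or from any of the platforms named), here is a review script that does that comparison over exported account lists. The roster, the contractor approvals, the systems and the role ranking are constructed assumptions; in practice the inputs would come from your HR list and each platform's user export.

```python
# Constructed roster and account exports (no real people or systems).
EMPLOYEES = {
    "ann@example.com": "active",
    "bob@example.com": "terminated",   # left last month, account never removed
}
# Contractors/agencies with the maximum role they are approved for, per system
# (e.g. the agency may view analytics data but not edit the configuration).
CONTRACTORS = {
    "agency@example.net": {"analytics": "viewer"},
}
ACCOUNTS = [
    {"system": "shop_admin", "user": "ann@example.com", "role": "owner", "mfa": True},
    {"system": "shop_admin", "user": "bob@example.com", "role": "staff", "mfa": False},
    {"system": "analytics", "user": "agency@example.net", "role": "editor", "mfa": True},
    {"system": "shop_admin", "user": "old-intern@example.com", "role": "staff", "mfa": False},
    {"system": "analytics", "user": "ann@example.com", "role": "viewer", "mfa": False},
]
ROLE_RANK = {"viewer": 0, "staff": 1, "editor": 2, "owner": 3}


def _finding(acct, action, reason):
    return {"system": acct["system"], "user": acct["user"],
            "action": action, "reason": reason}


def review_access(employees, contractors, accounts):
    """Compare account exports against the roster; return the actions to take."""
    findings = []
    for acct in accounts:
        user, system, role = acct["user"], acct["system"], acct["role"]
        if user in employees:
            if employees[user] != "active":
                findings.append(_finding(acct, "revoke", "employee no longer active"))
                continue
        elif user in contractors:
            allowed = contractors[user].get(system)
            if allowed is None:
                findings.append(_finding(acct, "revoke", "contractor not approved for this system"))
                continue
            if ROLE_RANK[role] > ROLE_RANK[allowed]:
                findings.append(_finding(acct, "reduce", f"role {role} exceeds approved {allowed}"))
        else:
            # Nobody on the roster owns this login: an orphaned or shared account.
            findings.append(_finding(acct, "revoke", "account not tied to any known person"))
            continue
        # Accounts that stay must use 2-step authentication.
        if not acct["mfa"]:
            findings.append(_finding(acct, "enable_mfa", "2-step authentication not enabled"))
    return findings


if __name__ == "__main__":
    for f in review_access(EMPLOYEES, CONTRACTORS, ACCOUNTS):
        print(f"{f['action']:<10} {f['system']:<10} {f['user']:<25} {f['reason']}")
```

Running this on a schedule (and whenever someone leaves) turns the "review this regularly" advice into a concrete list of actions; the orphaned `old-intern` account is the kind of thing that only shows up when the export is checked against a roster rather than eyeballed.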
Lastly, on a random basis you should be testing your team on their security habits. Some organizations go as far as sending fake phishing emails to help see who is likely to fall for something like that and may need some coaching on what to look for or what to do in that type of situation. You don’t want to wait until there’s a real phishing email to see who is susceptible.
Precautions for Customers
Customers luckily don’t need to worry as much about security as your team does. But it’s still important that you help them protect themselves.
This includes requiring that they use strong credentials when creating accounts on the store.
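As an added example (not code from the original article or from any store platform), here is the kind of check that enforces "strong credentials" at sign-up, for customers here and equally for the team accounts discussed earlier. It checks length, a deny-list of common passwords, and whether the password is built from the account name. The minimum length and the tiny deny-list are assumptions; a real deployment would check against a full breached-password list or a k-anonymity lookup service instead.

```python
MIN_LENGTH = 12

# Constructed stand-in for a breached/common password list (assumption); in
# production check against a full list or a k-anonymity lookup service.
COMMON_PASSWORDS = {"password", "123456", "qwerty123", "letmein", "welcome1", "shopify123"}


def check_password(password, username="", email=""):
    """Return the policy failures for a proposed password; an empty list means accept."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in common/breached password list")
    # Reject passwords built from the username or the local part of the e-mail.
    local_part = email.split("@")[0].lower() if email else ""
    for ident in (username.lower(), local_part):
        if len(ident) >= 3 and ident in lowered:
            problems.append("contains the account name")
            break
    # Long strings of one or two repeated characters satisfy the length rule
    # without adding any real strength.
    if len(set(password)) < 5:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    # Constructed sign-up attempts.
    for pw, user in [("correct horse battery staple", "ann"),
                     ("Passw0rd!", "ann"),
                     ("annlee-rocks-2024", "annlee"),
                     ("aaaaaaaaaaaaaa", "ann")]:
        print(repr(pw), check_password(pw, username=user) or "ok")
```

Length and a deny-list do most of the work; requiring particular character classes tends to produce predictable substitutions rather than stronger passwords, so the check deliberately does not do that.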
If you happen to sell products that are often knocked off, make sure customers know to purchase from authorized retailers to ensure they’re always getting a legitimate item.
Security is important for any business with an online presence. It’s something that can seem daunting but it’s important that you don’t put it off.
So today, we challenge you to take your first step: get your employees to update their credentials.