Editor’s note: This post was originally published on 5/20/2015 and updated on 8/6/2018.
Hackers want in. So as a web designer or developer with an eCommerce website, it’s your job to stop hackers in their tracks. You must consider eCommerce website security a top priority to protect customers’ personally identifiable information. An identity thief is on the hunt for credit card numbers, Social Security numbers, and other data considered confidential.
Stop hackers from getting to the goods
So how do you keep customers safe? Start with these 10 ways to protect against hackers and insider misuse:
Don’t collect or save customer data you don’t need
Update your eCommerce solution’s SSL/TLS
Regularly test your eCommerce site for vulnerabilities
Eliminate risky software that jeopardizes eCommerce website security
Protect the perimeter, wherever it is
Correctly configure perimeter defenses
Encrypt all communications that might interest hackers
Trust, but verify
Choose a hosting provider carefully
Wash, rinse, repeat
Let’s go through those in detail.
1. Don’t collect or save customer data you don’t need
Hackers and identity thieves cannot steal what you don’t have. Therefore, do not collect or save any private customer data through your eCommerce solution that is not essential to your business.
When it comes to processing credit cards, use a hosted payment page or a tokenizing payment gateway so the card number travels straight from the customer's browser to the processor and your own servers never see it; you store only the token the processor returns and, if receipts need it, the last four digits. This can be slightly less convenient at checkout, but it keeps card numbers out of your systems and greatly reduces your PCI DSS scope. Any private data you do retain should be encrypted at rest, reachable only by the accounts and systems that genuinely need it, and kept off servers the public Internet can reach directly.
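The data-minimization rule above, as an added Python example (this is not code from the original post; the field names, the token format and the sample order record are constructed for illustration): anything that looks like a full card number or a CVV is stripped from an order record before it is stored, leaving only the gateway token and the last four digits. The Luhn check keeps ordinary 13- to 19-digit values such as order or tracking numbers from being redacted by mistake.

```python
"""Added example, not from the original post: keep card data out of storage.

Assumptions (constructed for this example): orders arrive as dicts, the
gateway hands back a "payment_token", and free-text fields such as order
notes may contain whatever staff or customers typed into them.
"""
import re

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# "cvv 123", "CVC2: 4321" and similar in free text.
CVV_PATTERN = re.compile(r"\b(cvv2?|cvc2?|cid)\b\s*[:=]?\s*\d{3,4}\b", re.IGNORECASE)
# Form or feed fields that must never be persisted, whatever they contain.
FORBIDDEN_FIELDS = {"card_number", "pan", "cvv", "cvc", "cvv2", "card_verification_value"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real card number passes, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digit strings in text that look like card numbers (13-19 digits, Luhn-valid)."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def redact_card_data(text: str) -> str:
    """Replace PANs and CVVs in free text; the last four digits are kept for support staff."""
    def replace_pan(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return f"[PAN redacted, last4={digits[-4:]}]"
        return m.group(0)          # not a card number (an order or tracking id, say): leave it
    text = PAN_CANDIDATE.sub(replace_pan, text)
    return CVV_PATTERN.sub(lambda m: f"{m.group(1)} [redacted]", text)


def minimize_order(record: dict) -> dict:
    """Return the copy of an order that is safe to write to the database or a log."""
    safe = {}
    for key, value in record.items():
        if key.lower() in FORBIDDEN_FIELDS:
            continue                # dropped entirely; the token is all the gateway needs
        safe[key] = redact_card_data(value) if isinstance(value, str) else value
    return safe


# Constructed sample: a record as it might arrive from a checkout form plus a support note.
SAMPLE_ORDER = {
    "order_id": "A-1029",
    "email": "buyer@example.com",
    "payment_token": "tok_8f3a91",          # opaque reference from the gateway: safe to store
    "card_last4": "1111",
    "card_number": "4111111111111111",      # test card number; must not reach storage
    "cvv": "123",
    "notes": "Customer phoned: card is 4111 1111 1111 1111, cvv 123, please re-run",
}

if __name__ == "__main__":
    print(minimize_order(SAMPLE_ORDER))
```

Run `minimize_order` on every record before it touches a database, a queue or a log file, and run `find_pans` periodically over existing tables and logs: finding a full card number anywhere on your side is a sign the tokenized checkout is being bypassed somewhere.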
2. Update your eCommerce solution’s SSL/TLS to encrypt browser communications
You must encrypt communications between the website and browsers when transmitting confidential information. That's a given. But to stop hackers from breaking that encryption, keep the protocol current: use TLS (Transport Layer Security) 1.2 or later, and disable every version of SSL (Secure Sockets Layer) along with TLS 1.0 and 1.1. Although some still call TLS "SSL," SSL is the older, broken protocol and TLS is its successor; the naming matters less than making sure no vulnerable protocol version is enabled on your server and that the library behind it (OpenSSL, for example) is kept patched.
Test your eCommerce website’s security
In 2014, researchers disclosed POODLE, a man-in-the-middle attack that lets an attacker who can downgrade a connection to SSL 3.0 recover plaintext from it. That's why it's so important to keep protocol versions current and switch the old ones off. Start by testing your website's configuration at Qualys SSL Labs, which reports which protocol versions and cipher suites your server still accepts.
For more tips on keeping current, check out Following flaws to find solutions: SSL tools that make sites more secure.
3. Regularly test your eCommerce site for vulnerabilities
The card brands, through the PCI DSS, require retailers to test their eCommerce websites against a defined set of security standards. But simply meeting those requirements is not enough. Your better bet is to test your eCommerce site regularly so you find weaknesses before hackers can do any real damage. This includes:
- Regular scanning: Check your websites regularly (including a test of all links) to ensure identity thieves and hackers have not introduced malware into advertisements, graphics, or other content provided by third parties.
- Penetration testing: Consider hiring cybersecurity consultants or ethical hackers to identify vulnerabilities in the code.
- Security apps: Look into web application scanning tools that identify a range of vulnerabilities, from Cross-site Scripting (XSS) to debug code and leftover source files that could expose confidential data.
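The regular scanning item above is about catching tampered third-party content. A complementary control for third-party scripts, as an added Python example that goes a step beyond the text (this is not code from the original post; the script body and CDN URL are constructed), is Subresource Integrity (SRI): you record the hash of the vendor script you audited, embed it in the `<script>` tag, and the browser refuses any copy whose hash differs. The same function lets a scheduled job re-fetch the script and confirm it still matches.

```python
"""Added example, not from the original post: pin third-party scripts with
Subresource Integrity (SRI). The browser refuses a script whose hash does not
match the integrity attribute, so a tampered copy served by a CDN or ad
network never runs. The script body and URL below are constructed.
"""
import base64
import hashlib

# Algorithms SRI permits, weakest to strongest; a browser uses only the strongest set present.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Integrity metadata for content: '<algo>-<base64 digest>', as used in the HTML attribute."""
    if algo not in STRENGTH:
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """The tag to embed once you have reviewed the script; crossorigin is needed for cross-origin files."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def integrity_matches(content: bytes, integrity: str) -> bool:
    """Re-check a freshly fetched copy against stored metadata, following the browser's rule:
    keep only the strongest algorithm listed and accept if any of its hashes matches.
    A browser treats metadata with no usable hash as "no check"; this deployment check is
    stricter and reports a mismatch instead."""
    tokens = [t.split("?")[0] for t in integrity.split()]          # drop any ?options suffix
    usable = [t for t in tokens if t.partition("-")[0] in STRENGTH]
    if not usable:
        return False
    strongest = max(STRENGTH[t.partition("-")[0]] for t in usable)
    return any(sri_hash(content, t.partition("-")[0]) == t
               for t in usable if STRENGTH[t.partition("-")[0]] == strongest)


# Constructed stand-in for a vendor script you audited and want to pin.
AUDITED_SCRIPT = b"window.trackOrder = function (id) { return fetch('/t?o=' + id); };\n"
SCRIPT_URL = "https://cdn.example.com/track.js"   # assumed URL

if __name__ == "__main__":
    print(script_tag(SCRIPT_URL, AUDITED_SCRIPT))
    tampered = AUDITED_SCRIPT + b"document.forms[0].onsubmit = function () { /* skim */ };\n"
    print("audited copy ok:", integrity_matches(AUDITED_SCRIPT, sri_hash(AUDITED_SCRIPT)))
    print("tampered copy ok:", integrity_matches(tampered, sri_hash(AUDITED_SCRIPT)))
```

SRI only works for scripts that load as a fixed file; a vendor that changes the script under the same URL will break your page until you review the new version and update the hash, which is exactly the review step you want.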
4. Eliminate risky software that jeopardizes eCommerce website security
Modern web standards such as HTML5 let you drop browser plugins altogether, which removes the vulnerabilities that came with Java applets. If you are redesigning or building a new site, opt for the plugin-free choice. While you're at it, eliminate Adobe Flash and other plugins with a long history of vulnerabilities wherever possible. If you must keep Java or Flash for legacy applications, patch them promptly so you are always running the most secure version.
5. Protect the perimeter, wherever it is
Today's network perimeter is ever-changing. As the Target breach showed, sometimes the edge of your network sits inside a business partner's network: the attackers got in with credentials stolen from a heating and air-conditioning vendor. Retail sites are often reachable not only from the public Internet but also through connections from other companies. So what's a web developer to do? Make sure every partner connection is segmented from the rest of your network and can be cut off on its own.
For example, keep the network a business partner can reach separate from the one that holds confidential customer data. Corporate data should sit behind layered defenses, with each layer applying stricter identity, credential, and access management (ICAM) controls. If you don't want your network to be hacked, these rules apply to your eCommerce site as well. Robyn Lorusso laid out the top 10 rules a decade ago, and they're just as apt today as they were then.
6. Correctly configure perimeter defenses
Buying a firewall is easy; configuring it correctly requires time and effort. If your eCommerce site is managed by a hosting provider, your IT staff most likely will not have direct access to the network security infrastructure. That means you will probably have to rely on contract language to address network security, and work directly with your provider to ensure regular monitoring and testing of your eCommerce site. Must-have security services for your site, whether you have a hosting provider or host your site yourself, include:
- Data loss prevention.
- Data loss detection.
- Advanced persistent threat detection.
- Intrusion prevention services.
- DDoS protection.
- Reputation defenses.
- Antivirus/antimalware and a fraud management service.
7. Encrypt all communications that might interest hackers
Encrypt your communications with business partners, especially with your credit card processor, and consider encrypted email as well: you should never send potentially private data in plain text over the Internet. Why take the chance that someone is reading it? For more on this, particularly for those running Microsoft Exchange Server 2007 or later, read Use TLS with SMTP to Secure Your Email by Paul Robichaux on Windows IT Pro.
8. Trust, but verify
We would all like to trust our customers, right? But these days, you still have to verify. Therefore, enable the Address Verification Service (AVS) and require customers to enter the card verification value (CVV) for all credit card transactions. Use the CVV only to authorize the transaction and never store it afterward. Learn more about AVS and how to change security settings or get the full scoop on CVV numbers.
9. Choose a hosting provider carefully
Your hosting provider should be just as invested in your success as you are. Many of the top providers, such as GoDaddy, offer an array of tools and applications to make creating and running an eCommerce site easy and secure. Your safest bet is the hosting provider that:
- Encrypts stored data, backups included, with a current cipher such as AES (128-bit keys at a minimum; 256-bit is better).
- Performs regular backups.
- Keeps comprehensive logs.
- Performs regular network monitoring.
- Provides you with written policies and procedures in case of a breach.
- Provides a single point of contact for security emergencies.
At the very least, providers should be able to explain to you their own emergency procedures in cases of a natural disaster or breach. Otherwise, you shouldn’t feel confident they can assist you should the real deal go down.
Editor’s note: GoDaddy’s Business Web Hosting is optimized for eCommerce sites.
10. Wash, rinse, repeat
Diligence is what keeps hackers and identity thieves out. It comes down to three key actions:
- Constant testing of your eCommerce site.
- Immediate attention to problems, fixing them as they occur.
- Monitoring your site to ensure the problems have been eliminated.
Log files offer excellent insight into your site's security but are useless if you don't take the time to find the anomalies in them. Security is an ongoing process, not a one-time fix to pass an inspection. If your site accepts credit or debit cards, the PCI DSS requires an annual assessment (a self-assessment questionnaire or an on-site assessment by a qualified assessor, depending on your transaction volume) plus quarterly external vulnerability scans by an approved scanning vendor. On top of these, run your own tests at least quarterly, and review your logs continuously for signs of intrusion and data loss.
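Finding the anomalies in a log, as an added Python example (this is not code from the original post; the log lines are constructed in the Apache/nginx combined format and the thresholds are assumptions to tune for your own traffic): each request is URL-decoded and matched against a few known attack patterns, and any client that produces a burst of error responses, which is what a vulnerability scanner or forced-browsing tool looks like, is flagged as well.

```python
"""Added example, not from the original post: find the anomalies in a web
server log instead of just storing it. The log lines are constructed in
Apache/nginx combined format; the thresholds are assumptions to tune.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Checked against the URL-decoded request, since attackers percent-encode payloads.
ATTACK_PATTERNS = {
    "sqli": re.compile(r"union\s+select|'\s*or\s+1\s*=\s*1|sleep\(\d+\)", re.IGNORECASE),
    "xss": re.compile(r"<script|javascript:", re.IGNORECASE),
    "traversal": re.compile(r"\.\./|/etc/passwd", re.IGNORECASE),
    "recon": re.compile(r"^/(\.env|\.git/|phpmyadmin|wp-login\.php|backup\.zip)", re.IGNORECASE),
}


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None for a line that does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["decoded"] = unquote_plus(e["path"])
    return e


def analyze(log_text: str, error_threshold: int = 5, window_seconds: int = 60) -> list:
    """Return (kind, ip, detail) findings: known attack patterns per request, plus any
    client producing error_threshold or more 4xx/5xx responses inside window_seconds."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    for e in events:
        for kind, pattern in ATTACK_PATTERNS.items():
            if pattern.search(e["decoded"]):
                findings.append((kind, e["ip"], e["decoded"]))
    errors = defaultdict(list)
    for e in events:
        if e["status"] >= 400:
            errors[e["ip"]].append(e["ts"])
    for ip, times in errors.items():
        times.sort()
        start = 0
        for end in range(len(times)):                      # sliding window over timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= error_threshold:
                findings.append(("error_burst", ip,
                                 f"{end - start + 1} error responses within {window_seconds}s"))
                break
    return findings


# Constructed sample: a normal shopper, a scanner probing for leftovers, and an injection attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Aug/2018:10:01:02 +0000] "GET /products/42 HTTP/1.1" 200 5123
203.0.113.7 - - [06/Aug/2018:10:01:09 +0000] "POST /cart/add HTTP/1.1" 200 318
198.51.100.23 - - [06/Aug/2018:10:02:11 +0000] "GET /.env HTTP/1.1" 404 162
198.51.100.23 - - [06/Aug/2018:10:02:11 +0000] "GET /.git/config HTTP/1.1" 404 162
198.51.100.23 - - [06/Aug/2018:10:02:12 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162
198.51.100.23 - - [06/Aug/2018:10:02:12 +0000] "GET /wp-login.php HTTP/1.1" 404 162
198.51.100.23 - - [06/Aug/2018:10:02:13 +0000] "GET /admin/ HTTP/1.1" 403 162
198.51.100.23 - - [06/Aug/2018:10:02:13 +0000] "GET /backup.zip HTTP/1.1" 404 162
192.0.2.55 - - [06/Aug/2018:10:03:40 +0000] "GET /products/42?id=42%27%20OR%201%3D1-- HTTP/1.1" 500 0
192.0.2.55 - - [06/Aug/2018:10:03:41 +0000] "GET /products/42?id=42%20UNION%20SELECT%20card_number%20FROM%20orders HTTP/1.1" 500 0
203.0.113.7 - - [06/Aug/2018:10:04:00 +0000] "POST /checkout HTTP/1.1" 302 0
"""

if __name__ == "__main__":
    for kind, ip, detail in analyze(SAMPLE_LOG):
        print(f"{kind:12} {ip:15} {detail}")
```

On the sample, the shopper at 203.0.113.7 produces no findings, the scanner at 198.51.100.23 is flagged for five recon paths and an error burst, and 192.0.2.55 is flagged twice for SQL injection attempts. A 500 response to an injection attempt deserves the same attention as the attempt itself: it means the input reached something that did not handle it.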
Your customers are relying on you to stop hackers from stealing their data
Your customers should feel confident in your dedication to eCommerce website security. They count on you to take their privacy seriously. Otherwise, it could cost you their business, or worse, if hackers have their way. Just ask the major retailers with recent high-profile breaches on how the public responded to their data security disasters.
Learn about the four types of SSL certificates available.