The holiday shopping spree is swiftly approaching, and customers will soon browse your site to find the perfect gifts for their friends and loved ones. Unfortunately, it also is the season where eCommerce sites find themselves the targets of opportunists looking to steal customer information.
With data breaches at major retailers making the news, focusing on data security isn’t just a smart business move, it’s good PR. Whether you use hosted eCommerce solution or you’ve developed one on your own, here are five key points to remember about consumer data security.
Use A Trusted SSL Certificate
If you’re processing payments through your site, you’re using some form of SSL, or data encryption, to protect that information. Unfortunately, not all certificates are created equal. Google’s recent announcement that they would give a slight ratings boost to sites that use SSL meant that new, untested companies entered the market to attempt and cash in on the increased demand.
For your payment system, it’s best to stick with a trusted SSL supplier, one that has experience in the market as well as clearly defined accountability. While it’s easy to assume that a higher price certificate will be more secure, a better indicator will be how much the company is willing to stand behind their product. If a provider is not willing to accept liability for damages, consider finding an alternative.
Control Administrative Access
One of the easiest ways to make you site more secure is to control administrative access. Everyone who accesses the site should have a unique login, and what they are capable of doing on the site should be carefully controlled and monitored.
For smaller companies, it’s tempting to create a general user administrative account and share it with everyone working on the site, but each employee who knows the password is another potential avenue for the criminal to exploit.
One common tactic is to infect an employee’s computer with a keylogger, a program that records what someone types into their computer, and what is showing on the screen, and use that to gain access to the sites. If every staff member has a unique login, you can revoke access just for the compromised account rather than forcing everyone to learn a new universal password.
By limiting who can access sensitive data, as well as having each user accountable for their own login, you can make it a lot harder for most criminals to gain any useful data even if they do manage to steal a user name and password.
Limit Customer Data Storage
Another simple way to make data breaches less likely is to limit the amount of customer data stored on your servers. This is the information criminals are looking for, and so if you don’t have it available, you become a much less attractive target to them.
Find out exactly what customer information is currently being captured by your website, how much of it is stored directly on your servers, and how long that information remains there. While most sites don’t require personal information, a surprising number of platforms capture this data automatically, even if the webmaster never utilizes it.
Credit card information, expiration dates, and security codes should never be stored on your server and instead should be passed directly through to whatever service you utilize to manage credit card processing. These processing sites spend a lot of money protecting that data and often assume full responsibility for any breaches.
If you any personal information stored on site, make sure that you’re utilizing strong encryption and that only those who absolutely need access to this information have the ability to decrypt it.
Keep It Protected
If a criminal can’t gain access to financial information by stealing an administrative password or using a non-secure exploit, they may try a “brute force” attack. These Denial Domain Of Service (DDOS) attacks attempt to overwhelm your server by submitting thousands of requests every second hoping find an error to exploit when the server crashes and starts to reboot.
Common targets of a DDOS attack include customer login screens, email subscription lists and contact us forms. Adding a Captcha is a simple way to make these forms of attacks more difficult.
There are several programs that will monitor the number of requests your site is receiving and alert you to any unusual activity. When paired with a strong firewall, this allows the server to identify and deny service to most known methods of attack.
Security isn’t something you can finish and walk away from. Software isn’t static and criminals will always find new exploits and increasingly sophisticated tools to leverage against your site.
If you’re using a hosting solution to manage your site, find out how quickly they apply security patches and other updates when they become available as well as how often they perform an audit of their security measures.
If you’re hosting your own service, these updates and patches should be a priority, and you should also consult with a digital security firm to audit your site’s defenses on a regular basis.
Finally, make sure that you have a plan in place in the event that your site is targeted, along with secure backups your webmasters can use to restore compromised code. When someone uses your store, they entrust their personal data to you. Making their security a priority will help create goodwill with your shoppers as well as help strengthen your site against anyone who wants to profit off of it illicitly.