For ecommerce retailers, website security is the cornerstone of a successful online business. Why? It's simple: people only want to give their money and their business to companies and organizations that they can trust.
If a retailer has an insecure website, then, all other marketing and inbound efforts simply won't bring results. Here, we run through some basic security practices that all ecommerce retailers should employ to make sure that their website is a secure, successful online destination.
The PCI Security Standards Council is a global group — whose founding members include American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. — formed to develop, enhance and maintain security standards for payment account security.
Together, the members of this group came up with a set of security requirements, known as the Payment Card Industry Data Security Standard (PCI DSS) that all merchants or organizations that process, store, or transmit credit card information must adhere to. There is good reason for this: these guidelines ensure that all stored credit card data is protected and that sensitive information is secure throughout the transaction process.
Many companies meet these guidelines through the use of tokenization:
Tokenization is when sensitive information —such as digits in a credit card number —is replaced by non-sensitive information, or tokens, so that it cannot be read. This is an effective means of encrypting data because it’s extremely secure: the tokenized information can only be detokenized to redeem the sensitive data under strict security controls and the storage of tokens and payment card data must comply with PCI standards, including the use of strong cryptography.
There are varying levels of PCI compliance that is based upon the amount you are transacting. Many ecommerce platforms handle compliance for their merchants. Staying PCI Compliant and ensuring that all stored credit card data is fully tokenized in this way greatly reduces the risk of this sensitive information being stolen and used. Keeping this data secure is extremely important for all online retailers: if cardholder data is stolen, their credit can be negatively affected and they could lose credibility, money, and even their business.
The SSL Certificate — also mandatory per PCI — also works to ensure that the sensitive information that is sent over the internet is encrypted and secure. When retailers or site visitors send information or data over the internet, it gets passed through multiple computers before reaching its destination server. At any point during this chain, it could get stolen if it is not encrypted with an SSL Certificate.
How does the certificate work? It essentially makes all sensitive information —which includes passwords, credit card information, and usernames — unreadable for everyone except the destination server, thereby protecting all communication from eavesdropping and theft.
It is particularly valuable for ecommerce retailers not just for security reasons, but also to build trust with site visitors and prospective customers: attaining an SSL certificate essentially verifies an entity’s credentials, certifying that they are who they say they are and that their site is safe to visit. Depending on which platform you use, some CMS have free SSL certificates included.
Make sure to watch for changes in requirements - such as the recent change from SHA1 encryption to SHA2 encryption - to make sure your company stays compliant.
Hypertext Transfer Protocol with Secure Sockets Layer, or HTTPS, is a protocol to transfer data over the web that should be used instead of HTTP on all pages where data is created. Once again, the issue here is all about encryption. With HTTP, information is not encrypted — instead, it is sent as plain text, which means that anyone can intercept it and read what has been sent.
Further, many customers know about this insecurity and tend to avoid ecommerce websites that use HTTP. This means that keeping HTTP could hurt a retailer's security and their business over time.
It’s important to note, though, that HTTPS isn’t necessary on every page of a website. Why? If retailers try to include it everywhere, it will slow their page load speed and likely hurt their business. Instead, HTTPS should just be used on pages that collect and store data so that site visitors customers can feel secure sending their information. That means skip the homepage, about us page, etc.
DoS and DDOS protection
DoS and DDOS protection work to guard against denial of service and distributed denial of service attacks.
Denial of Service and Distributed denial of service: During both denial-of-service (DoS) and distributed denial of service (DDoS) attacks, attackers attempt to block legitimate users from accessing information or services by flooding a network with requests, thereby overwhelming the bandwidth of the targeted system and preventing legitimate requests from coming through.
While both attacks work in the same way, the key difference is that a DoS attacker usually uses a single computer and internet connection, while a DDoS attacker uses multiple connected devices, making the flood of information that much larger harder to deflect.
There are many ways to protect from DoS and DDoS attacks. The easiest and most expensive way is to buy more bandwidth. Think about it: during these attacks, they’re trying to flood your space, so if you have a ton of space it will be more difficult for attackers to overwhelm you. However, this is a largely impractical solution -especially for DDoS attacks - since in today’s day and age the attacks are just too large to overcome.
However, there are more inexpensive and effective other ways to mitigate attacks. Setting up effective, well-configured firewalls, for example, can prevent this attack traffic from reaching your computer.
Use a Firewall
As the name suggests, a firewall is a hardware or software system that essentially works as a wall or gateway between two or more networks, permitting authorized traffic and blocking unauthorized or potentially malicious traffic from accessing a network or system. Like an actual wall.
It essentially protects what is inside a network from the outside — a.k.a from other networks or from threats on the internet like backdoor and DDoS attacks. Since ecommerce websites have a lot of inbound traffic, they need firewalls to protect themselves against malicious entry.
There are many different kinds of firewalls, but two very effective firewalls for online retailers are application gateways and proxy firewalls. Both function as intermediary programs between two or more networks, meaning that incoming traffic has no direct connection or access to a retailer's network.
With an application gateway in place, there are two lines of communication: one between your computer and the proxy, then one between the proxy and the destination computer or network. It’s essentially a checkpoint that all network information has to stop at. By serving as this middle point, the application gateways help hide and protect your network from others’, only letting in traffic -or packets -that have been authorized.
Proxy firewalls are among the most secure. Why? Like the application gateway, the proxy serves as an intermediary connection. However, they take it one step further -instead of your network connection going all the way through, a new network connection is started at the proxy firewall. This means that there is no direct connection between systems at all, which makes it even harder for attackers to discover your network and get in.
It is important to note that, for a firewall to be effective, it has to be properly configured. What does this mean? Well, firewalls don’t automatically know which traffic is malicious — they need to be programmed with this information. Make sure, then, that whoever sets up the firewall is properly configuring it so that all of the right information gets through.
By staying on top of all these security measures, online retailers can effectively build their customers' trust and their own company's reputability, taking the first steps to ensuring that they have a successful, long-lasting online presence.
Web Application Firewalls
A web application firewall (WAF) watches your HTTPS traffic to your website to prevent harmful traffic. Unlike the other two, WAFs specifically monitor your site for DDoS attacks, SQL injection, malware, and other malicious attacks. WAFs are typically useful for websites containing a ton of content like blogs and landing pages. If you already use HubSpot's Free CMS, WAFs are already built into the platform.
Originally published Apr 19, 2016 1:00:00 PM, updated June 23 2022