Where there is money to be made, criminals are soon to follow. The online retail market is a prime target for cybercrime, especially during the holiday season. Securing customer data and protecting your website from malicious attacks should be at the forefront of your holiday readiness strategy. Yet year after year, we hear about sites getting hacked or sensitive data being stolen from ecommerce sites.
What should you be thinking about now to protect your data — and your customers — from hackers this holiday season?
Use a secure connection for online checkout. Secure Sockets Layer (SSL) certificates authenticate the identity of your business and encrypt data in transit. This protects credit card and other important data while it’s moving across the network, for example from your ecommerce application to a third-party payment gateway. An EV or Extended Validation SSL certificate provides a green bar in the browser, giving customers a visual indication that your site is secure and trustworthy. A logo from a reputable SSL provider on the checkout page will give customers peace of mind that the proper steps have been taken to handle sensitive data as it makes its way over the wires.
Set up system alerts for suspicious activity. Configure alerts for patterns such as multiple transactions from the same IP address, or multiple orders placed by the same person using different credit cards or phone numbers. Always check that the order recipient’s name matches the name on the credit or debit card, so that mismatched transactions are flagged for review.
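The two alert rules described above, worked through as an added example (not code from the original post): a sliding-window count of orders per IP address and a count of distinct cards and phone numbers per customer, run over a constructed set of checkout records. Thresholds and field names are assumptions; cards are identified by an assumed gateway token rather than a stored card number.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample checkout records (not real data). Cards are identified only
# by an assumed gateway token, so no full card number is held in this log.
ORDERS = [
    {"ts": "2023-11-24T09:00:00", "ip": "203.0.113.5",  "customer": "alice", "card": "tok_1111", "phone": "555-0100"},
    {"ts": "2023-11-24T12:00:00", "ip": "198.51.100.7", "customer": "carol", "card": "tok_2222", "phone": "555-0101"},
    {"ts": "2023-11-24T12:02:00", "ip": "198.51.100.7", "customer": "dave",  "card": "tok_3333", "phone": "555-0102"},
    {"ts": "2023-11-24T12:04:00", "ip": "198.51.100.7", "customer": "erin",  "card": "tok_4444", "phone": "555-0103"},
    {"ts": "2023-11-24T12:05:00", "ip": "198.51.100.7", "customer": "frank", "card": "tok_5555", "phone": "555-0104"},
    {"ts": "2023-11-24T13:00:00", "ip": "192.0.2.10",   "customer": "bob",   "card": "tok_6666", "phone": "555-0105"},
    {"ts": "2023-11-24T15:30:00", "ip": "192.0.2.11",   "customer": "bob",   "card": "tok_7777", "phone": "555-0105"},
    {"ts": "2023-11-24T18:45:00", "ip": "192.0.2.12",   "customer": "bob",   "card": "tok_8888", "phone": "555-0106"},
    {"ts": "2023-11-24T20:00:00", "ip": "203.0.113.9",  "customer": "grace", "card": "tok_9999", "phone": "555-0107"},
    {"ts": "2023-11-24T20:10:00", "ip": "203.0.113.9",  "customer": "grace", "card": "tok_0000", "phone": "555-0107"},
]

def ip_velocity_alerts(orders, max_orders=3, window=timedelta(minutes=10)):
    """IPs that placed more than max_orders orders inside any span of length window."""
    by_ip = defaultdict(list)
    for o in orders:
        by_ip[o["ip"]].append(datetime.fromisoformat(o["ts"]))
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop orders that fell out of the window
                start += 1
            if end - start + 1 > max_orders:   # window now holds too many orders
                flagged.add(ip)
                break
    return flagged

def multi_card_alerts(orders, max_distinct=2):
    """Customers who paid with more than max_distinct cards or phone numbers."""
    cards, phones = defaultdict(set), defaultdict(set)
    for o in orders:
        cards[o["customer"]].add(o["card"])
        phones[o["customer"]].add(o["phone"])
    return {c for c in cards if len(cards[c]) > max_distinct or len(phones[c]) > max_distinct}

def build_alerts(orders):
    """Alert lines for the manual review queue, one per flagged IP or customer."""
    lines = [f"ALERT ip-velocity: {ip}" for ip in sorted(ip_velocity_alerts(orders))]
    lines += [f"ALERT multi-card: {c}" for c in sorted(multi_card_alerts(orders))]
    return lines
```

On the sample data the burst of four orders from 198.51.100.7 and bob’s three different cards are flagged, while grace’s two cards sit exactly at the threshold and are not.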
Don’t store sensitive data. Allowing customers to save credit card data in their account can make checkout faster, easier, and more convenient. However, companies should never store all pieces of data required to complete the transaction, such as the expiration date or card verification value (CVV). In fact, storing all of this data is strictly forbidden per Payment Card Industry (PCI) standards. Companies should purge old data and retain just enough data for charge-backs and refunds.
Layer your security. Security starts at your ecommerce application. When selecting an ecommerce platform, make sure the administration panel is inaccessible to attackers and stay on top of new versions with security enhancements. When a new patch becomes available, install it immediately, as in the same day. This includes the web server itself as well as third-party code like Java, Python, Perl, WordPress and Joomla – these platforms are targets for hackers. A firewall, or multiple firewalls, is an essential part of stopping attackers by preventing them from entering the network where they could access sensitive information.
Monitor your site regularly — and make sure whoever is hosting it is, too. Having a real-time analytics tool on your site is the cyber equivalent of installing security cameras in a brick-and-mortar store. These tools allow you to observe how visitors are interacting with the site in real time, allowing you to detect fraudulent behavior. Whether you’re hosting your ecommerce site in your own data center, or have partnered with a hosting provider, routinely monitor your servers for malware, viruses and other harmful software. At a minimum, scans should be done daily. During high traffic periods, consider increasing the frequency.
Perform regular PCI scans. PCI compliance is not a one-time thing. Staying compliant means performing regular checks to ensure your site is not vulnerable to hacking attempts. Your hosting partner or service provider should be PCI compliant as well. Ask them to show you their certification.
Make sure you have a DDoS protection and mitigation service. Distributed Denial of Service (DDoS) attacks are increasing in frequency and sophistication. Ecommerce sites should turn to DDoS protection and managed DNS services that have the capacity to handle proactive mitigation. Doing so can eliminate the need for significant investments in equipment, infrastructure and expertise.
Make sure you or whoever is hosting your site is backing it up — and has a disaster recovery plan. You can’t recover data you haven’t kept, but the good news is the cost of data storage has decreased dramatically in recent years. Data from multiple servers can be combined on a single storage device and you could benefit from backup/recovery solutions that are bundled into storage appliances. Data that is backed up needs to be secured with the same vigilance as your primary storage devices. Finally, ensure you or your hosting provider has a disaster recovery plan. A fully redundant, highly available architecture is more expensive, but it will ensure that your site remains online even in the event of an emergency.
Educate and train employees. With proper education on laws and policies related to customer security, you can prevent a possible cyber attack. Employees need to know they should never distribute sensitive data or reveal private customer information in chats or other insecure communication methods. Employees should be educated on phishing attempts and other means of fraudulently collecting data that would allow cyber criminals to access your systems.
Regularly test your ecommerce site for vulnerabilities. Consider hiring cybersecurity consultants or ethical hackers to identify vulnerabilities in the code. Penetration testing can reveal weaknesses in your application, code or architecture and allow you to address them before they are exploited.
Your customers should feel confident in your dedication to online security. They count on you to take their privacy seriously. Otherwise, it could cost you their business, or worse, if hackers have their way. Just ask the major retailers with recent high-profile breaches on how the public responded to their data security disasters.
Dive deeper into how Rackspace is tackling leading security issues in The Evolving IT Security Threat — A Primer.
Download our whitepaper PCI Compliance in Rackspace Managed Cloud to help ensure you have a compliance program in place before a threat impacts your website.