E-commerce security 101
by November 9, 2023
Please note: This blog was originally published in 2019. It’s since been updated for accuracy and comprehensiveness.
Securing websites is not always an easy task, but when it comes to e-commerce, there are more aspects to consider. Your customers need to trust your company will safeguard their Personally Identifiable Information (PII). You can lose a large chunk of revenue and customers if you betray their trust by not doing your due diligence when it comes to securing your e-commerce website.
General steps to keep your site and customers safe
It’s important to have a general idea of how to keep your site safe. Whether you have an e-commerce store or not, updating your software, keeping strong passwords, and making backups of the site is a must.
It’s important to have a website security framework in place which will provide the basic necessities to build your security posture from. These steps are divided into many categories, but the main functions are to identify, protect, detect, respond, and recover.
PCI Compliance
Five of the major credit card companies have formed a set of Data Security Standards (DSS) for the Payment Card Industry (PCI) which mandates rules for e-commerce website security.
The standards were set to ensure the safety of your customer’s payment information. To keep your site PCI Compliant, you must have a website application firewall, change vendor-supplied default settings, and manage your users who handle payment card data, among other things.
The full list of requirements can be found on the PCI Security Standards Site.
SSL Encryption
Transport Layer Security (TLS) also known as Secure Sockets Layer (SSL) are names you’ll hear often regarding your e-commerce site. These are protocols for transferring data securely over a network, by allowing your website to use the HTTPS protocol.
Encrypting data is hugely important for an e-commerce site. To ensure that credit cards and personal information cannot be stolen by a Man in the Middle (MITM) attack, information is encrypted so that only the intended receiver can interpret the information (with use of public keys) and the certificate authentication provided by the SSL Certificate Authority (CA).
Intrusion Prevention System
If you’ve read through the recommendations in the articles I linked to above, you can see that a website application firewall is not only one of the first standards for PCI compliance, but also a very important part of maintaining general security standards for all sites.
A firewall will prevent intrusions by acting as a filter for incoming traffic to your site. Without a filter, your site is open to all sorts of requests from any IP that comes its way. With a firewall installed, you’ll have the power to block suspicious traffic and malicious activity before it can destroy your brand reputation.
There are multiple levels of firewalls for the layers of traffic on the site. Your host most likely has a firewall for connection to the server, but many hosting plans do not come with a firewall that will protect your site from traffic on Ports 80 and 443 for HTTP and HTTPS traffic, respectively. Be sure that you are leveraging both types of firewalls for optimum protection.
Monitor your site often
Security is not a static state. The threat landscape is ever-changing, meaning we all need to be on top of our game when it comes to checking logs and activities. You can have a firewall and do your best to secure every part of the site, but malware is not typically 100% preventable, and without strict attention to activity logs and modified files, you can be caught unaware and leave yourself open for attack.
Check your logs daily. Have knowledge of what is normal for the site and what is suspicious. Using the Sucuri plugin offers integrity monitoring, as well as activity auditing so that you are alerted to any changes on the site before your site is affected negatively.
Many businesses today receive most of their revenue online. E-commerce sites need to protect their customers — and by extension — their revenue. Take into consideration your website security framework and what you are doing to identify, protect, detect, respond, and recover.
