15 Ways to Protect Your Ecommerce Site From Hacking and Fraud
Hackers are stealing credit card and other sensitive information from ecommerce sites. To protect (and reassure) your customers, it's imperative to know how to protect your ebusiness and your sensitive customer data. Ecommerce and security experts share 15 tips on how you can prevent fraud and keep your site safe.
Wed, June 19, 2013
CIO — It seems you cannot go a day without hearing about someone or some group hacking a website or stealing credit card and other sensitive data from ecommerce sites.
So how do you protect your ecommerce site from being hacked and sensitive customer data from being stolen? CIO.com asked dozens of ecommerce and security experts to find out. Following are their top 15 tips for protecting your ecommerce site from hacking and fraud.
1. Choose a secure ecommerce platform. "Put your ecommerce site on a platform that uses a sophisticated object-orientated programming language," says Shawn Hess, software development manager, VoIP Supply.
"We've used plenty of different open source ecommerce platforms in the past and the one we're using now is by far the most secure," Hess says. "Our administration panel is inaccessible to attackers because it's only available on our internal network and completely removed from our public facing servers. Additionally, it has a secondary authentication that authenticates users with our internal Windows network."
2. Use a secure connection for online checkout--and make sure you are PCI compliant. "Use strong SSL [Secure Sockets Layer] authentication for Web and data protection," says Rick Andrews, technical director, Trust Services, Symantec.
It can be a leap of faith for customers to trust that your ecommerce site is safe, particularly when Web-based attacks increased 30 percent last year. So it's important to use SSL certificates "to authenticate the identity of your business and encrypt the data in transit," Andrews says. "This protects your company and your customers from getting their financial or important information stolen." Even better: "Integrate the stronger EV SSL [Extended Validation Secure Sockets Layer], URL green bar and SSL security seal so customers know that your website is safe."
"SSL certificates are a must for transactions," Hess agrees. "To validate our credit cards we use a payment gateway that uses live address verification services right on our checkout," he says. "This prevents fraudulent purchases by comparing the address entered online to the address they have on file with their credit card company."
3. Don't store sensitive data. "There is no reason to store thousands of records on your customers, especially credit card numbers, expiration dates and CVV2 [card verification value] codes," says Chris Pogue, director of Digital Forensics and Incident Response at Trustwave.
"In fact, it is strictly forbidden by the PCI Standards," Pogue says. He recommends purging old records from your database and keeping a minimal amount of data, just enough for charge-backs and refunds. "The risk of a breach outweighs the convenience for your customers at checkout," he says. "If you have nothing to steal, you won't be robbed."
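One way to carry out the purge described in tip 3, as an added example that is not from the article or from Trustwave: it deletes orders past a retention window, drops CVV2 and expiry, reduces each card number to its last four digits, and redacts card numbers that ended up in free-text notes. The `orders` schema, the `gateway_ref` and `notes` columns, and the 180-day window are assumptions for illustration.

```python
import re
import sqlite3
from datetime import date, timedelta

RETENTION_DAYS = 180  # assumption: set to your processor's charge-back window
PAN_RUN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def redact_pans(text):
    """Replace Luhn-valid digit runs in free text (e.g. support notes)."""
    def sub(m):
        return "[PAN REDACTED]" if luhn_ok(re.sub(r"\D", "", m.group())) else m.group()
    return PAN_RUN.sub(sub, text)

def minimize(conn, today):
    """Purge expired orders and strip card data from the rest."""
    cutoff = (today - timedelta(days=RETENTION_DAYS)).isoformat()
    purged = conn.execute("DELETE FROM orders WHERE created_at < ?", (cutoff,)).rowcount
    # Per tip 3: drop CVV2 and expiry, keep only the last four digits of the card.
    conn.execute("UPDATE orders SET last4 = substr(pan, -4), pan = NULL WHERE pan IS NOT NULL")
    conn.execute("UPDATE orders SET cvv2 = NULL, expiry = NULL")
    for oid, notes in conn.execute("SELECT id, notes FROM orders WHERE notes IS NOT NULL").fetchall():
        conn.execute("UPDATE orders SET notes = ? WHERE id = ?", (redact_pans(notes), oid))
    conn.commit()
    return purged

def demo():
    """Build a constructed in-memory table, minimize it, return what is left."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, gateway_ref TEXT, pan TEXT,"
                 " expiry TEXT, cvv2 TEXT, last4 TEXT, notes TEXT, created_at TEXT)")
    rows = [  # constructed sample data; the card numbers are public test numbers
        (1, "gw-0001", "4111111111111111", "12/14", "123", None, "gift wrap", "2012-01-15"),
        (2, "gw-0002", "5555555555554444", "06/15", "456", None,
         "caller read card 4111 1111 1111 1111, tracking 1234567890123", "2013-05-20"),
    ]
    conn.executemany("INSERT INTO orders VALUES (?,?,?,?,?,?,?,?)", rows)
    purged = minimize(conn, date(2013, 6, 19))
    return purged, conn.execute("SELECT * FROM orders").fetchall()
```

The gateway reference and last four digits that remain are what this example assumes is enough to issue a refund or answer a charge-back through the payment gateway.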