Creating an e-commerce site is a useful marketing tool and lets your company reach its customers far more efficiently than a brick-and-mortar store. Because of the nature of the platform, there are various security measures that must be implemented to stay secure. This keeps your company safe from hackers and attacks and lets your customers feel secure using your site for their needs.
There are several steps that website admins and programmers can take to help avoid these breaches. Here’s my list of the top 5, put together after speaking with a security analyst:
Do not store sensitive data
There is no good reason to store thousands of records on your customers. Credit card numbers, expiration dates, and CVV2 codes are all unnecessary to store for long periods of time, but they are gold to hackers if they are. Purge the old records from the database, change your code, and stop storing this data. A minimal amount of data is necessary for refunds and chargebacks; however, the risk of a breach outweighs the convenience for your customers at checkout, and the storage of this data is strictly forbidden by the PCI standards. This is one of the PCI areas where there is no guessing or discussion. Section 3.2: “Do not store sensitive authentication data after authorization (even if encrypted).” Beyond compliance, it is simply a poor choice. Think of it the same way you think about not carrying large amounts of cash on your person: if you have nothing to steal, you will not be robbed.
Don’t host multiple sites with your main E-Commerce application
Running an auction site, blog, or user forum is a great way to increase traffic and sales. I don’t discourage this activity at all, because it is good marketing. Just segregate it from your main site. My source is working a string of cases right now where the initial point of breach is WordPress and its associated plugins running on the primary E-Commerce server. Additional hosting fees or the cost of launching a VM to run these secondary sites are trivial compared to the costs associated with a breach: investigation, fees and fines, legal counsel, etc. can all be crippling no matter how ready you are. Move that stuff off to a separate server and reduce your exposure by limiting the attacker’s options.
Patch your systems
This is the basic rule of good system administration, yet I constantly run into breached sites running a 3-year-old version of PHP or ColdFusion from 2007. The same rule applies to your web apps: Xcart, OSCommerce, ZenCart and any of the others all need to be regularly patched. We all understand that it takes time to update, and updates can be frequent; however, those updates are for your benefit.
Hire a penetration tester
There is a cost involved with this, but the return on investment is very high. Penetration testers run the same or similar tools that a hacker will run. They will identify the vulnerabilities in your site, and a good one will guide you in correcting the problems. You could purchase roughly 2 years of penetration tests for the cost of having a dedicated team work a breach for a week. Prevention will always be the least expensive option.
Install a Web Application Firewall
This technology has grown by leaps and bounds in the past few years, and, while there is no ultimate defense to prevent a breach, a WAF is a really good start to a comprehensive approach. The real benefit: ModSecurity is free and supports all of the major web servers (IIS, Apache, Nginx). It is not as effective as some paid products, but it is still one of the better programs out there. WAFs watch inbound HTTP requests to your site for SQL injection strings, RFI attempts, and known exploits. If it is installed properly, it will stop this traffic before it even reaches your application.
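To show what the inspection described above actually does, here is a small added example (my own code, not part of the original post and not ModSecurity’s rule language) that URL-decodes each query parameter of an inbound request line and matches it against a handful of constructed SQL injection and RFI signatures, returning an allow/block decision. The rule set and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed, deliberately small signature set in the spirit of a WAF ruleset.
# Real rulesets (e.g. the OWASP Core Rule Set used with ModSecurity) are far larger.
RULES = [
    ("sqli-union", re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+", re.I)),
    ("sqli-comment", re.compile(r"(--|#|/\*)\s*$")),
    ("rfi-remote-url", re.compile(r"^(https?|ftp|php|data):", re.I)),
]


def inspect_request(request_line):
    """Return the sorted list of rule ids triggered by one HTTP request line.

    request_line is the first line of a request, e.g. 'GET /p.php?id=1 HTTP/1.1'.
    """
    _method, target, *_rest = request_line.split()
    _path, _sep, query = target.partition("?")
    hits = set()
    for _name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again so a double-encoded
        # payload (%2527 -> %27 -> ') is matched in its final form.
        decoded = unquote_plus(value)
        for rule_id, pattern in RULES:
            if pattern.search(decoded):
                hits.add(rule_id)
    return sorted(hits)


def decide(request_line):
    """Return ('allow', []) or ('block', [rule ids]) for a request line."""
    hits = inspect_request(request_line)
    return ("block" if hits else "allow"), hits


if __name__ == "__main__":
    # Constructed sample requests: one benign, three that a WAF should stop.
    samples = [
        "GET /product.php?id=42 HTTP/1.1",
        "GET /product.php?id=42%27%20UNION%20SELECT%201,2,3-- HTTP/1.1",
        "GET /login.php?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1",
        "GET /index.php?page=http%3A%2F%2F203.0.113.5%2Fx.txt HTTP/1.1",
    ]
    for line in samples:
        print(decide(line), line)
```

The same signature that catches `UNION SELECT` would also block a blog comment discussing SQL, which is why a WAF has to be tuned against your real traffic and watched for false positives before it is switched from logging to blocking.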
Now that you have seen the challenges and solutions involved in creating an e-commerce site, let the experts assist you. Find an e-commerce expert who will help you with everything from security to site creation to finding the best way to store your customers’ information.