In some ways, an online store might seem safer to the owner than brick and mortar businesses. After all, no one can march into it (wearing a creepy mask) and demand all the cash in your register. On the web, threats aren’t so obvious — which makes them sinister on a different level. If you slack on e-commerce security, you don’t just risk losing your own money — you compromise your customers’ sensitive information as well.
If you’re new to online business and are wondering how terms like “SSL” and “Encryption” pertain to you, read on. You’ll find out the basics of e-commerce security and understand the steps you need to protect yourself and your customers on the web:
Understand Your Enemy
In order to secure your site, you should know what you’re protecting yourself against. Some common threats to e-commerce are:
- Trojan Horses/Trojans: Malicious programs that hackers use to steal information. Once installed, the Trojan gives hackers remote access to the computer and valuable data like passwords and credit card information can be stolen. Trojans can infect your web server directly, or infect your local computer and access FTP or other access details for your web server.
- DoS Attacks: DoS (Denial of Service) attacks flood web servers with fake data, using all available resources and slowing or crashing the site.
- Script Injection: These attacks include Cross Site Scripting (XSS) and SQL Injection. Hackers insert special code into web forms, which allows them to retrieve or make changes to sensitive data.
- Price Manipulation: Attackers manipulate the code on a site’s webpages to change the amount payable for shopping cart items.
- Viruses: After countless hours put into building and maintaining a website, viruses act like tornadoes and corrupt or destroy the data in the blink of an eye. Viruses are less likely to be an issue for websites hosted on Linux servers.
Put Up Your Defenses
Now that you better understand what you’re up against, here are some steps you should take to build your defenses against attack:
- Get an SSL Certificate for pages that transfer information: SSL (Secure Sockets Layer) certificates are a vital first step to securing your site. SSL works by encrypting, or “jumbling up” information being sent. The recipient computer has the only “key” to un-jumble the information and make sense of it, so no one else can access the sensitive information while it is being transmitted. Several companies offer SSL certificates for various prices, including VeriSign, GoDaddy, and DigiCert.
- Put up firewalls: Web Application Firewalls (WAFs) are programs that protect your site from malicious attacks like XSS and SQL Injection (see #3 above). Research various firewall programs and discuss with your developer/hosting company which option provides an adequate level of protection for your needs.
- Make your code secure: One of the most common ways hackers gain access to a website is by exploiting an insecurity in a web form. They can then use this insecurity to upload malicious code to your website, or access sensitive data in your database.
- Watch permissions: Ensure that hackers are not able to access your website by changing files with public write permissions. (Your web programmer can help ensure files and folders do not have public write permissions.)
- Don’t forget about the database: Even after the transaction has safely gone through, you still need to protect your customers’ information if it was stored in a database. A common way to protect this data is with encryption, which works the same way as SSL encryption by jumbling up information that can only be unlocked by a certain “key.” When developing your site, make sure your developer knows you want sensitive data in the database to be encrypted.
Keep in mind that the above tips are only a few basic security precautions. You should consult with your developer and/or web hosting company to ensure that your ecommerce website is kept secure.
Mandy Barrington is the lead web designer for RYP Marketing, a Virginia internet marketing company specializing in web design, search engine optimization, paid search marketing, conversion optimization, social media marketing and more.