How to Protect Your eCommerce Site from a Data Breach

8th Feb 2018

The news frequently reports stories about hackers gaining access to credit card data for tens of thousands, sometimes millions, of consumers. The Target data breach of a few years ago cost the company over a quarter of a billion dollars. Small to medium size enterprises, in particular, have a lot to lose if a data breach occurs in their organization.

Hackers continually refine their methods, and there are so many types of attacks and attack vectors that business owners have a difficult time determining what to do. Technology changes quickly, offering new and better ways, such as tokenization, to help you protect your business.

You need to educate yourself about the nature of the problem, the types of attacks, and the safeguards available to protect your company from someone stealing your customers' data.

Payment Card Industry Standards (PCI)

According to PCI standards, credit card numbers cannot be stored on a retailer's POS (point-of-sale) terminal or anywhere else after a transaction. To remain PCI compliant, companies must invest in expensive equipment unless they take advantage of the newer tokenization technology now available.

Denial of Service

A denial of service (DoS) or distributed denial of service (DDoS) attack occurs when a hacker floods your router with traffic from different sources until the router becomes overloaded and fails. This will slow or disable your website and discourage customers from using your site.


Injection Attack

Many systems are vulnerable to injection flaws. Crooks inject programs or untrusted data into your website and trick your system into accessing data or executing commands. This can cause not only data loss but also file corruption, denial of access to your site or data, and system crashes.

Cross-Site Scripting (XSS)

Cross-Site Scripting, also known as XSS, can have devastating consequences for your enterprise. It is one of the most common types of attacks and can significantly damage your website's reputation. Hackers target user sessions. If they succeed, they can change your site, insert content, launch malware attacks, and, of course, steal data.


Authentication

Authentication attacks are some of the most common ways criminals access your clients' data. Using brute force, cyber crooks rapidly and repeatedly attempt to log in to your server. These attacks may also target the session IDs that keep track of logged-in users. A stolen session ID can be used to impersonate someone and gain access to other accounts, such as Google or Twitter.

These attacks exploit weak passwords, exposed accounts, or other flaws. For example, there may be flaws in logout functions, password management, account updates, timeouts, or in other areas of your system.


Security Misconfiguration

If someone misconfigures a security setting, a frequent mistake, criminals can exploit that weakness and gain access to your servers and the data they hold. Once they do so, stealthy hackers can, over time, carefully steal or modify your data without anyone knowing about it.

This type of attack was reportedly used on former Secretary of State Colin Powell's email server, to which criminals allegedly had access for several years.

Traditional Methods of Protection

There are traditional methods of protection that can assist businesses to protect their websites from unauthorized access and exploitation. Some of these require drafting, implementing, and monitoring policy to help secure your site. Others require more robust technical measures to help keep your eCommerce site safe.

Policy

One of the most important things you need to do is require strong passwords of at least six characters, including letters, numbers, and symbols. The longer and more complex the password, the better.

Enforce security training for all employees to help better protect your eCommerce site. Include discussions on the importance of maintaining strict control over sensitive data by never emailing it, sending it by text, or discussing it during a chat session.


System Settings

Ensure your IT team sets up and receives system alerts for suspicious activity. Things like multiple orders from the same person using different credit cards or phone numbers should be flagged.
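As an added example that is not part of the original article, the following Python sketch turns that alert rule into detection logic: it groups orders by customer, looks at the orders placed within a time window, and raises an alert when more than one card or phone number was used. The order records and the `flag_suspicious_customers` function are hypothetical, and the sample orders are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders (not real data). card_token stands for the card on
# file; the site itself should never hold the card number.
SAMPLE_ORDERS = [
    {"id": 101, "email": "a@example.com", "card_token": "tok_a1", "phone": "555-0100", "at": "2018-02-08T09:00:00"},
    {"id": 102, "email": "a@example.com", "card_token": "tok_a2", "phone": "555-0100", "at": "2018-02-08T09:07:00"},
    {"id": 103, "email": "a@example.com", "card_token": "tok_a3", "phone": "555-0199", "at": "2018-02-08T09:15:00"},
    {"id": 201, "email": "b@example.com", "card_token": "tok_b1", "phone": "555-0142", "at": "2018-02-08T10:00:00"},
    {"id": 202, "email": "b@example.com", "card_token": "tok_b1", "phone": "555-0142", "at": "2018-02-09T10:00:00"},
    {"id": 203, "email": "b@example.com", "card_token": "tok_b2", "phone": "555-0142", "at": "2018-03-20T10:00:00"},
]


def flag_suspicious_customers(orders, window=timedelta(hours=24), max_cards=1, max_phones=1):
    """Return one alert per customer whose orders within `window` use more than
    `max_cards` distinct cards or `max_phones` distinct phone numbers."""
    by_customer = defaultdict(list)
    for order in orders:
        by_customer[order["email"]].append(order)

    alerts = []
    for email, group in by_customer.items():
        group.sort(key=lambda o: o["at"])  # ISO timestamps sort correctly as strings
        # Start a window at each order and look at everything that falls inside it
        for i, first in enumerate(group):
            start = datetime.fromisoformat(first["at"])
            recent = [o for o in group[i:] if datetime.fromisoformat(o["at"]) - start <= window]
            cards = {o["card_token"] for o in recent}
            phones = {o["phone"] for o in recent}
            reasons = []
            if len(cards) > max_cards:
                reasons.append(f"{len(cards)} distinct cards")
            if len(phones) > max_phones:
                reasons.append(f"{len(phones)} distinct phone numbers")
            if reasons:
                alerts.append({"email": email, "orders": [o["id"] for o in recent], "reasons": reasons})
                break  # one alert per customer is enough to page someone
    return alerts
```

Customer b is not flagged with the default 24-hour window because the second card appears weeks later; widening the window to 60 days flags that customer too.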


Choose the Right Platform

Enterprises must choose the right eCommerce platform. Do your research and find one with good user ratings for security. Features such as secondary authentication and a platform built on object-oriented programming languages will help keep your site more secure.


PCI Compliant

Ensure your checkout system is PCI compliant. You should use EV SSL (Extended Validation Secure Sockets Layer) authentication. The SSL security seal will give your customers peace of mind, too.

Remember that part of being PCI compliant means you do not store customer credit card numbers, expiration dates, or other sensitive data.


Firewalls and Layered Security

Use the strongest firewall protection you can find. In addition, make sure you layer your security.


Monitoring

Always include a real-time analytics tool as part of your cyber security program. Monitor your site often. Set up phone, text, and email alerts to warn you immediately of suspicious activity.


Tracking Numbers

Always use tracking numbers. This will minimize chargeback fraud.


Backup and Disaster Recovery

This is the most important action you can take to protect your business. A weak disaster recovery plan can have devastating financial consequences. Make sure you have a secure data backup and recovery operation in place.

Tokenization

Tokenization has become a crucial method of protecting your eCommerce site from a data breach. The process of tokenization replaces your sensitive data with tokens. Each token is a unique identifier that stands in for the essential data without exposing it.

This has become a great way, particularly for small and medium-sized businesses, to significantly and quickly enhance the security of the company's eCommerce website. It is simple, yet effective.

Using tokenization also minimizes the hassles associated with trying to comply with industry and government standards and regulations. These rules are complex and can require significant expenditure to remain compliant.

For example, there is a PayPal Credit Card Tokenization extension that allows your customers to save their payment information while still letting you remain PCI compliant. You can also set up payment options for your customers using the credit card information provided at the time of purchase, without storing the card information anywhere that hackers can access.
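To make the tokenization idea concrete, here is an added Python example (not the article's or PayPal's code) that separates the two roles: a hypothetical `TokenVault`, standing in for the payment provider, is the only component that ever holds the card number, while the merchant's own records keep only a random token and the last four digits. The card number used in the usage example is the well-known test number 4111 1111 1111 1111, not a real card.

```python
import secrets
from typing import Dict, Optional


def luhn_valid(pan: str) -> bool:
    """Return True if the digits pass the Luhn check (an input sanity check, not a fraud check)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for the payment provider's vault: the only place the PAN is kept."""
    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # The token is random, so it carries nothing that can be reversed into the PAN
        token = "tok_" + secrets.token_hex(12)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault (for example, when charging the card) can map a token back."""
        return self._pan_by_token.get(token)


class MerchantRecords:
    """What the eCommerce site itself stores: a token and the last four digits, never the PAN."""
    def __init__(self) -> None:
        self.cards: Dict[str, Dict[str, str]] = {}

    def save_card(self, customer_id: str, vault: TokenVault, pan: str) -> str:
        token = vault.tokenize(pan)
        self.cards[customer_id] = {"token": token, "last4": pan.replace(" ", "")[-4:]}
        return token

    def holds_pan(self, pan: str) -> bool:
        """Check that no stored field equals or contains the full card number."""
        pan = pan.replace(" ", "")
        return any(pan in value for rec in self.cards.values() for value in rec.values())
```

If the merchant database is breached, the attacker gets tokens that are useless without the vault, which is what keeps the card data out of PCI scope.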

Final Thoughts

Understanding the problem and the vulnerabilities, and knowing processes and procedures you can put in place to mitigate your potential for a data breach, will help keep your eCommerce site safe. Review your current security setup. Stay abreast of current technologies like advances in tokenization, and protect your business.