Don’t Get Hacked! 4 Steps to Secure Your Ecommerce Site
You’re responsible for your customers’ data.
Don’t screw up!
Every ecommerce platform has its own strengths and weaknesses, especially when it comes to security. This article can be a helpful resource, whether you’re trying to choose your first platform, weighing options for re-platforming, or just trying to figure out how safe your current online store is.
In this post you’ll learn:
- whether an open source or a fully-hosted platform is the more secure choice for your store
- the four basic security measures every online store needs, whichever platform you pick
But first, let’s look at some stats.
Ecommerce Security Stats
In 2014, 60% of breaches in Retail were ecommerce related. Technology and Entertainment also boasted a high ecommerce breach percentage.
Check out the full breakdown from Trustwave:
The last thing your store needs is a major security breach resulting in identity theft. It would not only cost you customers outright, but also damage your brand for years afterwards.
That’s a worst-case scenario, but a valid concern. Remember Target’s recent data breach fiasco?
They’re still feeling the burn of the negative brand effects, not to mention that the entire mistake cost the company approximately $146 million in insurance and reimbursement fees.
To protect your company from experiencing any security breach, you first need to understand why it’s your responsibility.
What’s more secure? Open source or fully-hosted?
Having an open source platform ensures that, as a store owner, you can get your store design and user experience (UX) exactly how you want it. We recently interviewed one entrepreneur who chose an open source solution, Spree Commerce, so his in-house Ruby on Rails developer could use it as a foundation to build the sole feature that sets them apart from their competition: its search function.
WooCommerce and Magento Community Edition are other open source solutions that are quite popular. WooCommerce holds an impressive 7% share of the ecommerce platform market, and Magento Community Edition boasts a 13% share.
So, what’s the downside of an open source platform? The responsibility for running and maintaining the technical side of the store falls on you.
You’re responsible for customizing.
You’re responsible for integrating apps.
You’re responsible for troubleshooting when something technical goes wrong.
You’re responsible for finding a hosting solution.
And, if you’re accepting payments online, you’re responsible for making sure your store meets PCI DSS requirements (and is actually secure; compliance is the minimum, not the goal).
Sound like a lot? It is.
Many founders choose to launch with a fully-hosted ecommerce platform to avoid managing such responsibilities.
That’s why platforms like Shopify, BigCommerce, and Demandware also hold a large share of the platform market. With these solutions, compared with the open source platforms, you’re responsible for much less.
They host your store.
They carry most of the PCI DSS burden for your card transactions (you still answer for your own staff accounts and passwords, and for any code or apps you add).
They consistently monitor and test networks to ensure they’re secure.
And you’re responsible for paying them.
Don’t Be A Rookie – Implement Basic Security Measures
Whether you’re on an open source platform or paying for a fully-hosted solution, there are four basic security measures your online store needs.
If you’re hosting your own store, it’s obviously your responsibility to implement these solutions.
1. An up-to-date SSL Certificate
If you are selling anything online, an SSL certificate should be in place from Day 1. (Strictly, the certificate is used for TLS, the protocol that replaced SSL, but "SSL certificate" is still the everyday name.) It lets the customer’s browser verify that it is really talking to your server and encrypts everything the two exchange. Without one, anyone on the network path between customer and server, on a café Wi-Fi for instance, can read or alter what is transmitted.
This graphic gives a basic explanation of how an SSL Certificate works:
If it is installed correctly, you’ll see it in your URL: the “s” in the “https” portion of the address means “secure”.
Depending on the browser, the address bar looks slightly different, but most show a “lock” icon so that users (customers) know the connection is secure. The padlock means the connection is encrypted and the certificate is trusted for your domain name; it does not by itself mean the store is safe. Serve every page over HTTPS, not just the checkout, and redirect plain http:// requests to it, so a customer’s session cookie is never sent in the clear. Certificates also expire, so track the renewal date: an expired certificate turns the padlock into a full-page browser warning at your checkout.
Take a look at Shopify’s URL display in Chrome (screenshot: https and the padlock in the address bar):
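Here is a small check, added as an example and not code from the original post or from any platform, that does what a browser does before it shows the padlock (trusted chain, matching hostname, modern TLS version) and then reports how many days remain on the certificate. The offline helpers take a fixed point in time so they can be exercised without a network; the 30-day warning threshold and the hostname example.com are assumptions.

```python
"""Check that a store's TLS certificate is trusted, matches the hostname and is not about to expire."""
import socket
import ssl
import sys
import time
from datetime import datetime, timezone
from typing import Optional

WARN_DAYS = 30  # assumed renewal threshold: warn when fewer days than this remain


def utc_timestamp(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> float:
    """POSIX timestamp for a UTC wall-clock time; lets callers pin 'now' for offline checks."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp()


def days_until_expiry(not_after: str, now_ts: Optional[float] = None) -> int:
    """Whole days left before the certificate's notAfter timestamp (negative once expired).

    `not_after` is the string getpeercert() returns, e.g. 'Jun  1 12:00:00 2030 GMT'.
    """
    expiry_ts = ssl.cert_time_to_seconds(not_after)
    if now_ts is None:
        now_ts = time.time()
    return int((expiry_ts - now_ts) // 86400)


def assess(not_after: str, now_ts: Optional[float] = None, warn_days: int = WARN_DAYS) -> str:
    """Classify a certificate as 'expired', 'expiring' or 'ok'."""
    remaining = days_until_expiry(not_after, now_ts)
    if remaining < 0:
        return "expired"
    if remaining < warn_days:
        return "expiring"
    return "ok"


def fetch_not_after(host: str, port: int = 443) -> str:
    """Connect the way a browser does (chain and hostname verification on) and return the
    leaf certificate's notAfter. Raises ssl.SSLCertVerificationError when the chain is
    untrusted or the certificate was issued for a different name."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0 and TLS 1.0/1.1
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed default host
    try:
        not_after = fetch_not_after(host)
    except ssl.SSLCertVerificationError as exc:
        print(f"{host}: certificate NOT trusted: {exc.verify_message}")
        sys.exit(2)
    verdict = assess(not_after)
    print(f"{host}: {verdict}, {days_until_expiry(not_after)} days left (notAfter={not_after})")
    sys.exit(0 if verdict == "ok" else 1)
```

Run it from cron against your own domain and alert on a non-zero exit; the verification failure path is the one customers would otherwise discover for you.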
2. A safe payment gateway
Next, choose a safe payment gateway. Launching an online store is something you can do in a month, but the moment you begin accepting other people’s information, you’re operating on a whole new level.
At Blue Stout, we prefer to develop with Stripe because it’s easy to implement and it takes the handling of card data, and most of the PCI burden that comes with it, off your servers.
Its fee structure is similar to other payment processors; the difference is that the customer’s card details go from the browser straight to Stripe, which hands your site back a token to charge. This means:
- Your PCI DSS scope shrinks dramatically, because card numbers never touch your servers. You still attest to compliance, but with far less to cover. (A bonus if you’re using an open source solution and are worried about PCI compliance!)
- Your site is more secure, because a breach of your servers won’t yield any card data.
- You’re not tempted to store card data on your servers, which you shouldn’t be doing unless you’re a large business prepared to pay for full PCI DSS compliance.
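The following guard, added here as an example (not Stripe’s code and not part of the original post), is the server-side complement to that design: the card number is supposed to go from the browser straight to the gateway, so if one ever shows up in a request to your own server, the checkout form is misconfigured and the request should be refused before the number reaches a log or a database. The field name `payment_token`, the accepted id prefixes (Stripe’s tokens and payment methods start with `tok_` and `pm_`) and the sample payloads are assumptions; the Luhn check is the standard card-number checksum.

```python
"""Reject any checkout request that carries a raw card number instead of a gateway token."""
import re
from typing import Any, Iterator, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes, not part of a longer digit run
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Assumed convention: the browser posts only an opaque id minted by the gateway.
TOKEN_PREFIXES = ("tok_", "pm_")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; every real card number passes it, most order ids and phone numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def contains_pan(text: str) -> bool:
    """True if text holds a digit run that looks like, and checksums as, a card number."""
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            return True
    return False


def _walk(value: Any) -> Iterator[Any]:
    """Yield every scalar inside a (possibly nested) JSON-like payload."""
    if isinstance(value, dict):
        for v in value.values():
            yield from _walk(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _walk(v)
    else:
        yield value


def validate_checkout_payload(payload: dict) -> Tuple[bool, str]:
    """Accept only token-based payloads. The reason string never echoes the offending value,
    because that value would be the card number we are trying to keep out of our logs."""
    token = payload.get("payment_token")
    if not isinstance(token, str) or not token.startswith(TOKEN_PREFIXES):
        return False, "missing or malformed payment_token"
    for scalar in _walk(payload):
        if scalar is None or isinstance(scalar, bool):
            continue
        if contains_pan(str(scalar)):  # numbers may arrive as JSON integers, so stringify
            return False, "raw card number present in request; rejected without logging it"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: a correct token-based one and a misconfigured form posting the PAN.
    good = {"payment_token": "tok_visa", "amount": 1999, "note": "order ref 1234567812345678"}
    bad = {"payment_token": "tok_visa", "card": {"number": "4242 4242 4242 4242", "exp": "12/30"}}
    for request in (good, bad):
        print(validate_checkout_payload(request))
```

Wire `validate_checkout_payload` in as middleware in front of your order endpoint. The order reference in the sample is deliberately 16 digits: it fails the Luhn check, which is what keeps the guard from rejecting legitimate reference numbers.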
Once you’ve selected a payment provider, you should display their security seal. Stripe, like most other payment providers, offers badges for store owners to display on their stores.
Badges like these give your customers perceived security, something visual to associate with safety. Shoppers feel safer buying from a store when they can see a recognisable verification mark. Bear in mind that a badge is an image anyone can copy; it reassures customers, but it is not a security control and is no substitute for the measures above.
In fact, 61% of shoppers say that they have decided not to purchase a product because the checkout was missing a trust seal.
Take advantage of these psychological and visual channels. They could increase your conversion rates significantly.
3. Regular updates & patches for your store
When you’re using a third-party solution, it is crucial to update promptly to the most recent version.
For example, if your site runs on WooCommerce, you have the option during setup to specify whether you want it to update automatically or manually. If you choose manually, then you are responsible for backing up your site before each update in case something goes wrong. (There come those responsibilities again!)
You’re also responsible for making sure all of your plugins are up-to-date and that you have the latest versions installed. This is what your WooCommerce dashboard looks like when updates are waiting:
To take this off your plate, most fully-hosted solutions update their software automatically, and inform you beforehand that they will do so and what changes to expect.
If you are running your store on an open source solution, you (or your developer / development team) will need to stay on top of every patch released. Attackers are constantly finding new ways into environments that were secure when deployed, and any known hole in outdated software can turn into a major data breach.
For example, earlier this year a vulnerability was found in the Magento CE and Enterprise software that allows an attacker to remotely execute code on the server using a specially crafted request.
Since new flaws like this surface constantly, monitor your platform’s security channel for the updates and patches it publishes. Once a patch is public, attackers scan for stores that have not applied it, so waiting even one day puts your sensitive data at risk: back up, apply the patch on a staging copy, then roll it out to production.
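A check you can put in cron on a self-hosted WooCommerce store, added as an example and not WooCommerce’s or WP-CLI’s own code: it parses the JSON that `wp plugin list` prints, compares versions numerically (2.3.11 is newer than 2.3.5, though a plain string comparison says the opposite), lists plugins with a newer release available, and flags inactive plugins, whose files are still reachable over the web and are best deleted. The field names follow WP-CLI’s documented `plugin list` output and are assumed here; the embedded plugin list is constructed sample data so the script runs without a WordPress install.

```python
"""Flag WordPress/WooCommerce plugins that need updating or should be removed."""
import json
import subprocess
import sys
from typing import Dict, List, Tuple

# Constructed sample of `wp plugin list --format=json` output, used when no site path is given.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "woocommerce", "status": "active", "update": "available",
     "version": "2.3.5", "update_version": "2.3.11"},
    {"name": "akismet", "status": "active", "update": "none",
     "version": "3.1.1", "update_version": None},
    {"name": "hello", "status": "inactive", "update": "none",
     "version": "1.6", "update_version": None},
])

WP_FIELDS = "name,status,update,version,update_version"  # assumed WP-CLI field names


def version_tuple(version: str) -> Tuple[int, ...]:
    """'2.3.11' -> (2, 3, 11) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def triage(plugin_list_json: str) -> Dict[str, List[str]]:
    """Sort plugins into 'update_now' (newer release published) and 'remove' (installed but inactive)."""
    report: Dict[str, List[str]] = {"update_now": [], "remove": []}
    for plugin in json.loads(plugin_list_json):
        newer = plugin.get("update_version")
        if plugin.get("update") == "available" and newer:
            if version_tuple(newer) > version_tuple(plugin["version"]):
                report["update_now"].append(f'{plugin["name"]} {plugin["version"]} -> {newer}')
        if plugin.get("status") == "inactive":
            # An inactive plugin's PHP files are still served by the web server; delete what you don't use.
            report["remove"].append(plugin["name"])
    return report


def live_plugin_list(wp_path: str) -> str:
    """Ask WP-CLI for the plugins installed in the WordPress tree at wp_path."""
    cmd = ["wp", "plugin", "list", "--format=json", f"--fields={WP_FIELDS}", f"--path={wp_path}"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    data = live_plugin_list(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PLUGIN_LIST
    report = triage(data)
    for item in report["update_now"]:
        print("UPDATE:", item)
    for name in report["remove"]:
        print("REMOVE unused plugin:", name)
    sys.exit(1 if report["update_now"] else 0)  # non-zero exit lets cron or monitoring raise an alert
```

Pair it with `wp core check-update` for WordPress itself, and treat a non-zero exit as a ticket to patch that day, not that month.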
4. Don’t Choose Ignorance – Get Educated!
Developing awareness of security requirements for online stores is the first step in building a trustworthy business.
Though you may not understand the technicalities of secure connections and software patches, understanding the overall idea of ecommerce security and how it impacts your customer is knowledge that will arm you to make better business decisions.
Here are a few resources for popular platforms where you can keep tabs on updates:
- Magento Security Center
- Shopify Updates
- Spree Commerce Upgrades
- BigCommerce Developer Help & Support
- WooCommerce Development Blog
Always research your third-party integrations, too, as they surely will have their own updates and patches.
Securing your transactions is a top priority in ecommerce operations and any slip-up can cost you big-time.
Hopefully, you never have to deal with this situation. Comment below if you have any other security recommendations not mentioned in this post!