From SSL to PCI, here are the absolute basics you need to have covered if you're going to sell products on the Web.
So you've bought a web domain, designed your site, and now all that's left is to start your marketing? Before you go any further, you need to make sure your site is secure, otherwise you could end up with a disaster on your hands. The following is an extract from a blog post originally published on the McAfee web site. It's a handy summary of the basics you should have covered. We thank McAfee for permission to republish it here.
Aside from the legal and cosmetic processes, new eCommerce merchants must take other needed steps to provide customers with a safe and secure site for purchasing goods. Below, we discuss six security related rules online retailers must follow in order to survive.
Backend security basics
As an initial step, firewalls are essential for stopping attackers before they can breach your network and gain access to critical information.
Once that is accomplished, you must also add an extra layer of security to the web applications, or your website itself - meaning contact forms, login boxes, search queries, etc. Web application firewalls will ensure that your ecommerce environment is protected from application-level attacks like SQL (Structured Query Language) injection and cross-site scripting (XSS).
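A web application firewall filters traffic in front of the site, but the application code itself is where SQL injection and XSS are actually closed off. The following added example (not from the McAfee post) shows, for a product search box, the two practices a firewall is standing in for: a parameterised query, so the search term is sent to the database as data rather than as part of the SQL text, and HTML escaping of anything echoed back to the browser. The product table, the `search_unsafe` and `search_safe` functions and the sample rows are all constructed for this illustration.

```python
import sqlite3
import html


def make_db():
    """Constructed in-memory product table standing in for a shop database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, name TEXT, price_cents INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("A100", "Blue mug", 899), ("B200", "Red mug", 999), ("C300", "Staff-only item", 1)],
    )
    return conn


def search_unsafe(conn, term):
    """The defect a WAF tries to paper over: the search term is glued into the SQL text,
    so any quote characters in it change the meaning of the query."""
    sql = "SELECT sku, name FROM products WHERE name = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Parameterised query: the driver passes the term as a bound value, never as SQL,
    so quotes and keywords in the input are matched literally."""
    sql = "SELECT sku, name FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


def render_result_row(sku, name):
    """Output encoding: escape untrusted text before placing it into the HTML page,
    so a name containing markup is displayed as text instead of being interpreted."""
    return "<li>{} - {}</li>".format(html.escape(sku), html.escape(name))


if __name__ == "__main__":
    conn = make_db()
    print(search_safe(conn, "Blue mug"))
    for sku, name in search_safe(conn, "Blue mug"):
        print(render_result_row(sku, name))
```

The safe variant is not slower or harder to write than the unsafe one; the only difference is that the value travels in the parameter tuple. The same rule applies to every place user input reaches a query or a page: logins, contact forms and order lookups as well as search.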
Encryption is essential
Along the lines of backend security, encrypting sensitive data as soon as it enters your site is another critical step. Whether or not you choose to enlist a third-party payment provider to process your transactions, all other customer data, like passwords and contact information, should be encrypted before being stored in your servers.
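One practical detail worth separating out of the paragraph above: passwords should not be stored with reversible encryption at all, because the site never needs to read them back, only to check whether a login attempt matches. The standard approach is a salted, slow one-way hash. The following added example (not from the McAfee post) does this with PBKDF2-HMAC-SHA256 from the Python standard library; the record format, iteration count and function names are this example's own choices, and a constant-time comparison is used so that checking a wrong password takes the same time as checking a right one.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # work factor for PBKDF2; raise it over time as hardware gets faster
SALT_BYTES = 16       # a fresh random salt per user defeats precomputed hash tables


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable record of the form 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    The record carries its own parameters so they can be raised later without
    breaking existing accounts."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the hash from the stored salt and parameters and compare it
    in constant time with the stored digest."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")  # what goes in the database
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    print(verify_password("wrong password", stored))
```

Contact details and other data the site does need to read back are a different case: those are encrypted with a key that is kept out of the database, as the post says, so that a copy of the database alone is not enough to recover them.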
Additionally, another level of mandatory protection is SSL (Secure Sockets Layer) session encryption, which should be applied to all financial transactions. In order to achieve this, you must purchase an SSL certificate and renew it every one to two years. SSL is represented by web addresses beginning with "https" and ensures that payment data is encrypted at every stage of a transaction in order to keep it out of the hands of cybercriminals.
Partnering with an outside security vendor is key to preventing breaches, as they can provide vulnerability scanning and additional services to help discover weaknesses you may have otherwise missed. Out of 300 companies surveyed, the average number of vulnerabilities found per website was thirty-five - imagine how many one without any security could have.
Justifying the additional costs can be difficult in the beginning, but failing to find and patch flaws could result in a much pricier outcome in the long run.
Make sure you are PCI compliant
By incorporating all of the above security measures, your business will already be part of the way through achieving Payment Card Industry Data Security Standard (PCI DSS) compliance, which is a necessity for accepting electronic payments.
Pick your payment providers wisely
If you do decide to outsource payment processing, be aware that the responsibility doesn't stop there. Many new merchants don't realise that protecting customer financial information and maintaining PCI compliance continues even after payment processing or other functions are taken over by a third party.
Aside from ensuring that your own business follows PCI DSS, you must also assess the compliance of all outside providers. Even if another company is handling part of or the entire environment, merchants will still be responsible in the event of a data breach. With this in mind, cover your bases by knowing where and how the vendors to which you outsource deal with cardholder data.
Always update your website
Once your site has been established and all of the above measures have been put into place, the final step is maintenance. All too often, merchants fail to keep their websites and all of the supporting software upgraded, which can have some very serious consequences. Failure to update your software could result in a malware infection that can spread to users as well as countless other sites.
Forgoing website updates is not an issue only for online merchants: 20% of StopBadware's Compromised Websites survey respondents also admitted to not updating their software regularly. The update process will differ depending on where your eCommerce site is hosted, but whether it's using the latest release or an open source platform, you must ensure that everything is up to date.
There are many factors that contribute to the success of an online store, but security is absolutely essential for maintaining it. Failing to provide website security leaves your online store vulnerable to hackers, and even if some data breaches may be inevitable, most are avoidable.