There are plenty of advantages to e-commerce compared to traditional brick-and-mortar retail. If you want to get into the business of selling something, the costs of entry are much lower on the Web. However, selling things means getting paid, and these days that means accepting credit and debit cards. While card processing in any setting requires measures against fraud and theft, the potential for problems is much greater online. That being the case, here we’ll examine some basic security needs to consider when setting up your e-commerce site.
Understanding the security threats
The first step is to understand the nature of the threat—or threats, in this case:
Denial of service: Denial of service (DoS) or distributed denial of service (DDoS) attacks often make the news when they’re mounted against the websites of large companies or government agencies. Essentially the perpetrators generate a huge volume of requests to the site under attack in a short amount of time; in the distributed case the traffic comes from many compromised machines at once, which is what makes it hard to filter out. Since a website can only handle so many visitors at once (although that number may be quite substantial), a DoS attack “clogs the channels” and blocks legitimate users from reaching the site. In extreme cases, the attack may crash the site altogether.
Spoofing: One of the tricks in the cybercriminal’s bag is to create a website that mimics a legitimate site. Customers can be directed to the spoofed site in a number of ways (a phishing e-mail, a look-alike domain name, a paid search ad), and once they enter their card information for payment, the criminals have it. Small e-commerce sites are particularly vulnerable to this threat: spoofing Amazon would be tricky, as would luring customers to the fake site, but if you’re a tiny Web retailer whose customers don’t know exactly what your site should look like, it’s relatively easy.
Data breaches: A data breach results in the theft of customer information, particularly credit card numbers. You’ve no doubt heard of major retailers—often brick-and-mortar ones—having their servers hacked and millions of card numbers stolen. If companies like 7-Eleven, J.C. Penney, JetBlue, and Dow Jones can fall victim, your site certainly can.
Data manipulation: The alteration of data is less common simply because it serves fewer purposes for criminals, but it can happen (altered prices, orders redirected to a different shipping address, changed account details), and it will probably result in lots of unhappy customers.
Defacement: The Internet equivalent of having your storefront tagged by vandals, having your site hacked and defaced will disrupt your business and cost you money to have the damage repaired.
The different levels of security available to protect yourself
So those are some of the bad things that can happen. What’s to be done, then? Well, security has three main goals: confidentiality, integrity, and availability.
Confidentiality means keeping data out of the wrong hands. It concerns itself with problems like data breaches, and with spoofing, since a spoofed site exists to capture card data. Integrity means ensuring data is and remains accurate, with no unauthorized additions, changes, or deletions. It is focused on problems like data manipulation, and a defaced page is an integrity failure as well. Availability means ensuring access for you and your customers. Its goal is to withstand denial of service attacks and to get a defaced site back into service quickly.
Security measures take four specific forms. Authentication proves the identity of a person or site. Your customers will have a user name and password to authenticate their identity once they create an account on your site, for example. You may also have seen certificates or trust seals from providers such as Verisign on websites you have visited; the certificate behind a site’s HTTPS padlock ties the domain name to the server the browser is actually talking to, which is what combats spoofing (a seal image on its own proves nothing, since anyone can copy it). Such certificates also boost customer confidence. Face it: if you were contemplating a purchase from a website you just discovered 30 minutes ago that sells something really obscure—custom-made lederhosen, let’s say—you might stop to wonder whether the site was legitimate before typing in that credit card number.
Authorization sets limits on what different users of a system can do. Obviously, your customers should not have access to the accounts or data of other customers; their account authorization should only let them transact business on your site. While this might seem silly and self-evident, it only holds if the server checks ownership on every request. Without that check, an attacker with an ordinary customer account can often reach other customers’ orders or details simply by changing an order or account number in a URL or form field.
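The two measures described above, authentication and authorization, in a minimal in-memory storefront. This is an added example, not code from the original article or from any particular shopping-cart product; the names Store, register, login, place_order and get_order, the PBKDF2 iteration count, and the sample customers and orders are all constructed for illustration. It shows salted password hashing with a constant-time comparison for login, and then the ownership check that turns “any logged-in customer can read any order number” into “customers see only their own orders”.

```python
"""Added example: password-based authentication plus per-object authorization
for a tiny e-commerce site. Not the article's own code; all names are invented."""
import hashlib
import hmac
import os

# Assumption: a modest iteration count so the demo runs quickly. Production
# deployments should use the current published recommendation for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, derived_key). A fresh random salt per customer means two
    customers who chose the same password get different stored values."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


class Store:
    def __init__(self):
        self.users = {}      # username -> {"id": int, "salt": bytes, "key": bytes}
        self.orders = {}     # order_id -> {"owner": user_id, "items": [...]}
        self._next_user = 1
        self._next_order = 1000  # constructed: sequential, guessable order numbers

    def register(self, username, password):
        salt, key = hash_password(password)          # never store the password itself
        uid = self._next_user
        self._next_user += 1
        self.users[username] = {"id": uid, "salt": salt, "key": key}
        return uid

    def login(self, username, password):
        """Authentication: prove identity. Returns the user id, or None on failure."""
        rec = self.users.get(username)
        if rec is None:
            # Do the same amount of work for an unknown user so response time
            # does not reveal which usernames exist.
            hash_password(password)
            return None
        _, key = hash_password(password, rec["salt"])
        # Constant-time comparison: a plain == would stop at the first differing byte.
        return rec["id"] if hmac.compare_digest(key, rec["key"]) else None

    def place_order(self, user_id, items):
        oid = self._next_order
        self._next_order += 1
        self.orders[oid] = {"owner": user_id, "items": list(items)}
        return oid

    def get_order_insecure(self, order_id):
        """The mistake the text warns about: trusting the order number in the
        request. Any logged-in customer who guesses another number sees that order."""
        return self.orders.get(order_id)

    def get_order(self, user_id, order_id):
        """Authorization: the server checks ownership on every request, using the
        user id established at login rather than anything the client sent."""
        order = self.orders.get(order_id)
        if order is None or order["owner"] != user_id:
            # Same answer for "does not exist" and "not yours": no hint that it exists.
            return None
        return order


if __name__ == "__main__":
    s = Store()
    alice = s.register("alice", "correct horse")
    bob = s.register("bob", "hunter2")
    order_a = s.place_order(alice, ["lederhosen"])
    order_b = s.place_order(bob, ["hat"])
    print("alice logs in:", s.login("alice", "correct horse"))
    print("alice reads bob's order, insecure:", s.get_order_insecure(order_b))
    print("alice reads bob's order, checked:", s.get_order(alice, order_b))
```

The user id passed to get_order must come from the server-side session created at login; if it is taken from a cookie or hidden field the client controls, the ownership check is checking a value the attacker chose.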
Encryption protects data during transmission and in some cases during storage as well. One of the most important times is when it is flowing between your site and your customer’s web browser and is vulnerable to interception; serving the whole site over HTTPS (TLS) is the standard answer, and card data should never travel over a plain HTTP page. Finally, auditing maintains a record of who did what on your site. While less useful for preventing cybercrime, the audit trail helps establish what really happened (for example, what a customer actually purchased in a given order) in the event data is manipulated after the fact. For that to hold up, the audit trail itself has to be harder to alter than the data it records. It can also help track the attacker if something does occur.
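The auditing point above, as an added example that is not part of the original article: a tamper-evident audit log in which each entry carries an HMAC over its own contents and the previous entry’s tag. The class name AuditLog, the field names, the secret key and the sample order events are all constructed for illustration. Because the tags are keyed, an attacker who can edit the order records (or the log rows themselves) but does not hold the audit key cannot recompute a consistent chain; a keyless hash chain would not give that protection. The assumption is that the key and the latest tag are kept somewhere the web application cannot write.

```python
"""Added example: an HMAC-chained, append-only audit log that detects edits,
insertions and truncation after the fact. Not the article's own code."""
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # tag "before" the first entry


def _canonical(entry):
    """Stable byte encoding of an entry without its tag, so verification
    recomputes exactly what was signed."""
    body = {k: v for k, v in entry.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


class AuditLog:
    def __init__(self, key):
        self._key = key          # assumption: held outside the web application
        self.entries = []
        self.head = GENESIS      # assumption: also stored separately, e.g. off-box

    def append(self, actor, action, details):
        entry = {"seq": len(self.entries), "actor": actor, "action": action, "details": details}
        tag = hmac.new(self._key, self.head + _canonical(entry), hashlib.sha256).digest()
        entry["tag"] = tag.hex()
        self.entries.append(entry)
        self.head = tag
        return entry["seq"]

    def verify(self):
        """Return (ok, first_bad_seq). Walks the chain from GENESIS; a bad seq
        number, a mismatched tag, or a head that does not match the stored one
        means the log was altered after it was written."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry.get("seq") != i:
                return False, i                       # entry inserted or removed here
            expected = hmac.new(self._key, prev + _canonical(entry), hashlib.sha256).digest()
            if not hmac.compare_digest(expected.hex(), entry.get("tag", "")):
                return False, i                       # this entry's contents changed
            prev = expected
        if not hmac.compare_digest(prev, self.head):
            return False, len(self.entries)           # entries removed from the end
        return True, None


if __name__ == "__main__":
    log = AuditLog(b"demo-audit-key")  # constructed key
    log.append("customer:42", "order.create", {"order": 1000, "items": ["lederhosen"], "total": 189.0})
    log.append("customer:42", "order.pay", {"order": 1000, "amount": 189.0})
    print("intact:", log.verify())
    log.entries[0]["details"]["total"] = 1.0          # someone rewrites the price
    print("after edit:", log.verify())
```

The verify result names the first entry that fails, which is the point where the record can no longer be trusted; everything before it is still a reliable account of what the customer actually ordered and paid.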
In the end
The less pleasant news is that there is no simple solution to these issues. Securing an e-commerce site is not like buying an anti-virus software suite for your PC. For example, defending against DoS and DDoS attacks is complicated: a large volumetric attack cannot be stopped at your own server at all and has to be absorbed upstream by your hosting provider or a DDoS mitigation service, and some forms of attack simply can’t be blocked at this time. The bottom line: it’s going to take expert assistance to secure your e-commerce site. Don’t be tempted to skimp or skip it altogether, as a serious attack can literally kill your business. Besides, your credit card processor will require your site to meet minimum security standards, namely the Payment Card Industry Data Security Standard (PCI DSS).
If you had a brick-and-mortar shop, you would want a burglar alarm, fire extinguishers, and reliable locks. If you happened to do business in a bad part of town, you’d probably want bars or roll-down shutters, too. Your e-commerce site deserves no less protection.
If you have any questions on internet security and how it applies to you, give us a call at 866-949-7267. We would be more than happy to answer any questions to make sure that you are headed in the right direction when it comes to your eCommerce and payment processing security.