Opinion

Making an ecommerce website secure

Having security in place is way better than recovering from a breach. A multi-tiered protection using varied tools will go a long way in keeping your business safe.

Aditya Anand Feb 06th 2017
Securing an ecommerce website is not same as securing a local store. A physical store can be secured with locks, CCTV cameras, alarm systems, etc.  Contrary to this, ecommerce websites face much more sophisticated attacks. Hackers and fraudsters are always on the lookout for security loopholes in ecommerce sites which could be used to steal valuable data. Invariably, your online assets are at constant risk, unless you have systems and processes in place to secure them. 
Following simple techniques can go a long way in protecting your ecommerce site and therefore, your business.
Choose ecommerce hosting wisely
Are you one of those who are risking it all by choosing a low-cost hosting option?
Market is swarming with low cost hosting options for websites and it’s easy to be tempted to choose from unbelievably cheap hosting options. If you’re on a shared hosting service with hundreds of thousands of other users, then you could end up in a ‘noisy neighborhood’ ones which are rude, anti-social and tend to bring the tone of the neighborhood down. 
Probably the best option for serious ecommerce retailers is a virtual private server. This balances superb, scalable performance with reasonable costs and excellent security customization options. Setting up your server for security is quite straightforward and if you can’t manage it yourself, then usually a reputable host will offer a managed server service for you.
HTTPS is the way
Not very long ago, most website owners would reserve HTTPS hosting to ‘payment links’ of their websites. This was prior to the phase when Google commenced increasing focus on security and started including HTTPs as a ranking factor. Any serious ecommerce player understands the value of SEO ranking and wouldn’t want to compromise on it. To add to this, it is certain that in upcoming releases Google Chrome will label all non-HTTPS pages in incognito mode as “not secure” because users using this mode have an increased expectation of privacy. Invariably, the browsers are going to start penalizing HTTP sites. So, believe it or not, HTTPS is the way to go.
To switch to HTTPS, you need to select an SSL Certificate and start using it on your website. Your hosting provider can bundle it in his offerings to you. You could also purchase one from a reputed SSL vendor. 
Select a secure platform and keep it secure
Once up and running, your site would need to be maintained periodically and supplemented with regular updates and your designers, developers and hosting vendor can support you in the process. But, when it comes to security, you need to own the process. 
Particularly, keep an eye on software provider’s site to check for periodic updates and ensure they are being applied to your site. 
Secure the admin panel
Protect your admin section against obvious attacks. For instance, avoid using default username like ‘admin’. Choose your login credentials wisely. They should be original, and difficult to crack. Next, be selective in providing access to admin panel. You can do this by setting up a ‘Whitelist’ of IP addresses under server administration and permitting only known IPs to access admin panel.    
As a final step, set up unique threshold values, such as number of login attempts, so that the administrator gets notified when certain number of login attempts fail from an unknown IP address. 
Backup key data
Data, as your key business asset, needs to be protected. You cannot afford to leave data backup at the mercy of manual process only. An ideal solution is to have an automated backup facility in your platform which ensures your data is backed up at all times.
Avoid hoarding user card data
Some ecommerce clients lure clients to save their precious time by storing the latter’s card details. As a prudent ecommerce player, refrain from adopting such practices. In an event of data breach when your systems are compromised, you could end up being penalized heavily. 
The best practice is to utilize the services of an authentic payment gateway provider, who have in built capabilities for managing data and keep the payments off your site. If you are operating on low budgets, choosing PayPal can be an optimal solution. 
In the long run, it would be good practice to aim for Payment Card Industry Data Security Standard (PCI DSS) accreditation. Of course, to become PCI-DSS compliant, your website needs to guarantee the integrity of your customer’s financial data and you need to implement strong access control throughout your website.
Use a GeoLocation anti-fraud software
There are instances everywhere of cards being stolen in one part of the world and being transferred electronically at a different geographical location for online frauds. Ecommerce players who remain oblivious of security loopholes may end up losing revenues by servicing fake orders and start picking up chargebacks. 
An effective way to address this is to use a GeoLocation anti-fraud tool. Merchants can use this data to determine the level of risk of any particular transaction.
The algorithm looks at a number of criteria around the IP Address of the order and takes into account popular cloaking methods, such as using proxies and compares this with its database of billions of transactions to create a unified Fraud Risk Score.
If you’re unsure, it gives you the opportunity to either refund the order or run further manual checks.
Create robust security policies 
Incorporating manual, but robust security processes can go a long way in securing your online presence. For instance, let’s take the example above where a freshly arrived order looks like it has a high Risk Score, but it ‘looks’ perfectly fine. 
Your security policies and procedures must immediately be invoked, even if they sound redundant. 
The verification process could involve as simple as tele calling the client or sending him an email to confirm his identity. 
Layered security
A multi-tiered approach to security is a must because there is no panacea to make a site secure. Based on the budget, one can either create a physical firewall or a firewall through a web application. These are first lines of defense to protect against the more prominent and common breaches and hacks, which may include SQL injection or cross-site scripting.
Secondly, one can use a Content Delivery Network (CDN) to boost security. CDNs learn to identify malicious traffic to the website. Moreover, they are able to prevent Distributed Denial of Service Attacks (DDoS), thus being highly advantageous for security. 
Another way to protect from DDoS attack is to use OpenSource Software.
 
The author is DGM, SAARC & ME at GlobalSign
Disclaimer: This article is published as part of the IDG Contributor Network. The views expressed in this article are solely those of the contributing authors and not of IDG Media and its editor(s).