Best Practice for Online Retail Security – Part One

As more focus is put on to internet retailing, we are also hearing about more incidents where e-commerce stores have been compromised resulting in loss of business, information and revenue. A few of these situations actually make it into the media such as the hacking of the Lush UK and Australian websites reported by Power Retail in February 2011. and Roses Only in 2007, which made the headlines when credit card information was stolen from a server.

Every day there are incidents where online stores have information stolen and sometimes the owners of those stores become aware of the breach and sometimes it goes undetected.

Power Retail - RosesOnly
Popular online retailer Roses Only was the victim of a security breach in 2007.

If you own an offline store then without any doubt you will have invested in store security. This investment may be using security sensors and alarms with monitored back-to-base systems. It may include CCTV surveillance of both customers and staff, in store security staff, plain clothes investigators and the list goes on. At the end of each day there will be cash and stock checks, audits, as well as sweeps of the store for any intrusion. Everyone in the retail trade is aware of the need for store security.

So does is it surprising to discover that it is rarely considered as an important issue for online retail stores?

How can an online store be compromised?

There are many ways that hackers can get access to information in an online store that is considered confidential or protected: personal data and financial data might be stolen, order data could be changed, or financial information could be copied by the hacker when it is entered for payment.

The store itself can be made to be inaccessible through attacks like Denial of Service (DOS) or Distributed Denial of Service (DDOS) attacks. These types of attacks can be targeted at a specific website or might be random and affect hundreds or thousands of sites running in a providers systems. DDOS attacks can often be used to look for vulnerabilities on a system or to exploit a known issue that allows a breach of the security system.

Intrusions into website and servers can often go undetected and information might be collected and sent to a criminal organisation or misused over long periods of time.

Often the first time you hear of some of these intrusions is when the bank calls the merchant to tell them that credit cards used in transactions on their website have been used in other illegal transactions. So the credit card numbers have been stolen.

If you store credit card data on your servers using encryption then you can be at risk. Using a payment gateway may not be enough to protect the card data from being stolen. Hackers can install sophisticated software in your web server that can watch as credit card data is input into forms and capture that information for later retrieval.

But it may be personal information stored on your website like names, addresses, email addresses, phone numbers, etc, that is just as much at risk and also has a value to criminals who want to steal identities. Identity theft and fraud is big business in the criminal world.

What can online retailers do?

Power Retail Special Report Payments and Securities
Download the Power Retail Payments and Securities Special Report for a comprehensive guide to protect your e-commerce business.

One of the first areas to go and ask about online security is the hosting provider that you use. Hosting providers will have layers of security that surround the hosting infrastructure and will provide information on security accreditation as an example at Macquarie Telecom.

Do not store credit card data in any way on your web server or in the online store data base. Always use a payment provider or payment gateway that has been accredited by your bank.

Be aware of Payment Card Industry Data Security Standards (PCI DSS) that have been formulated by the Payment Card Industry Security Standards Council. They also provide a Self-Assessment Questionnaire and information about security on their website.

There are some really basic things that your web agency or in-house web support team can do:

  • Make sure that you have a valid SSL certificate.
  • Make sure that the software that you are using is kept patched up to date.
  • Make sure that you have secure firewalls in place and maybe that you are using an Intrusion Detection System (IDS).
  • Regularly scan your systems with a vulnerability checking system like COMODO Hacker Guardian or Outpost24. These scanning systems will not fix vulnerabilities in your systems but they will help you identify areas that need to be fixed.
  • If you use open source software make sure it is regularly checked for potential issues and you can find resources at websites like the Open Source Vulnerability Data Base.

Not all attacks on a website start on the internet. Websites can also be attacked internally so ensure that you have password protected access to your website administration system and to servers and software. Make sure that any wireless internet access inside your business is password protected. If you have a wireless internet connection in your office that is unprotected it is probably also behind the firewall and so a breach of security could occur. If staff leaves your employ then disable their password and change any passwords that might have been shared. You should also ensure that your business has a web security policy.

For Best Practice for Online Retail Security – Part Two, discussing what to do if your online store is attacked and how hackers can be stopped, please click here.

One thought on “Best Practice for Online Retail Security – Part One

  1. Fascinating read – let us get more of these…

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

PowerRetail Extra Enewsletter