Ecommerce websites have one of the most difficult challenges in the web security space – keeping the implicit trust of a customer in order to make them feel safe shopping on the site.
Whether the business started as a local brick-and-mortar shop, or deployed online from the start, it’s easy to design a website and organize content. It’s not as easy knowing how to design a security framework for ecommerce.
In this post we’ll introduce some basic security concepts and how to think about security for your online store.
Security Principles for Online Stores
Think about the tools you’re currently using to power your online shop. Understanding how these tools work is critical to identifying security options and limitations.
For websites running managed stores, like Wix and Squarespace, the server and all its software are proprietary. This means the website owner is not held liable for security configurations, and you pay the service provider a monthly fee for this luxury.
This article is specific to self-hosted stores. This segment of website owners are often deploying a Content Management System (CMS) such as Magento or WooCommerce – or those who maintain a bespoke website that was entirely coded by developers.
I. Reducing The Attack Surface
When you hear “attack surface” we’re referring to all the possible ways that a hacker could potentially abuse your online store. Consider your home – when you leave for the night, you don’t just check the front door, but you verify the windows and back doors are also secure. The same applies when thinking of your online store.
Open-source CMS applications have the benefit of being developed by a team of volunteers that check the code for security flaws. It’s biggest weakness is also it’s biggest strength – its extensible components.
All of the most popular CMS applications are built on a framework that allow additional components in the form of plugins, modules or extensions; all designed to add to the core CMS features. As you deploy your online store, realize that the introduction of any extensible component is inevitable, and will undoubtedly increase the site’s attack surface.
When extending the capability of your website, the number one concern will be software vulnerabilities – specifically how they will be managed and how will you be notified when a vulnerability is disclosed. It’s imperative to engage the vendor and ask them for their protocol on disclosures. You’re not looking for someone that has never had an issue – you’re looking for a vendor that is aware that it could happen and has a plan to address security issues.
Here are some of the questions to ask yourself when considering the extension of your core application:
- Do I really need this component?
- Does the vendor for this component have a plan if a vulnerability is disclosed?
- Are the developers prioritizing security measures?
- Do you have a plan to monitor and apply updates as they are released?
For example, you may decide to take the following actions:
- Choose to leverage core functionality in the place of a third-party.
- If a third-party is your only option, then leverage a reputable source with a proven track record.
- Ensure the ones you keep are reliable, secure, and well supported.
II. Importance of Secure Payments
Making money is the name of the game. If you’re a business, you’re in it to make it. However, it’s important to know who has access to the kind of information needed to process payment, such as credit card details and other personally identifiable information (PII).
Many online stores use a reputable payment gateway, but this doesn’t mean your site is off the hook when it comes to PCI compliance. Your online store will at some point generate some form of commerce, whether it’s a subscription service, goods, or services. In doing so you, will want to pay special attention to the PCI Self Assessment Requirements.
Here are some things to look for:
- What kind of sensitive information are you collecting? (credit cards, passwords, addresses)
- Who has access to this information? Who should?
- If someone accesses this information, are these events recorded?
- If you’re taking payments, is the data protected in transit via SSL?
- Are you storing and monitoring cardholder data properly?
- Do you know what level your business falls under for PCI compliance?
- Are changes to the website being logged (i.e. files, DNS, etc.)
We recommend checking out the PCI Compliance Guide to better understand Requirement 10 of the Payment Card Industry Data Security Standards:
The intent of PCI DSS Requirement 10, then, is to determine the “who, what, where and when” of users accessing your data processing resources:
The importance of monitoring your cardholder data is for non-repudiation, or proof that the integrity of your website is intact.
The Future of Online Stores
The freedom and openness of the web has enabled individuals and organizations all around the world to redefine themselves. When we talk commerce, we’re no longer restricted to the physical walls of our location – but only to the walls of our own imagination. In this virtue however, it’s imperative that we learn from history and start the conversation of security early and often.
This post was intentionally designed not to be a comprehensive guide to security for online stores. Instead it was designed to help provide a basic understanding around the importance of security and how to approach it.
In future articles we’ll be placing more depth and concentration on specific pieces of the security domain as they apply to online stores.
Update: Read our new PCI Compliance guide.
