Shopping season is here, and so is the opportunity for ecommerce site owners to grow their business and generate revenue. In light of the changing global ecommerce climate that this pandemic has produced comes the importance of securing your website to protect your users — and your revenue streams.
Your online customers depend on you to protect their data implicitly. As an ecommerce website owner, you’re required to follow the PCI-DSS compliance requirements to securely handle cardholder information — even if you don’t process the payments yourself. These requirements are governed by the major credit card companies to ensure the secure transmission, storage, and handling of cardholder information.
We’ve outlined some of these PCI requirements for your reference, but PCI compliance violations aren’t the only negative impact you can expect in the event of a compromise. Other potential impacts include blacklisting by Google or other authorities, loss of customer trust and brand reputation, and a drop in your website traffic. To lend a hand, we’ve also included a number of steps you can take to improve the security of your ecommerce website.
That being said, this is not legal advice.
There are many other additional laws, regulations, and guidelines that may or may not be related to your ecommerce website.
Why is Ecommerce Security Important?
Trust is the key to your online business. Getting blacklisted around the holiday shopping season can be devastating for any ecommerce website. If a security incident occurs, it can wreak havoc on traffic, revenue, and brand reputation.
Under most circumstances, bad actors don’t manually hand-pick websites to attack, since this is very time consuming. The majority of attacks against websites are automated and performed by bots that are looking for websites with known vulnerabilities.
These automated scripts make it easy for hackers to find websites, scan for vulnerabilities, and gain unauthorized access. And small web stores aren’t exempt, either. Criminals are opportunists — they’ll target any accessible websites or server resources.
On top of that, if a merchant is found to be non-compliant with the PCI-DSS, there are a number of penalties and consequences, ranging from fines and lost time to the inability to process payments.
The average cost of a data breach for a small business is $86,500, with enterprise organizations paying 4 million dollars.
Security Principles for Online Stores
The methods you use to secure your e-commerce websites will depend on whether your website is managed or self-hosted.
For websites running managed stores, like Wix and Squarespace, the server and all its software are proprietary — meaning you will not be held liable for security configurations. You pay the service provider a monthly fee for this luxury.
If you’re a self-hosted store, however, you’ll want to pay close attention to the following recommendations.
Reduce Your Attack Surface
With PCI, everything is about reducing the attack surface. For an ecommerce site, this specifically involves the Card Data Environment (CDE) – the manner in which you handle credit cards on your site. Even if you leverage third-party services like Stripe, Recurly, PayPal, or another secure payment option, you have an obligation to follow the requirements as set forth by PCI DSS.
Keeping your website’s attack surface as small as possible is a fundamental first step toward improving your security measures. This means reducing the number of different points that bad actors can enter or extract data from your environment. These can come in the form of insecure credentials, unpatched third-party components, plugins, or extensions, software and CMS vulnerabilities, and even server configurations.
Whenever you add new features or components to your website, you’re also introducing potential for a vulnerability which may be exploited.
Consider every component you’ve added (or want to add) and ask yourself the following questions:
- Do you really need this plugin, theme, or component?
- Does the software vendor have a plan if a vulnerability is disclosed?
- Are there frequent patches and releases, and are the software developers prioritizing security?
- Are there any new patches? Do you plan on monitoring and applying security updates as soon as they are released?
If a third-party component is your only option, choose reputable sources with a track record of support and forum activity, and check that updates have been made recently, that reviews are positive, and that other credibility indicators show the project has not been neglected.
Found some unused plugins, themes, or other software on your website? Not using it? Then lose it! Remove it and you can help reduce your attack surface, making it more difficult for attackers to exploit any vulnerabilities.
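As an added illustration of the checklist above (not code from the original article), the following script audits a constructed component inventory and sorts each plugin or theme into the action the checklist implies: remove it if it is unused, update it if a newer version exists, or review it if the vendor looks neglected. The inventory format, the 365-day staleness threshold, and the component names are all assumptions.

```python
"""Attack-surface audit for a self-hosted store's third-party components.

Hypothetical inventory: one record per plugin/theme with the fields a site
owner can usually read off the admin panel or package manager (assumed format).
"""
from dataclasses import dataclass
from datetime import date

MAX_DAYS_WITHOUT_RELEASE = 365  # assumed threshold for "neglected" upstream
TODAY = date(2024, 11, 1)       # fixed reference date so the run is repeatable


@dataclass
class Component:
    name: str
    active: bool               # is the site actually using it?
    installed: str             # installed version
    latest: str                # newest version published by the vendor
    last_release: date         # date of the vendor's most recent release
    has_security_policy: bool  # vendor documents how it handles disclosed vulns


def version_tuple(v: str) -> tuple:
    """Turn '4.10.0' into (4, 10, 0) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def audit(components, today: date) -> dict:
    """Group component names by the action the checklist calls for."""
    findings = {"remove": [], "update": [], "review": []}
    for c in components:
        if not c.active:
            findings["remove"].append(c.name)  # not using it? then lose it
            continue
        if version_tuple(c.installed) < version_tuple(c.latest):
            findings["update"].append(c.name)  # a patch is waiting
        stale = (today - c.last_release).days > MAX_DAYS_WITHOUT_RELEASE
        if stale or not c.has_security_policy:
            findings["review"].append(c.name)  # vendor may have abandoned it
    return findings


# Constructed sample inventory; these are not real plugins.
SAMPLE = [
    Component("cart-widget", True, "2.3.1", "2.3.1", date(2024, 9, 2), True),
    Component("old-slider", False, "1.0.0", "1.0.0", date(2019, 1, 15), False),
    Component("seo-booster", True, "4.1.0", "4.2.0", date(2024, 10, 20), True),
    Component("legacy-gallery", True, "0.9.0", "0.9.0", date(2021, 3, 3), False),
]

if __name__ == "__main__":
    for action, names in audit(SAMPLE, TODAY).items():
        print(f"{action}: {', '.join(names) or '-'}")
```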
PCI Compliance & Secure Payments
If you operate an ecommerce site, PCI compliance is a requirement. Compliance is not dictated by the volume of transactions or restricted solely to storage, transmission, and processing – it applies to any business that accepts credit cards.
To maintain compliance, you’ll need to ensure that your website meets the following requirements as set forth by the Payment Card Industry Data Security Standards (PCI-DSS) Council.
- Requirement 1: Build and Maintain a Secure Network
- Requirement 2: Do Not Use Vendor-Supplied Defaults
- Requirement 3: Protect Cardholder Data
- Requirement 4: Encrypt Transmission of Cardholder Data
- Requirement 5: Maintain a Vulnerability Management Program
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
- Requirement 8: Identify and Authenticate Access to System Components
- Requirement 9: Implement Strong Access Control Measures
- Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data
- Requirement 11: Regularly Test Security Systems and Processes
- Requirement 12: Maintain an Information Security Policy
Many online stores use a reputable payment gateway to help process credit card payments and transactions. While this can help you lift some PCI requirements, it doesn’t mean you’re off the hook entirely!
If you want to read more about PCI compliance, our PCI Compliance Requirements guide discusses all of the requirements, risks, and penalties associated with PCI-DSS Compliance.
Ask a few people who operate ecommerce shops and you’ll likely find they fear audits nearly as much as hacks. But when you gain an understanding of what it takes to run a secure online store — and embrace those principles — it offers peace of mind.
You would also gain confidence that your customers’ data is safe and that you’re staying on the good side of any regulatory agencies that might drop by. More importantly, taking these steps to ensure that you’re following best practices toward compliance is also good practice toward a strong security posture.