Saturday, January 18, 2014

20 tips on eCommerce web site security



Need: One of my primary sources of fear is that fraud seems to be all around us. When we hear of the websites of the best of companies getting hacked all the time, I know that I am small fry. Be it Sony or Google, just to name two tech giants, both have been the targets of hacking. If they could not protect themselves, how will I? I think that I am not alone in my fear. The fact that I am an eCommerce professional notwithstanding, I fear that someone somewhere wants to defraud me.
Without trust, most prudent business operators and clients may decide to forgo use of the Internet and revert to traditional methods of doing business. To counter this trend, the issues of network security at the eCommerce and customer sites must be constantly reviewed and appropriate countermeasures devised. These security measures must be implemented so that they do not inhibit or dissuade the intended e-commerce operation. This paper will discuss pertinent network and computer security issues and will present some of the threats to e-commerce and customer privacy. These threats originate from hackers as well as from the eCommerce site itself.
A straightforward comparison can be made between the security weaknesses in the postal system and the security weaknesses on the Net. The vulnerable spots in both cases are at the endpoints: the customer's computer/network and the business' servers/network. Information flowing in the conduit (trucks/planes and wires) is relatively immune to everyday break-ins. Privacy issues are amongst the major drivers for improved network security, along with the elimination of theft, fraud and vandalism. Two major threats to customer privacy and confidence come from sources hostile to the environment as well as from sources that seem friendly.
Many of the issues and countermeasures discussed here come from experience gained consulting with clients on how to maintain secure e-commerce facilities. These methods and techniques can be useful in a variety of client and server environments, and also serve to alert eCommerce users to potential threats.

Even one hour of downtime due to a website outage or a malicious attack can have significant impact on a retailer's reputation and revenue, especially during the holidays, a time which the National Retail Federation says can add up to 40 percent of an online retailer's annual revenue. With some large e-commerce sites earning millions each day during the holiday season, even a few minutes of downtime can lead to financial losses in the tens of thousands of dollars, not to mention customer frustration.

With the stakes so high, internet retailers need to adopt a 360-degree approach to security during the holiday season, and ideally year-round. Luckily, there are steps they can take to ensure this. It seems you cannot go a day without hearing about someone or some group hacking a website or stealing credit card and other sensitive data from ecommerce sites. So how do you protect your ecommerce site from being hacked and sensitive customer data from being stolen? Let's understand how ecommerce and security experts do it. Following are the top 20 tips for protecting your ecommerce site from hacking and fraud.

1. First, prepare for the worst, plan for the best. To ensure website availability and security, online retailers must prepare for the worst through escalation and incident response planning: outline standard operating procedures for downtime, including establishing and training incident-response teams. They should also monitor their site diligently to determine service health and identify anomalies quickly and accurately, and provide failover to backup IP addresses to ensure the site is always available.

2. Improving your infrastructure is important. Optimize the scalability and performance of your internet infrastructure with demonstrated management of the increased traffic load coming your way during the holiday shopping season. Whether you manage your site internally or through a vendor, a track record of maintaining satisfactory service levels during the rest of the year may not be a reliable indicator that service levels can be maintained during the peak holiday traffic season. If the scalability and performance of your infrastructure are not optimized, it could damage your sales revenue and reputation at the worst possible time.

3. Platform selection: Most important is to choose a secure ecommerce platform. Put your ecommerce site on a platform that uses a sophisticated object-oriented programming language. Many of my clients used plenty of different open source ecommerce platforms in the past, and the one we're using now is by far the most secure. Start with the administration panel, which is inaccessible to attackers because it is available only on our internal network and is completely removed from our public-facing servers. Additionally, it has a secondary authentication step that authenticates users against our internal Windows network.

4. Secure connections: Use a secure connection for online checkout, and make sure you are PCI compliant. Use strong SSL [Secure Sockets Layer] authentication for Web and data protection. It can be a leap of faith for customers to trust that your ecommerce site is safe, particularly when Web-based attacks increased 30 percent last year. So it's important to use SSL certificates to authenticate the identity of your business and encrypt the data in transit. This protects your company and your customers from having their financial or other important information stolen. Integrate the stronger EV SSL [Extended Validation Secure Sockets Layer], the green URL bar and an SSL security seal so customers know that your website is safe. SSL certificates are a must for transactions. To validate credit cards we use a payment gateway that runs live address verification right on our checkout. This prevents fraudulent purchases by comparing the address entered online to the address on file with the customer's credit card company.

5. Scrap data outright that is not needed for future use. Don't store sensitive data. There is no reason to store thousands of records on your customers, especially credit card numbers, expiration dates and CVV2 [card verification value] codes. In fact, it is strictly forbidden by the PCI standards. We recommend purging old records from your database and keeping a minimal amount of data, just enough for chargebacks and refunds. The risk of a breach outweighs the convenience for your customers at checkout. If you have nothing to steal, you won't be robbed. As simple as that.
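As an added illustration of this tip (example code, not part of the original post or any particular platform), the snippet below keeps an order table that has no column for the card number, expiry date or CVV2 at all, stores only the gateway's opaque token plus the last four digits, and purges anything older than a retention window. The 180-day window and the sample orders are constructed assumptions; set the real window from your acquirer's dispute rules.

```python
import sqlite3
from datetime import datetime, timedelta

# Assumed retention window for chargebacks and refunds; this is a placeholder value,
# not a figure from the post. Take the real value from your acquirer's dispute rules.
RETENTION_DAYS = 180

def valid_last4(value):
    """Accept only the last four digits, so a full card number can never be written."""
    return len(value) == 4 and value.isdigit()

def open_db():
    conn = sqlite3.connect(":memory:")
    # Note what is absent: no card number, expiry date or CVV2 column exists at all.
    conn.execute("""
        CREATE TABLE orders (
            order_id      TEXT PRIMARY KEY,
            placed_at     TEXT NOT NULL,   -- ISO 8601 timestamp, UTC
            gateway_token TEXT NOT NULL,   -- opaque reference the payment gateway returned
            card_last4    TEXT NOT NULL,   -- enough for receipts and refunds
            amount_cents  INTEGER NOT NULL
        )""")
    return conn

def record_order(conn, order_id, placed_at, gateway_token, card_last4, amount_cents):
    if not valid_last4(card_last4):
        raise ValueError("store only the last four digits of the card")
    conn.execute("INSERT INTO orders VALUES (?, ?, ?, ?, ?)",
                 (order_id, placed_at.isoformat(), gateway_token, card_last4, amount_cents))

def purge_expired(conn, now, retention_days=RETENTION_DAYS):
    """Delete orders older than the retention window; returns how many were removed."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    # ISO 8601 strings of one format sort chronologically, so a text comparison works.
    return conn.execute("DELETE FROM orders WHERE placed_at < ?", (cutoff,)).rowcount

def demo():
    """Constructed data: three orders, two of them past the retention window."""
    conn = open_db()
    now = datetime(2014, 1, 18)
    record_order(conn, "A1", now - timedelta(days=10), "tok_a1", "4242", 1999)
    record_order(conn, "A2", now - timedelta(days=200), "tok_a2", "1111", 5000)
    record_order(conn, "A3", now - timedelta(days=400), "tok_a3", "2222", 750)
    deleted = purge_expired(conn, now)
    remaining = conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    return deleted, remaining

if __name__ == "__main__":
    print(demo())
```

The point of the schema is that a breach of this table cannot expose a card number because one was never written; refunds go through the gateway token, which is useless outside your merchant account.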

6. DDoS: Don't forget about DDoS. With the increase in size and complexity of distributed denial-of-service (DDoS) attacks, companies should consider leveraging upstream service providers to protect both Web servers and DNS. If either goes down, a company could be out of business. A cloud-based approach to both DNS management and DDoS protection provides a cost-effective alternative for maintaining uptime.

7. Security best practices/measures: Make sure to implement security best practices by partnering with a security provider for holistic support. Not all ecommerce sites can develop an internal cyber intelligence capability. Security service providers can help to quickly identify and understand the various security incidents and their implications, determine effective mitigation and remediation tactics, and develop a clear plan to enhance security. For the holiday season in particular, online retailers should take advantage of holistic services that are designed to help protect e-commerce sites during the peak online shopping season. Delivered via the cloud, such services combine fully reliable DNS resolution and DDoS attack protection to support critical Web-based systems and reduce the risk of downtime.

8. Employ an address and card verification system. Enable an address verification system (AVS) and require the card verification value (CVV) for credit card transactions to reduce fraudulent charges.

9. Empower users with strong passwords. Require strong passwords. While it is the responsibility of the retailer to keep customer information safe on the back end, you can help customers help themselves by requiring a minimum number of characters and the use of symbols or numbers; longer, more complex logins make it harder for criminals to breach your site from the front end.

10. Set up system alerts for suspicious activity. Set an alert for multiple and suspicious transactions coming through from the same IP address. Similarly, set up system alerts for multiple orders placed by the same person using different credit cards, phone numbers from markedly different areas than the billing address, and orders where the recipient name differs from the cardholder name.
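The alert rules from tips 8 and 10, run over a handful of constructed orders, as an added example (not code from the post or any fraud product). The area-code table, the AVS/CVV result codes (assumed to follow the common Y/N and M/N convention returned by gateways) and the thresholds are all assumptions of this example; the rules produce review flags, not automatic declines.

```python
from collections import defaultdict

# Assumed mapping of phone area codes to states, constructed for this example; a real
# deployment would use a numbering-plan database.
AREA_CODE_STATE = {"212": "NY", "718": "NY", "415": "CA", "305": "FL", "312": "IL"}

# Constructed sample orders (no real customers, IPs or cards). "avs" and "cvv" hold the
# gateway's verification results, assumed to use Y (address and ZIP matched) / N and
# M (CVV matched) / N.
ORDERS = [
    {"id": 1, "ip": "203.0.113.5", "customer": "ann@example.com", "card_last4": "4242",
     "cardholder": "Ann Lee", "recipient": "Ann Lee", "phone": "212-555-0101",
     "billing_state": "NY", "avs": "Y", "cvv": "M"},
    {"id": 2, "ip": "198.51.100.7", "customer": "bob@example.com", "card_last4": "1111",
     "cardholder": "Bob Ray", "recipient": "Carl Zed", "phone": "415-555-0102",
     "billing_state": "FL", "avs": "N", "cvv": "M"},
    {"id": 3, "ip": "192.0.2.9", "customer": "cat@example.com", "card_last4": "5555",
     "cardholder": "Cat Moss", "recipient": "Cat Moss", "phone": "312-555-0103",
     "billing_state": "IL", "avs": "Y", "cvv": "M"},
    {"id": 4, "ip": "192.0.2.9", "customer": "cat@example.com", "card_last4": "6666",
     "cardholder": "Cat Moss", "recipient": "Cat Moss", "phone": "312-555-0103",
     "billing_state": "IL", "avs": "Y", "cvv": "M"},
    {"id": 5, "ip": "192.0.2.9", "customer": "cat@example.com", "card_last4": "7777",
     "cardholder": "Cat Moss", "recipient": "Cat Moss", "phone": "312-555-0103",
     "billing_state": "IL", "avs": "Y", "cvv": "M"},
    {"id": 6, "ip": "203.0.113.77", "customer": "dan@example.com", "card_last4": "8888",
     "cardholder": "Dan Oak", "recipient": "Dan Oak", "phone": "305-555-0104",
     "billing_state": "FL", "avs": "Y", "cvv": "N"},
]

def flag_orders(orders, ip_threshold=3, card_threshold=2):
    """Return {order id: [reasons]} for every order; an empty list means no alert."""
    # First pass: aggregate counts that the per-order rules need.
    orders_per_ip = defaultdict(int)
    cards_per_customer = defaultdict(set)
    for o in orders:
        orders_per_ip[o["ip"]] += 1
        cards_per_customer[o["customer"]].add(o["card_last4"])

    flags = {}
    for o in orders:
        reasons = []
        if o["avs"] != "Y":                                   # tip 8: AVS result
            reasons.append("avs_not_matched")
        if o["cvv"] != "M":                                   # tip 8: CVV result
            reasons.append("cvv_not_matched")
        if orders_per_ip[o["ip"]] >= ip_threshold:            # tip 10: same IP
            reasons.append("ip_velocity")
        if len(cards_per_customer[o["customer"]]) >= card_threshold:
            reasons.append("multiple_cards_same_customer")    # tip 10: many cards
        if o["recipient"].casefold() != o["cardholder"].casefold():
            reasons.append("recipient_differs_from_cardholder")
        phone_state = AREA_CODE_STATE.get(o["phone"].split("-")[0])
        if phone_state is not None and phone_state != o["billing_state"]:
            reasons.append("phone_area_far_from_billing")     # unknown codes are skipped
        flags[o["id"]] = reasons
    return flags

def orders_to_review(orders):
    """Ids that would raise an alert for manual review, in id order."""
    return sorted(i for i, reasons in flag_orders(orders).items() if reasons)

if __name__ == "__main__":
    for order_id, reasons in flag_orders(ORDERS).items():
        print(order_id, reasons or "ok")
```

The velocity and multiple-card rules need the whole batch (or a rolling window in production), which is why the counts are built in a first pass; the remaining rules are per order. Tune the thresholds on your own order history so the queue stays reviewable.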

11. Multi-layer security. One of the best ways to keep your business safe from cyber criminals is layering your security. Start with firewalls, an essential aspect of stopping attackers before they can breach your network and gain access to your critical information. Next, add extra layers of security to the website and applications, such as contact forms, login boxes and search queries. These measures will ensure that your eCommerce environment is protected from application-level attacks like SQL (Structured Query Language) injection and cross-site scripting (XSS).
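The search-box case this tip mentions, shown as an added example (not code from the post or from any ecommerce platform): a product search written by string concatenation beside its parameterized form, and the result page rendered with and without HTML escaping. The product table is constructed sample data; the storefront's own code and schema are assumptions of this example.

```python
import html
import sqlite3

def make_catalog():
    """Constructed in-memory product table (sample data, not a real shop)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, price_cents INTEGER, published INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("red mug", 899, 1),
        ("blue mug", 899, 1),
        ("unreleased mug", 0, 0),   # not yet published; must stay off the storefront
    ])
    return conn

def search_vulnerable(conn, term):
    """Builds the statement by concatenation: whatever is typed in the box becomes SQL,
    so the 'published = 1' filter can be switched off from the search field."""
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]

def search_safe(conn, term):
    """Parameterized query: the term is sent as data, never parsed as SQL. LIKE's own
    wildcards are escaped too, so a customer cannot turn one search into 'match all'."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = ("SELECT name FROM products WHERE published = 1 "
           "AND name LIKE ? ESCAPE '\\' ORDER BY rowid")
    return [row[0] for row in conn.execute(sql, ("%" + escaped + "%",))]

def render_vulnerable(term, names):
    """Reflects the search term and product names into HTML without escaping (XSS)."""
    items = "".join("<li>" + n + "</li>" for n in names)
    return "<p>Results for " + term + "</p><ul>" + items + "</ul>"

def render_safe(term, names):
    """Escapes every untrusted value before it is placed in HTML text."""
    items = "".join("<li>" + html.escape(n) + "</li>" for n in names)
    return "<p>Results for " + html.escape(term) + "</p><ul>" + items + "</ul>"

if __name__ == "__main__":
    conn = make_catalog()
    print(search_safe(conn, "mug"))
    print(render_safe("mug", search_safe(conn, "mug")))
```

The layered point of the tip applies here: a web application firewall in front of the site is one layer, but the parameterized query and the output escaping are the layer that holds when a request gets past it, because they remove the defect rather than filter for its symptoms.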

12. Provide security training to employees. Developers, employees and operators need to know that they should never email or text sensitive data or reveal private customer information in chat sessions, as none of these communication methods is secure. Managers also need to be educated on the laws and policies that affect customer data and be trained on the actions required to keep it safe. Use strict written protocols and policies to reinforce and encourage employees to adhere to mandated security practices.
Employee training is crucial, as is an ongoing effort to build security compliance. Today's enterprise is under constant attack; there's simply no denying that. And there has never been a more important time to have timely and actionable insight into what's going on. It takes diligence and commitment for an organization to maintain a secure defense, especially when running an e-commerce store.

13. Use tracking numbers for all orders. To combat chargeback fraud, have tracking numbers for every order you send out. This is especially important for retailers who drop ship.

14. Monitor your site regularly, internally and externally, and make sure whoever is hosting it does too. Always have a real-time analytics tool; it's the real-world equivalent of installing security cameras in your shop. Tools like Woopra or Clicky allow you to observe how visitors are navigating and interacting with your website in real time, allowing you to detect fraudulent or suspicious behavior. With tools like these we even receive alerts on our phones when there is suspicious activity, allowing us to act quickly and prevent suspicious behavior from causing harm. Also, make sure whoever is hosting your ecommerce site regularly monitors their servers for malware, viruses and other harmful software.
Ask your current or potential Web host if they have a plan that includes at least daily scanning, detection and removal of malware and  viruses on the website.

15. Perform regular PCI scans. Perform quarterly PCI scans through services like Trustwave to lessen the risk that your ecommerce platform is vulnerable to hacking attempts. If you're using third-party downloaded software like Magento or PrestaShop, stay on top of new versions with security enhancements. A few hours of development time today can potentially save your entire business in the future.

16. Patch your systems. Patch everything immediately, literally the day a new version is released. That includes the Web server itself, as well as other third-party code like Java, Python, Perl, WordPress and Joomla, which are favorite targets for attackers. Breached sites are constantly found running a three-year-old version of PHP or a ColdFusion from 2007, so it's critical that you install patches on all software. Your Web apps, Xcart, OSCommerce, ZenCart and any of the others all need to be patched regularly.

The cloud approach will help [eCommerce businesses] trim operational costs while hardening their defenses to thwart even the largest and most complex attacks. In addition, a managed, cloud-based DNS hosting service can help deliver 100 percent DNS resolution, improving the availability of Internet-based systems that support online transactions and communications.

17. Consider a fraud management service. Fraud does happen. And for merchants, the best resolution is to make sure you are not holding the bag when it does. Most credit card companies offer fraud management and chargeback management services. This is a practical approach to take because most security experts know there is no such thing as 100 percent safe.

18. Regular backup: Make sure you, or whoever is hosting your site, are backing it up and have a disaster recovery plan. Results from a recent study by Carbonite revealed that businesses have big gaps in their data backup plans, putting them at risk of losing valuable information in the event of a power outage, hard drive failure or even a virus. So to make sure your site is properly protected, back it up regularly, or make sure your hosting service is doing so.

19. Data security: Research finds that 89% of attacks continue to target your customer records. With data as the lifeblood of all organizations, it's no wonder that securing intellectual property and meeting compliance requirements continue to be a challenge. For every business challenged by increasingly complex threats, choose a good data security solution that keeps things simple so you can keep growing. With data security offerings you gain content protection and control throughout your entire enterprise, from the desktop to the network perimeter, for your data at rest and in motion.

20. Create an office environment where people appreciate the value of privacy and security. It is important that you sensitize your people to avoid being careless when they handle data. If you are a professional eCommerce business, you will have several employees with varying extents of access to data. As a business manager it is your job to train people to handle the data right.

The e-commerce industry is slowly addressing security issues on its internal networks. There are guidelines for securing systems and networks available for eCommerce systems personnel to read and implement. Educating the consumer on security issues is still in its infancy but will prove to be the most critical element of the e-commerce security architecture. Trojan horse programs launched against client systems pose the greatest threat to e-commerce because they can bypass or subvert most of the authentication and authorization mechanisms used in an e-commerce transaction. These programs can be installed on a remote computer by the simplest of means: email attachments. Training and orientation programs will become more critical in order to increase the general populace's awareness of security on the Internet. IT and financial control/audit groups within the eCommerce site should form an alliance to overcome the general resistance to implementing security practices at the business level. Industry self-regulation of consumer privacy appears to be ineffective. The FTC privacy survey and its recommendations to Congress may result in the introduction of legislation on privacy issues.
