This is a guest post from Patrick Foster of Ecommerce Tips.
At its best, eCommerce feels like magic — flouting the traditions of retail to deliver experiences that sweep along seamlessly, seeing money change hands and products shipped to buyers with minimal fuss and maximum convenience. Today, though, most shoppers understand that there’s really nothing magical about it, and placing too much faith in online stores could work out poorly.
Why? The various high-profile hacks and data leaks that reached mainstream awareness in recent years have certainly made an impact. In general, we’ve all started to understand exactly how powerful — and how dangerous — the glut of personal information on the Internet can be, and that’s before you factor in the threat of spoofed financial transactions.
So if you’re an ambitious seller with an eye on the future, be mindful of how your store (or stores) comes across to the average visitor. Plenty of eCommerce websites out there have shockingly poor security. Let’s look at the top 6 reasons why, so you can ensure that you’re not making any obvious mistakes.
6 Big eCommerce website security mistakes
They use weak and/or stale passwords
This is hardly surprising, and it is likely to remain an issue until conventional password systems are rendered obsolete by biometrics and the like, which may take decades if it happens at all. Passwords remain a major problem for eCommerce sites. This goes across their entire online operations, but it’s most readily damaging when it plagues their admin dashboards.
After all, if someone happens to guess (or brute-force, or extract through social engineering) your admin password, they’ll have wide-ranging access to the bulk of your systems, if not all of them. Lock you out, change the website, access linked accounts, download customer data — the intruder will be capable of fundamentally compromising the entirety of your business.
Don’t let this become an issue. Use strong passwords, follow modern best practices, and consider using a password-management system if necessary — though don’t allow that to become a point of vulnerability. Don’t hand out your password, or leave your logged-in computer unlocked while you’re away from your office. Be sensible, and you should be safe.
They overlook PCI compliance
Any business (or individual) that handles credit card transactions online must comply with the PCI DSS (the Payment Card Industry Data Security Standard) to merit any kind of credibility. While there’s no actual obligation to follow such a standard in general, relevant elements are mandated in some cases (at a state level, chiefly), and the main issue is the risk it avoids.
Think of it this way: in the event that your eCommerce business suffers a major data breach, your systems will be heavily scrutinized to determine the extent of your responsibility. If it’s found that you never bothered to ensure compliance with PCI standards, you’ll be left open to a barrage of lawsuits, and have no compelling defense to offer in return.
Thankfully, complying with PCI procedures is fairly easy thanks to standardized eCommerce systems. If you’re using a dedicated eCommerce CMS, you need only confirm that it offers PCI compliance, and you won’t have to worry about the details. (In the unlikely event that you run any custom systems, you’ll have the much-harder task of checking compliance yourself).
They don’t use transaction fraud services
In making it massively faster and easier to configure and issue transactions (particularly with the rise of digital wallets and online-only banking systems), the banking world has also established a fresh level of vulnerability to attack. If someone can get hold of enough pieces of personal data, they can glean enough information to issue a fraudulent transaction.
To combat this, there are numerous security services that can automatically assess queued transactions in your store and determine their likelihood to be fraudulent — typically, the level of confidence in the accuracy will be so high that you’ll be able to receive full financial compensation in the event that an approved transaction turns out to be illegitimate.
Plenty of businesses either don’t know about the existence of such anti-fraud services or choose to forgo them, perhaps thinking that fraudulent transaction requests are uncommon and thus not worth worrying about. But it only takes one major fraud to strike a powerful blow against your credibility, so is it really a risk you’re willing to take?
They request unnecessary information
It’s more than just frustrating when you’re trying to place an online order but find yourself inundated with seemingly arbitrary (yet mandatory) data fields. Is a merchant really justified in demanding twenty distinct pieces of personal information? Most of the time, no, they are not — and requesting it can be a security concern.
To some extent, this is a problem due to the consequences of last year’s implementation of GDPR, a new EU regulation that sent shockwaves throughout the eCommerce world. If you store data on EU citizens, you need to be aware of what the regulation demands. But it’s also a problem because the more data you have, the more attractive your database becomes to hackers, and the more disastrous it will be if the data escapes your custody.
What do you currently demand of your customers? The more you can strip away unnecessary fields, the faster your buying process will be, and the less of a security risk your website will be. You can always hook into social logins if you need extra information — modern multi-channel eCommerce is heavily reliant upon this kind of integration, and if you’re not going multi-channel yet, you should really be thinking about it. That way, you don’t need to store the information yourself, reducing your responsibility.
They use too many third-party additions
There’s no eCommerce solution that offers every possible function, and because selling online has such a high ceiling (there’s almost no end to what you can achieve with it), it’s extremely common to use third-party additions to introduce new options. This is usually fine, but it becomes a security threat when you get too lax with the sources, or — more likely — install too many at the same time (often an issue with WordPress).
To hook into your system, a third-party utility (whether an extension, a plugin, an app, an add-on, or some other preferred name) must have adequate access permissions. If you set up 100 such utilities, you encounter two risks: firstly, that at least one of them will have a vulnerability that will allow someone to access your system through it, and secondly, that all those utilities being enabled together could produce some kind of conflict that will make your system more vulnerable in general.
If you want to extend your system, do so, but keep the numbers down, and be absolutely sure that you can trust any developer whose software you use. Even if a utility claims to be very simple, it may request far more access than it needs (see previous point).
They fail to keep up with software updates
When software is released, it encounters real-world testing for the first time, and flaws start coming to the surface. This is normal, and nothing to be overly concerned about — most likely the developer will swiftly issue a security patch (or patches) to seal up the gaps before anyone can seriously exploit them. But patches can’t always be forced, and that’s where the problem lies.
eCommerce merchants have a lot to do and think about, so their time is at a premium. Given a choice between installing updates of unclear value and (for instance) running some refreshed marketing, they’ll want to go with the latter, because it has clear potential to be profitable. Fail to keep a system updated, though, and it will become steadily more vulnerable to attack — still carrying the flaws that have since become common knowledge to hackers.
It may not be much fun to set aside some time every week to review and install software updates, but it is vitally important if you want to avoid security problems. Note that there’s a significant overlap with the previous point here: the fewer third-party utilities you have installed, the fewer updates you’ll have to sort through.
How do you currently rate your eCommerce website for security, keeping all of these issues in mind? If you feel that it’s falling short in some areas, keep a cool head — you still have time to turn things around. Follow best practices, think carefully about where you can make improvements, and you can start moving in a safer direction.