Shopping season is here, and so is the opportunity for ecommerce site owners to grow their business and generate profit.
The shift to online shopping brought on by the recent pandemic makes securing your website more important than ever, both to protect your users and to protect your website’s revenue.
As an ecommerce website owner, you’re required to meet the PCI DSS compliance requirements. The standard is maintained by the PCI Security Standards Council, which was founded by the major card brands, and it governs how cardholder information must be handled. You’re obligated to follow it even if a third-party gateway handles the actual payment processing for you.
While we’ve outlined some PCI requirements for your reference, it’s important to keep in mind that PCI compliance violations aren’t the only negative impact you can expect in the event of compromise.
The impact of a hack can include blacklisting by Google or other authorities, loss of customer trust and brand reputation, and a drop in website traffic.
To lend a hand, we’ve included a number of steps you can take to improve the security of your ecommerce website.
That being said, this is not legal advice:
There are many other additional laws, regulations, and guidelines that may or may not be related to your ecommerce website.
So, why is ecommerce security important?
Trust is the key to your online business.
Getting blacklisted during the holiday shopping season can be devastating for any ecommerce website. A security incident can wreak havoc on traffic, revenue, and brand reputation.
Under most circumstances, bad actors don’t hand-pick websites to attack; that would be far too time-consuming. The majority of attacks against websites are automated, carried out by bots that crawl the web looking for sites running software with known vulnerabilities.
These automated scripts make it easy for hackers to find websites, scan for vulnerabilities, and gain unauthorized access. And small web stores aren’t exempt, either. Criminals are opportunists — they’ll target any accessible websites or server resources.
On top of that, a merchant found to be non-compliant with PCI DSS faces penalties ranging from fines and the time spent remediating to losing the ability to process card payments at all.
Security principles for online stores
The methods you use to secure your ecommerce website will depend on whether your store is managed or self-hosted.
For managed stores like Wix and Squarespace, the provider operates the server and its software, so patching the platform and hardening the server are their responsibility, covered by the monthly fee you pay for that luxury. You remain responsible for what you control: your account credentials, the apps and integrations you enable, and how you handle customer data.
If you’re a self-hosted store, however, you’ll want to pay close attention to the following recommendations.
Reduce your attack surface
With PCI DSS, much of the work comes down to reducing the attack surface.
For an ecommerce site, this specifically means keeping your cardholder data environment (CDE) small. The CDE is the set of systems, processes, and people that store, process, or transmit cardholder data – in other words, the manner in which you handle credit cards on your site.
Even if you leverage third-party services like Stripe, Recurly, PayPal, or another secure payment option, you have an obligation to follow the requirements as set forth by PCI DSS.
Keeping your website’s attack surface as small as possible is a fundamental first step toward improving your security measures.
This means reducing the number of points through which bad actors can enter your environment or extract data from it. These can take the form of insecure credentials; unpatched third-party components, plugins, or extensions; vulnerabilities in your software or CMS; and even server configurations.
Consider every component you’ve added (or want to add) and ask yourself the following questions:
- Do you really need this plugin, theme, or component?
- Does the software vendor have a plan if a vulnerability is disclosed?
- Are there frequent patches and releases, and are the software developers prioritizing security?
- Are there any new patches? Do you plan on monitoring and applying security updates as soon as they are released?
If a third-party component is your only option, choose it from a reputable source with a track record of support: active forums, a recent release history, positive reviews, and other credibility indicators that show it has not been neglected.
PCI compliance & secure payments
If you operate an ecommerce site, PCI compliance is a requirement.
Compliance applies to any business that accepts credit cards. Your transaction volume determines how you validate compliance (most small merchants complete a self-assessment questionnaire), not whether the requirements apply, and the requirements are not limited to the systems that store, transmit, or process card data.
To maintain compliance, you’ll need to ensure that your website meets the twelve requirements of the Payment Card Industry Data Security Standard (PCI DSS), as published by the PCI Security Standards Council.
- Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data
- Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
- Requirement 3: Protect Stored Cardholder Data
- Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
- Requirement 5: Protect All Systems Against Malware and Regularly Update Anti-Virus Software
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
- Requirement 8: Identify and Authenticate Access to System Components
- Requirement 9: Restrict Physical Access to Cardholder Data
- Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data
- Requirement 11: Regularly Test Security Systems and Processes
- Requirement 12: Maintain a Policy That Addresses Information Security for All Personnel
Many online stores use a reputable payment gateway to process credit card transactions. A hosted payment page or iframe-based form from a PCI-validated provider keeps card numbers off your own servers and can bring a small merchant down to the shortest self-assessment questionnaire (SAQ A), but it doesn’t mean you’re off the hook entirely!
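The reduced scope a gateway gives you depends on one property: your own server never receives, logs, or stores a full card number. As an added example (not code from the original post or from Sucuri), here is one way to make that property checkable on the server side for the gateway-based checkout described above and under Reduce your attack surface. The check runs before a request body is logged or stored: it finds digit runs of PAN length that pass the Luhn check, rejects the request if any field contains one, and masks any PAN it reports to the first six and last four digits, the most PCI DSS allows to be displayed. The field names, the `tok_example_…` token format, and both checkout payloads are constructed for the example and are not any real provider’s format.

```python
import re
from typing import Dict, List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run. Constructed for this example.
_PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every card brand applies to its PANs."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every digit run in text that has PAN length and passes Luhn."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits (PCI DSS display limit)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def screen_payload(payload: Dict[str, str]) -> Tuple[bool, Dict[str, List[str]]]:
    """Decide whether a checkout request may proceed.

    Returns (accept, findings). accept is False if any field carries what
    looks like a full PAN; findings maps field name to masked PANs so the
    rejection can be logged without the log itself becoming cardholder data.
    """
    findings: Dict[str, List[str]] = {}
    for field, value in payload.items():
        pans = find_pans(str(value))
        if pans:
            findings[field] = [mask_pan(p) for p in pans]
    return (not findings), findings


# Constructed checkout payloads (not real traffic). The token is a placeholder
# for whatever opaque reference your gateway returns in place of the card.
TOKENIZED_CHECKOUT = {
    "order_id": "1234567890123456",  # 16 digits but fails Luhn: not a PAN
    "payment_token": "tok_example_5f2c1a9d",
    "amount": "49.99",
    "email": "shopper@example.com",
}
RAW_PAN_CHECKOUT = {
    "order_id": "1234567890123457",
    "card_number": "4111 1111 1111 1111",  # Visa test PAN, Luhn-valid
    "exp": "12/27",
    "amount": "49.99",
}

if __name__ == "__main__":
    for name, payload in (("tokenized", TOKENIZED_CHECKOUT), ("raw PAN", RAW_PAN_CHECKOUT)):
        accept, findings = screen_payload(payload)
        print(f"{name}: accept={accept} findings={findings}")
```

The Luhn check is a heuristic: roughly one in ten random digit strings of the right length passes it, so treat a hit as a request to reject and investigate, not as proof that a card number was sent. The useful signal is the opposite direction: if this guard ever fires in production, your checkout is posting card data to your own server and you are no longer in the reduced scope a gateway is supposed to give you.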
Ask a few people who operate ecommerce shops and you’ll likely find they fear audits nearly as much as hacks.
But, when you gain an understanding of what it takes to run a secure online store — and embrace those principles — it offers peace of mind. You’ll also gain confidence that your customers’ data is safe and you’re staying on the good side of any regulatory agencies that might drop by.
Most importantly, the steps you take toward compliance are also good practices for a strong security posture overall.
This article originally appeared on the Sucuri blog by Victor Santoyo.