What security standards exist and why do I need them in my ecommerce site?
As an online merchant, you are always responsible for the security of your store, even if the technical aspects are administered by a third party. Therefore it is important to know the risks involved.
Security risks for online merchants
There are four areas to be aware of when looking at security for online stores:
- The connection used for website traffic
- Security in the ordering process
- Risk of security leaks
- Risk of DDoS attacks
The connection used for website traffic
Ten years ago, most websites used an insecure "http" connection. HTTP stands for "hypertext transfer protocol"; it is the protocol a web client (usually a web browser) and a web server use to communicate.
These days a secure connection, https, is far more common. HTTPS is safer because, unlike http, the client can verify that it is talking to the genuine server, and all data exchanged is encrypted. The encryption is set up using an SSL certificate.
In short, this means that the traffic between the client and the server cannot be read if it is intercepted. This is especially important when pages containing personal information are being sent to the server, for instance when someone fills in the contact form or when a customer places an order.
Make sure that, in the software you choose, at least these types of pages run over an https connection. It is better still if the entire website runs on a secure connection.
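A small check for the recommendation above, added here as an example and not part of the original article: it judges whether a page is forced onto https (plain-http requests must redirect to https, https pages should send Strict-Transport-Security, and cookies set on checkout pages should carry the Secure attribute). The helper names, the shop.example host and the sample responses are constructed for this example; `check_url` needs network access, `assess_response` runs offline.

```python
"""Check that store pages (checkout, contact form) are forced onto HTTPS."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

HSTS = "strict-transport-security"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow redirects: we want to inspect the first hop ourselves.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def assess_response(requested_url, status, headers):
    """Return a list of findings (empty = OK) for one response to requested_url."""
    h = {k.lower(): v for k, v in headers.items()}  # case-insensitive header lookup
    findings = []
    if urlsplit(requested_url).scheme == "http":
        # A plain-http request is only acceptable if it is redirected to https.
        location = h.get("location", "")
        if status not in (301, 302, 307, 308) or urlsplit(location).scheme != "https":
            findings.append("plain http is served instead of redirecting to https")
    else:
        if status == 200 and HSTS not in h:
            findings.append("https page lacks Strict-Transport-Security header")
        if "set-cookie" in h and "secure" not in h["set-cookie"].lower():
            findings.append("cookie set without the Secure attribute")
    return findings


def check_url(url, timeout=10):
    """Fetch url (single hop, no redirect following) and assess it. Needs network."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
        status, headers = resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        status, headers = err.code, dict(err.headers)
    return assess_response(url, status, headers)


if __name__ == "__main__":
    # Constructed sample responses (not real captures) so the script runs offline.
    samples = [
        ("http://shop.example/checkout", 301, {"Location": "https://shop.example/checkout"}),
        ("http://shop.example/contact", 200, {"Content-Type": "text/html"}),
        ("https://shop.example/checkout", 200, {"Set-Cookie": "cart=1; HttpOnly"}),
    ]
    for url, status, headers in samples:
        print(url, "->", assess_response(url, status, headers) or "OK")
```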
The security of the ordering process
The checkout process is by far the most vulnerable part of an online store. Sensitive data, such as customer details and payment information, is exchanged there.
The entire ordering process should take place via a secure connection. Payments are usually facilitated by a Payment Service Provider (PSP). For an online store owner it is especially important to choose a PSP that meets security requirements.
The most important standard for payments is PCI DSS (Payment Card Industry Data Security Standard). All PSPs that offer credit card payments have to comply with it. Keep this in mind when you choose a PSP.
The risk of security leaks
There are various ways for hackers to break into a website and steal data. Staying protected against these attacks is difficult, as the attack on eBay, in which the data of millions of users was stolen, shows.
Before you decide on ecommerce software, check how the software protects itself against these sorts of attacks. Most providers are transparent about this. Open-source solutions are, by definition, more exposed to attacks because the source code is freely accessible. Their popularity also makes them very attractive to hackers.
The risk of DDoS attacks
In addition to security leaks, web servers also tend to be vulnerable to DDoS attacks. DDoS stands for Distributed Denial of Service. This happens when someone deliberately sends so many requests at once to a web server that the website, internet service, or network can no longer be used. Usually large networks of hijacked computers are used for this.
Research in advance whether the software has previously been the target of DDoS attacks and, if so, how they were handled: for example, how long was the service unavailable?