[BreachExchange] How to Secure Your eCommerce Business in 2017

Inga Goddijn inga at riskbasedsecurity.com
Tue Jan 17 15:25:06 EST 2017


http://www.businesszone.co.uk/community/blogs/kunjalpanchal/how-to-secure-your-ecommerce-business-in-2017

Statistics reveal that by 2019, the worldwide eCommerce market would
predictably be worth $2.4 trillion
<http://info.rippleshot.com/blog/2016-trends-in-global-ecommerce-fraud>.
Indeed, eCommerce is growing much faster than the expected rate. While
growth is appreciable, there’s also an increased risk of online payment
fraudulent, scams and notorious activities.

In the latest report by Fraud Trends 2016, several important points were
highlighted with respect to fraud prevention and global risk factors. US
retailers chose to move to EMV chip-enabled debit and credit cards
<http://www.businessinsider.com/online-fraud-attacks-in-the-us-are-growing-at-an-alarming-rate-2016-4?IR=T>
in October 2015 to enhance security on physical card transactions, which
was good. However, there were several side effects to it. Since EMV
migration, reports from PYMNTS reveals that fraudulent attacks have raised
significantly by 11%. In fact, there are total 27 fraudulent attacks for
every 1000 eCommerce transactions in the final quarter of 2015, which
increased the fraud rate by a staggering 215%. While digital good were the
cream targets, credit card details were a close second.

*Introducing EV SSL*

Extended Validation SSL Certificate is the most efficient security tool for
eCommerce platforms across the globe. It provides the strongest level of
encryption available and enables organizations running a website to present
its verified identity to visitors and guests. EV SSL certificate offers a
strong guarantee that owners of a website are given thorough and globally
standardized protection and identity verification processes defined within
the guidelines of EV.

Although EV SSL offers strong protection, hackers might get their hands on
it too. If you have an eCommerce website then you can consider online
security as the top priority factor for protecting customer’s personal
information.

Noted below are a few ways to go about it:

*#1 Avoid Collecting/Saving Customer Data*

Hackers can steal all data stored on the eCommerce website. Therefore,
avoid collecting any data or saving private information of customers
through the eCommerce solution, especially data that is not required for
business.

For instance, in order to process credit cards, use encrypted checkout
tunnel that would eliminate the need for the server to see customer credit
card data. Although it can be inconvenient for customers at the time of
checkout, there are many benefits too. Moreover, hackers cannot access
private customer data remotely.

*#2 Encrypt Browser Communications*

Communication between websites and browsers should be encrypted to ensure
secured transmission of confidential information. In order to prevent
hackers from cracking security codes, it is very important to maintain the
latest encryption algorithms like the updated version of SSL, EV SSL
<https://www.ssl2buy.com/ev-ssl-certificate/>, or TSL.

There’s a technical difference between SSL and TSL, which has to be
understood before implementing to avoid any vulnerability.

*#3 Regular Vulnerability Test*

eCommerce sites should be tested for the vulnerability on a regular basis.
All credit card companies have directed retailers to ensure their eCommerce
websites meet the security standards. However, that is not enough. It is
very important to test the eCommerce site regularly to prevent hackers from
intruding into the site to cause real damage.

In fact, regular scanning and penetration testing should be done to prevent
bigger mishaps. Likewise, web application scanning tools can be used to
identify different types of vulnerabilities like cross-site scripting or
XSS, debug code, or leftover source code.

*#4 Remove all Risky Software*

There are some latest web development tools that can eliminate potential
risks and vulnerabilities like HTML 5. Before building a new site, or
redesigning an existing site, consider safer options. Make sure you don’t
use software like Adobe Flash, which increases the risk of vulnerabilities.
If you have to use Flash or Java, patch the software on a regular basis to
make sure you have a secured version.

*#5 Network Perimeter Protection*

No matter where you are, the perimeter of the network is ever-changing.
There may be times when the edge of a network exists within the network of
a business partner. In fact, retail sites are vulnerable and easily
accessible to hackers from the public internet as well as through other
company websites. So, as a preventive measure, use links having quarantine
capabilities.

For instance, physically separate the network access feature between
industrial business partners and confidential customer data.
Understandably, corporate data has layered defenses, each layer having
stronger credential, identification, and restrictions with respect to
access management.

*#6 Take Defensive Measures*

A firewall is considered to be the best defense for websites. However, the
firewall needs frequent configuration, which involves a lot of effort and
time. For eCommerce sites managed by hosting providers, IT staff is
unlikely to have access to the network security features, which makes it
difficult to manage. Moreover, regular testing and monitoring of eCommerce
sites are always difficult as there are vulnerabilities like data loss. So,
it is best to adapt some must-have security measures like data loss
prevention, data loss detection, advanced persistent threat detection,
intrusion prevention, DDoS protection, reputation defenses, and
antimalware, antivirus and fraud management.

*#7 Encryption*

It is not only necessary to encrypt data but also communications. Encrypt
all possible vital communications with customers and business partners,
especially the ones involving the use of credit/debit card processors. It
would be apt to consider encrypted email too. The simple fact is that no
one should send potentially personal and private data in plain text format
over the internet.

*#8 Choose a Safe Hosting Provider*

The choice of hosting provider is important to ensure privacy and security
of data. Some hosting providers offer a wide range of applications and
tools to make it easier to create and run eCommerce sites securely. So,
choose a hosting provider that offers 128-but AES encryption, or 256-bits,
has regular backup feature, maintains comprehensive logs, believes in
regular network monitoring, provides written policies, and a ensures a
single point of contact for emergencies.

*#9 Proactive Treatment*

Emergencies and hacking can happen anytime. The only way to secure an
eCommerce site is to perform regular tests, diagnose problems immediately,
and monitor the site to make sure problems are eliminated fast.

For this, it is best to have log files with insights into the security of
the site. Security, however, is an ongoing feature; it is not time-bound.
So, I strongly feel that one should consider self-evaluation, regular
checkup and monitoring, and ongoing evaluation of the log files to prevent
intrusion and loss of data.

It is our duty to provide a safer eCommerce haven to our users for a better
experience and avoid high-profile breaches and public disasters. Do not let
hackers have their way!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170117/eb19f724/attachment.html>


More information about the BreachExchange mailing list