Part 4: Secure eCommerce Websites
eCommerce is exactly what it sounds like: putting traditional business commerce in an online arena. Businesses of all sizes have turned to eCommerce as a way of reaching more customers and increasing sales.
eCommerce can be great for small businesses – especially when their competitors are larger companies. But managing an eCommerce site within a small business can be tricky when you consider the regulatory complexities that accompany collecting payment information.
This month, we’ll focus on the ins and outs of eCommerce websites for small businesses – from PCI Compliance and user verification to cybersecurity tips, best practices and recommended service providers.
Weighing the Benefits & Risks
We’ve discussed how businesses have made the shift online to follow consumer trends. These trends show that convenience is the driving force behind the increase in online shopping.
In fact, more than half of consumers preferred to shop online, and nearly all consumers made at least one online purchase in 2017.
eCommerce websites can also help you achieve business goals that are not revenue-related. Establishing an online presence can help you appear in search results and expand your business’ geographical reach.
PCI Security Standards
Having an eCommerce site means you will be collecting payment information from customers. Although it may seem obvious, this is an important differentiator from other types of business websites because it requires you to follow the Payment Card Industry Data Security Standard (PCI DSS).
Any business that accepts, processes, stores or transmits cardholder data must be PCI compliant. PCI DSS is not a government regulation but an industry standard set by the major card brands and enforced through your contract with your acquiring bank or payment processor. It exists so that businesses properly handle, store and transmit sensitive payment information.
PCI compliance is divided into two groups, merchants and service providers. Merchants are placed in one of four levels and service providers in one of two, based on how many card transactions are processed each year, with small business merchants typically falling into Level 3 or 4. How much of the standard you must validate also depends on how card data touches your systems: a merchant that fully outsources checkout to a hosted payment page, so that card numbers never reach its own servers, can validate against the shortest self-assessment questionnaire (SAQ A), while a site that handles card numbers itself must meet far more requirements.
No business is exempt from complying with these security standards, regardless of size. The challenge for small businesses is that they often lack the in-house expertise to meet and maintain them.
eCommerce Risks for Small Businesses
The security risks that come with eCommerce websites – such as weak payment and user verification, bot attacks and data breaches – can put an end to your business before it even starts.
Convenience often overshadows proper security for both consumers and businesses alike. Let’s explore some ways that you can have both convenience and security when it comes to your eCommerce site.
Payment & User Verification
Fraudsters know that eCommerce is preferred amongst consumers. In turn, identity thieves target online stores to steal personal and financial information, as well as make purchases with fraudulent or stolen cards.
eCommerce stores let customers pay without presenting a physical card. Consequently, card-not-present (CNP) fraud, using a stolen card number online where no chip, PIN or signature is checked, has become a favored method amongst identity thieves for spending stolen cards without being detected.
Bot Attacks & Account Takeover
Malicious bots can also cause harm to your site and put your customers’ information at risk. A bot is an automated program, often running across a network of compromised devices (a botnet), used to break into accounts, probe your site for weaknesses and skew your analytics.
Bots can be programmed to carry out many functions, but eCommerce user accounts are often prime targets. Distil Networks found that 97 percent of sites experienced bot attacks in 2017 – with malicious bots accounting for nearly 16 percent of all eCommerce web traffic.
“Brute force attacks,” where a bot repeatedly tries password guesses against an account until one works, and credential stuffing, where a bot replays username and password pairs leaked from other breaches in the hope that your customers reused them, can be especially risky for your customers if they save personal and financial information to their accounts. Once inside, identity thieves can use these bots to harvest the saved information, make purchases, or even lock users out of their own accounts.
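As an added example that is not part of the original article, the Python script below runs simple detection logic over a few constructed login log lines and separates the patterns described above: repeated failures against one account from one address (password guessing), one address failing against many accounts (credential stuffing or password spraying), and one account attacked from many addresses (a distributed botnet). The log format, thresholds, addresses and user names are assumptions for illustration; replace the parser with one for your own application or web server log.

```python
"""Flag brute-force and credential-stuffing patterns in login logs.

Added example, not from the original article. The log format below
("timestamp ip username RESULT") is a constructed one; replace parse_line()
with a parser for your own application or web server log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # failures inside WINDOW before a key is flagged
WINDOW = timedelta(minutes=5)

# Constructed sample log (RFC 5737 documentation addresses, fictional users).
SAMPLE_LOG = """\
2017-11-02T09:50:00 203.0.113.7 ivan FAIL
2017-11-02T10:00:01 203.0.113.7 alice FAIL
2017-11-02T10:00:03 203.0.113.7 alice FAIL
2017-11-02T10:00:05 203.0.113.7 alice FAIL
2017-11-02T10:00:07 203.0.113.7 alice FAIL
2017-11-02T10:00:09 203.0.113.7 alice FAIL
2017-11-02T10:00:11 203.0.113.7 alice FAIL
2017-11-02T10:01:00 198.51.100.9 dave FAIL
2017-11-02T10:01:01 198.51.100.9 erin FAIL
2017-11-02T10:01:02 198.51.100.9 frank FAIL
2017-11-02T10:01:03 198.51.100.9 grace FAIL
2017-11-02T10:01:04 198.51.100.9 heidi FAIL
2017-11-02T10:02:00 192.0.2.10 bob FAIL
2017-11-02T10:02:05 192.0.2.11 bob FAIL
2017-11-02T10:02:10 192.0.2.12 bob FAIL
2017-11-02T10:02:15 192.0.2.13 bob FAIL
2017-11-02T10:02:20 192.0.2.14 bob FAIL
2017-11-02T10:03:00 203.0.113.50 carol FAIL
2017-11-02T10:03:20 203.0.113.50 carol OK
"""


def parse_line(line):
    """Return (timestamp, ip, username, succeeded) for one log line."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), result == "OK"


def _remember(recent, ts, value, window):
    """Append a failure and drop entries older than the sliding window."""
    recent.append((ts, value))
    while recent and ts - recent[0][0] > window:
        recent.popleft()


def analyze(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return the keys whose recent failures reach the threshold.

    brute_force:          (ip, user) pairs with >= threshold failures
    credential_stuffing:  ips failing against >= threshold distinct accounts
    distributed:          accounts failing from >= threshold distinct ips
    """
    pair_fails = defaultdict(deque)   # (ip, user) -> [(ts, None)]
    ip_fails = defaultdict(deque)     # ip -> [(ts, user)]
    user_fails = defaultdict(deque)   # user -> [(ts, ip)]
    findings = {"brute_force": set(), "credential_stuffing": set(),
                "distributed": set()}

    events = sorted(parse_line(line) for line in log_text.strip().splitlines())
    for ts, ip, user, ok in events:
        if ok:
            continue  # only failures feed the counters
        _remember(pair_fails[(ip, user)], ts, None, window)
        _remember(ip_fails[ip], ts, user, window)
        _remember(user_fails[user], ts, ip, window)

        if len(pair_fails[(ip, user)]) >= threshold:
            findings["brute_force"].add((ip, user))
        if len({u for _, u in ip_fails[ip]}) >= threshold:
            findings["credential_stuffing"].add(ip)
        if len({i for _, i in user_fails[user]}) >= threshold:
            findings["distributed"].add(user)
    return findings


def should_challenge(findings, ip, user):
    """Policy hook: step up (CAPTCHA, MFA, temporary block) for flagged keys."""
    return (ip in findings["credential_stuffing"]
            or user in findings["distributed"]
            or (ip, user) in findings["brute_force"])


if __name__ == "__main__":
    for kind, keys in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {sorted(keys)}")
```

The three counters matter because a single per-address limit misses the last two cases: a stuffing bot spreads one failure across many accounts, and a botnet spreads failures against one account across many addresses. The 09:50 failure from 203.0.113.7 shows the sliding window at work; it has aged out by the time the same address starts on alice.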
Data Breaches & Phishing
eCommerce sites are especially targeted by cybercriminals for data breaches and phishing scams because of the personal and payment information they hold. This is where PCI compliance comes in: it sets the baseline security controls your site must meet, though meeting that baseline is a starting point rather than a guarantee against a breach.
Fraudsters may also indirectly attack your site by targeting your customers in phishing scams. Spoofed websites are created by identity thieves to replicate known brands and convince victims to give up personal and financial information.
Did You Know…?
More than half (61 percent) of data breach victims last year were businesses with under 1,000 employees.
To third-party or not to third-party?
Once again, small businesses face the budget dilemma: do it yourself, or pay to have it managed for you.
Implementing the proper security measures to protect your eCommerce website is key. However, configuring and managing firewalls, hardened servers, TLS certificates and encryption of stored data requires in-house expertise that many small businesses lack.
What are your options? Larger companies with more robust IT, web development and security teams may opt to build their own eCommerce websites and payment gateways. But, building your own website without the sufficient knowledge and resources can leave room for security vulnerabilities, misconfiguration and non-compliance.
Thus, smaller companies may want to opt for a third-party service like Shopify, Wix, Braintree or PayPal that will handle most of the work for you. These service providers offer free and paid plans, and their hosted checkout pages or payment widgets can be integrated into your own site so that card numbers are entered on the provider’s systems rather than stored on yours, which also shrinks your PCI DSS scope.
Get Out There!
Now you have all the tools you need to start establishing a secure online presence – so get out there and start spreading the word! Below are some tips to keep in mind when it comes to your business eCommerce site:
- Verify users before purchasing. Verification is key to keep bots and other malicious entities from taking over accounts or making purchases on your site. Consider a CAPTCHA challenge before a transaction can be made, rate-limit and monitor failed logins, and offer or require multi-factor authentication (such as a one-time code from an authenticator app) when users log into their accounts.
- Review PCI compliance requirements. It’s good to know where your business falls in PCI compliance. Get more information about PCI security standards, best practices and requirements by visiting the PCI Security Standards Council’s FAQ page.
- Do your research. Research service providers for their reputability in the eCommerce platform space. Review each company’s security policies and choose one that best fits your business.
- Honesty is the best policy. When choosing between a “do-it-yourself” approach vs. using a paid eCommerce platform, be honest about the resources available to you within your business.
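The multi-factor login suggested in the first tip above can be built from a standard one-time-code algorithm. The Python below is an added example, not code from the original article or from any of the platforms it names: it implements RFC 6238 time-based one-time passwords (the scheme used by authenticator apps) with only the standard library, checks a submitted code against the current and adjacent 30-second windows to tolerate clock drift, and refuses a code whose window has already been used, which blocks replay. The secret used here is the published RFC 6238 test-vector secret and the account and issuer names are placeholders; a real deployment generates a random secret per user and protects it like a password.

```python
"""Time-based one-time passwords (TOTP, RFC 6238) as a second login factor.

Added example, not from the original article; standard library only.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# RFC 6238 test-vector secret (ASCII "12345678901234567890"). Only for the
# checks below; use new_secret() for real users.
TEST_SECRET = b"12345678901234567890"


def new_secret(nbytes: int = 20) -> bytes:
    """Generate a random shared secret for one user (160 bits for SHA-1)."""
    return secrets.token_bytes(nbytes)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based OTP: dynamically truncate HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, submitted, now=None, last_used_counter=-1,
                step=30, digits=6, drift=1):
    """Return the matching counter if `submitted` is valid, else None.

    Accepts the current window and `drift` windows on either side so a phone
    whose clock is slightly off still works. The caller stores the returned
    counter per user and passes it back as last_used_counter on the next
    login, so the same code cannot be replayed inside the drift window.
    """
    now = time.time() if now is None else now
    counter = int(now) // step
    submitted = submitted.strip().replace(" ", "")
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == digits):
        return None  # malformed input never reaches the comparison
    for delta in range(-drift, drift + 1):
        candidate = counter + delta
        if candidate <= last_used_counter:
            continue  # already consumed: treat as a replay attempt
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return candidate
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps import from a QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"


if __name__ == "__main__":
    print("code for T=59:", totp(TEST_SECRET, 59))
    print(provisioning_uri(TEST_SECRET, "alice@example.com", "ExampleShop"))
```

Store the secret server-side encrypted at rest, return the provisioning URI only once during enrolment, and combine the check with the failed-login throttling discussed earlier, since a six-digit code with a three-window tolerance is still guessable if an attacker is allowed unlimited attempts.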
Use the checklist below to determine if your business could effectively secure and manage an eCommerce website:
- Does my business have the expertise needed to set up and manage a business website?
- Do I know, or do I have a team that knows, how to properly and securely configure my website?
- Do I know, or do I have a team that knows, how to properly secure the data collected on my website?
- Am I confident that my business could address the cyber risks related to my business website?
If you answered “no” to any of these questions, it’s best to stick with eCommerce platforms like Wix, Shopify, PayPal or Braintree.
Continue following Fighting Identity Crimes to get the latest breach and scam updates, ID protection news and tips from our industry experts.
The views and opinions expressed in this article are those of EZShield Inc. alone and do not necessarily reflect the opinions of any other person or entity, including specifically any person or entity affiliated with the distribution or display of this content.