Building an online store should be an enjoyable and exciting experience, but there are serious issues that must be considered to ensure the business - and customers - are kept as safe as possible. After all, you don’t want your shiny new store and company brand ruined by hackers, security breaches, or data loss – do you?
Building a secure online store starts from the moment you choose a hosting provider, and continues all the way through using the website on a day-to day-basis. Let’s take a look at the five most important areas to consider to safely build an online store:
1. SSL and a Secure Hosting Service
One of the most important aspects of building any website is choosing a good hosting provider. It’s even more crucial when starting an online store because people will be submitting payments through the site, meaning security is a top priority.
A hosting provider stores your site’s files on its servers. Without it, you wouldn’t be able to get the site on the internet. Providers do much more than just “host” a website, however. They’re responsible for keeping the site live, handling surges in traffic, maintaining site speeds, and more.
While you shouldn’t fully rely on hosting providers to keep the online store secure, you can give it the best chance by choosing a quality provider that does everything possible to keep the site safe. Many of the best providers include Secure Sockets Layer (SSL) certificates with all plans, while others include such extra security defenses as:
- Automatic backups
- Hack protection
- DDoS (Distributed Denial of Service) protection
- Malware detection and removal
Having SSL security is an absolute must for an online store.
SSL certificates encrypt any data passing through the website, including login details and payment information. Without SSL, private data is vulnerable to hackers and leaks. Always check what type of SSL certificate comes with the hosting plan. Most provide the basic version but selling online should warrant investments in more advanced options. Consider buying an Extended Validation (EV) SSL, which is the highest level of protection an SSL can offer, as it includes in-depth vetting and verification of the business.
2. TLS Encryption and PSD2 Preparation to Protect Financial Transactions
When it comes to staying safe online, customers deserve the best. That’s where Transport Layer Security (TLS) comes in. This is similar to SSL security, but a better, more improved version. Often, the terms are interchanged freely, as TLS secures data passing between customers and a store – much like SSL does.
In basic terms, TLS does three things: It ensures both parties are actually who they say they are, checks that data being shared isn’t corrupted, and encrypts information so it can pass protected from one party to the other. So, what do you need to install TLS? The good news is, it’s usually installed along with the SSL certificate, so you don’t need to do any extra work.
What could mean extra work is thenewPSD2 regulation, which recently came into effect this September. This stands for Payment Services Directive, and is designed to benefit consumers, reduce fraud, and open up payment methods and making them more secure. Payment fraud has been rising over the years, so PSD2 should be a blessing for your store. If you’re not prepared, though, the new regulation could be a nightmare rather than a dream.
The key takeaway is greater protection for financial transactions, called Strong Customer Authentication (SCA). This will use 3D Secure 2.0 to process payments, and introduce a multi-step identification system for customers if they’re spending money in the European Economic Area. This will make payments more secure and is handled by the customer’s bank – meaning there’s no need to worry about ensuring a store being SCA compliant.
What you should do is make sure the checkout is ready to handle this new multi-stage authentication system. Get ready for 3D Secure 2.0 by confirming the right fields are ready for your customers to fill in. This should pave the way to safer transactions, without causing tons of friction for customers. Look for GlobalSign PSD2 certificates to be announced shortly!
3. Protection Against DDoS Attacks
DDoS stands for Distributed Denial of Service, and is a form of attack where hackers flood a site with traffic to crash the server, thus making it unavailable to visitors. This can cause damage to your brand and reputation by upsetting customers trying to reach the site, not to mention the financial damage resulting from all those lost sales. DDoS attacks are often used as a distraction while other areas are targeted, too.
A few hosting providers offer DDoS protection as part of their packages. If your provider doesn’t offer DDoS protection, then you should turn to an external, cloud-based solution. This will filter traffic, detect threats, and react to DDoS attacks. You’ll need to pay for this service, but it’s worth it as DDoS attacks are a very real threat to online stores.
4. Privacy Principles of Data Minimization
For businesses in the European Union, the introduction of GDPR (General Data Protection Regulation) represented a huge change back in 2018. One of the major aspects of this regulation was data minimization, which is important for reducing the risk of security breaches and personal data leaks.
Data minimization simply means limiting how much personal data is collected, and keeping hold of it only as long as necessary. Whether complying with GDPR in the EU or the Federal Trade Commission’s rules in the US, data minimization is an essential part of running a secure business. By hoarding data and keeping it longer than necessary, the chance of that data becoming vulnerable increases. You also run the risk of opening up the business to fraudulent, unverified data that could corrupt the quality of databases.
By only collecting relevant, essential data, you can safeguard businesses and clients. When dealing with data, consider the following:
- Is the data necessary for a specific purpose? For example, is it really necessary to collect a visitor’s date of birth to buy a product?
- Is there enough data to complete the action? For example, you might need a customer’s address for shipping purposes, or an email address to send a confirmation receipt.
- Is non-critical data being held? Review the data on your system. Is any of it outdated or no longer relevant? If so – Delete it!
With these things in mind, never hold onto customers’ payment details.Usually, a third-party payment provider processes payment details, in which case don’t ask for them. If these details are required to complete the transaction, don’t keep them. Doing so puts the data at massive risk.
As an online store, you’ll have many different people passing through the site. Make sure you respect customers’ privacy by only collecting data with their permission, and only asking for information necessary. Verify information where you can, and don’t hoard data.
5. Internal Security and Usership
You can do everything possible to secure the online store, but if mistakes are made on the inside - you’ll be opening business up to threats from the outside. The first thing to do is make sure all passwords are strong and secure. Don’t ever have shared passwords, as different admins should have unique passwords. It’s a good idea to use a password manager, which makes it easy to stay on top of password security. Change passwords regularly, and set up two-factor authentication wherever possible.
Still, the strongest password is useless if the person causing the security breach is the owner of that password. Your staff may actually be your greatest weakness – indeed, 2,500 internal security breaches happen in US business every day. Some employees actually compromise employers on purpose, but mostly it’s accidental – such as clicking on a phishing email, sharing login details, or losing a work laptop. The best way to safeguard against these internal threats is to educate staff, hold regular trainings, and have plans of action in place when it becomes clear there’s been a leak.
Cyber threats aren’t going away – they’ll keep evolving, growing, and changing. But there are ways to minimize the risks. With a brick-and-mortar store, you can see shoplifters coming - keep an eye on CCTV and call the police if someone stuffs products under their coat. But with an online store, the thieves are far more subtle - and usually remain unseen until it’s too late. By being aware of the risks, you can put measures in place to prevent and manage these risks, and set up an online store for success - rather than cyber corruption.
Now it’s time to take the next step. Learn more about keeping business safe in this dynamic, online world. Follow the Resource Links below to get started or contact GlobalSign for more information: