A major aspect of digital transformation is bringing markets for goods and services online. No longer do potential customers have to be in the vicinity of your business to purchase your products; now they can order them from across the country through the Internet and have them shipped. E-Commerce is the term for buying and selling goods via the Internet. Since financial transactions are involved, e-commerce platforms can be an enticing target for threat actors. Therefore, it is important to harden all aspects of the process.
The first step in implementing secure e-commerce is choosing a reliable, secure web hosting provider. In a small business environment, self-hosting a website is usually out of scope. Hosting your own website on a private web server can be a complex process that opens many security holes that wouldn’t be there otherwise. It can be done, but unless you have the correct talent and means to configure your own web host, it is best avoided. Especially where financial data is involved, it is likely in your best interest to purchase web hosting from a popular vendor. If you want more control over the design of your website, you can purchase hosting from a vendor like Hostinger, DreamHost, or GoDaddy and install a Content Management System like WordPress or upload custom HTML/CSS/JavaScript. If you want a drag-and-drop builder to make a good-looking website more quickly, you can instead purchase hosting with providers like WordPress.com, Squarespace, or Wix. There are other providers that are specifically targeted to e-commerce, such as Shopify and WooCommerce. Regardless of what hosting service you choose, ensure that the following security measures are provided as part of your plan:
- SSL certificate (extremely important for e-commerce)
- Web Application Firewall protection
- DDoS protection
- Data Backups
Having an SSL certificate for your website is not optional today. The old HTTP protocol transmits credentials in clear text, allowing any attacker viewing traffic to your platform to capture credentials and use them for malicious ends. Having a valid SSL certificate in place on your website encrypts communication between client and server and protects the privacy of your customers and their financial information.
Regardless of what kind of Content Management System you use for your online store, you should follow best practices for securing the dashboard and admin panels. Implement strong passwords in compliance with your Password Policy and apply Multifactor Authentication wherever possible. Ensure that the backup system implemented for your site is functioning properly and is saving to a secure location.
The security of online payments is a major concern when it comes to e-commerce security. Just as it is your responsibility to protect the cash in the cash register out front, it is your responsibility to protect the digital payments in your database at your online store. Your choice of payment gateway can be the deciding factor in the security of your transactions. A payment gateway is a technology that enables merchants to accept digital payments from their clients. When a client purchases a product from your store, they actually send their payment to the payment gateway, which then relays the transaction to the correct credit card company for processing the payment. After successful authorization, the funds are deposited in the merchant's bank account. Using a reputable third-party payment gateway offloads the security requirements for collecting and storing financial data from the merchant, and often makes customers feel more secure since they are using a payment gateway they recognize. It is highly recommended to use gateways like PayPal, Venmo, and Apple Pay.
Finally, a simple yet extremely important security control to protect your online store is updating and patching. New vulnerabilities are discovered every day, and vendors need to consistently release patches to mitigate them. It is your responsibility to apply said updates to protect your store and your customers. Even the smallest vulnerabilities can give skilled hackers the opportunity to penetrate your systems, and from there, the consequences can quickly snowball. Updates should be consistently applied to both your hosting service and your Content Management System, including any plugins utilized on your website. WordPress plugins, in particular, are well known for security vulnerabilities if not implemented and updated properly. To make this responsibility easier, try to implement automatic updates wherever possible.