Cyber security isn’t a destination; it’s a never-ending, diligent process
at 4:32pm | Posted By: Jeff Rundles
Following ecommerce security tips and Best Practices can go a long way in saving you the cost of a non-valid credit card purchase or the devastation of a massive data breach
The news in mid-January that the major online shoe retailer Zappos had its website hacked with the loss of valuable personal information on some 24 million customers should have sent shock waves throughout the ecommerce universe – shock waves and warnings for ecommerce merchants and online shoppers alike. Unfortunately, there were no broad-based reactions of dismay because this kind of criminally invasive attack on websites, particularly online shopping sites, has become all too common.
According to the Identity Theft Resource Center (ITRC), there were 419 data breaches publicly disclosed in the United States during 2011, with 62% of those involving the exposure of Social Security numbers, and 27% laying bare credit and/or debit card data.
In the case of Zappos, the company said the information gleaned by the hackers included customer names, addresses, email addresses, phone numbers, partial credit card numbers, and cryptographically scrambled passwords. Not obtained, the company said, was full credit card information and other payment data.
Still, that hackers could get into the supposedly secure servers and database of Zappos – owned since 2009 by ecommerce industry giant Amazon.com – shows that even the most sophisticated web operators with nearly unlimited resources to build and maintain online security are not immune to security breaches.
For website operators, in particular those who process credit cards and collect sensitive information from consumers, the risks of security problems are real and can be devastating. They can range from simply accepting a non-valid or stolen credit card number, and then losing the money and products involved in that transaction, to literally having your business shut down for an extended period of time by a broad data breach. Zappos, for example, is going to great and expensive lengths to re-establish its business links and customer confidence, and while it will surely lose sales in the short term, the more valuable asset lost may be its reputation for safety and soundness for a long time to come. Its parent company Amazon.com is probably also in crisis-prevention mode.
The lesson is clear: no one, no web site, is fully safe from invasion or rip-off, and even those which have the very latest in technology security systems in place today could be vulnerable tomorrow morning. In other words: cyber security isn’t a destination, it’s a never-ending, diligent process. Complacency will lead not to an “if” a security breach happens, but directly to a “when” it will occur. And keep in mind that experts in online security are noting an increase in cyber attacks not necessarily designed for personal gain – hackers stealing data to mine it for money – but carried out by hackers whose sole goal is to exact revenge for some real or imagined slight simply by causing a site shutdown or a public relations nightmare.
The problem has become so pronounced that even the White House has initiated an ecommerce security plan, called the National Strategy for Trusted Identities in Cyberspace, where key constituencies like banks, technology companies, credit card firms, cell phone providers and others will work to set and adopt higher standards for handling and verifying identities and personal data online. That may prove to be a tall task, in that “standards” for anything online have proved to be a rapidly moving and accelerating target.
Such standards setting is nothing new. Eight years ago, in 2004, five of the leading credit card security programs merged to create the Payment Card Industry Security Council (PCI DSS). The goal was to create extra security for card issuers by making sure that merchants (both online and brick-and-mortar) meet established security standards for storing, processing and transmitting cardholder data. While this is designed to help card issuers, the group’s basic outline of control objectives serves as a perfect security boilerplate for any online merchant processing credit cards:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
For website operators, the various levels of online security that should be implemented are probably more complex and fast-changing than you can keep up with. Having an IT department or an outside vendor, such as a website development partner like Unleaded Group, and ensuring that those people maintain constant familiarity with the very latest online security issues and training is a must. Insist on it. There are a lot of security procedures and security certificates that must be obtained, and trained IT people can and should be right on top of this.
Beyond these basics, website operators should also limit access to administration areas on their site to trusted employees, change passwords frequently, and constantly monitor and test security systems. Security experts recommend many layers of security, tougher and more varied – and more often changed – passwords, and the admonition is to make sure a complete data backup is made to secured locations at least once a day, and for added security more often. Security also should include a preprogrammed limit on Denial of Service attempts: what this means is that someone trying to log on may mis-type a password or code and be allowed another attempt; most software will let you set a default number of these attempts, such as three, before there is a disconnect, to protect against someone guessing.
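The failed-attempt limit described above, as an added example that is not code from the original post, from Magento or from Unleaded Group. It keeps a per-account failure counter, locks the account after the three attempts the post mentions, and clears the counter on a successful login. The lockout duration, the in-memory store, the sample user and all function names are my own assumptions, and the password hashing uses the standard library only so the example runs on its own; a production system would use a slow password hash.

```python
"""Failed-login limiter (added example; not code from the original post or from Magento)."""
import hashlib
import hmac
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 3            # attempts allowed before a lock, the number the post gives
LOCKOUT_SECONDS = 15 * 60   # how long a lock lasts (assumed value)


def _hash(salt: str, password: str) -> str:
    # sha256 keeps the example dependency-free; use bcrypt/Argon2 in practice
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample user store: username -> (salt, hash of salt + password)
USERS = {"alice": ("s4lt", _hash("s4lt", "correct horse"))}


@dataclass
class AttemptRecord:
    failures: int = 0        # consecutive failed attempts since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginLimiter:
    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS,
                 clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock      # injectable so a test can advance time
        self.records = {}       # username -> AttemptRecord (in-memory; assumed store)

    def is_locked(self, username: str) -> bool:
        rec = self.records.get(username)
        return rec is not None and rec.locked_until > self.clock()

    def attempt(self, username: str, password: str) -> str:
        """Return 'locked', 'ok' or 'denied' for one login attempt."""
        if self.is_locked(username):
            return "locked"     # refuse without evaluating the password at all
        rec = self.records.setdefault(username, AttemptRecord())
        salt, digest = USERS.get(username, ("", ""))
        # constant-time comparison; unknown usernames are counted like wrong passwords
        ok = username in USERS and hmac.compare_digest(_hash(salt, password), digest)
        if ok:
            self.records.pop(username, None)   # success clears the failure counter
            return "ok"
        rec.failures += 1
        if rec.failures >= self.max_attempts:
            rec.locked_until = self.clock() + self.lockout_seconds
            rec.failures = 0    # counting restarts once the lock expires
        return "denied"


if __name__ == "__main__":
    limiter = LoginLimiter()
    for guess in ("a", "b", "c"):
        print(limiter.attempt("alice", guess))   # denied, denied, denied
    print(limiter.attempt("alice", "correct horse"))  # locked
```

Note that the limiter returns "locked" before the password is checked, so a locked account costs the server no hash computation, and that a successful login removes the record so legitimate typos do not accumulate across sessions.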
Also, security experts call for regular code reviews of the software used for ecommerce and related activities; however, this can be time-consuming and expensive and involve some very high-level people. An alternative is to implement a web application firewall (WAF) solution, which is designed to automatically perform such reviews and to inspect web traffic for attempts to exploit known vulnerabilities and for suspicious patterns.
There are also new and emerging security protocols, updates and software directly aimed at protecting transactions and data involved with mobile technologies, such as smartphones and tablets.
Here at Unleaded Group, we specialize in building online shopping cart technology and ecommerce solutions using the top solution on the market, Magento. While we feel Magento is the best ecommerce solution for many, many reasons, one of the biggest is security: not only is security a key focus of Magento, it is improved with Magento security updates very frequently in response to new threats that appear in the marketplace and any vulnerabilities that the vast and growing Magento community can imagine and discover.
Our website clients are not online security experts, but each and every one of them has security as a chief concern. Building and operating a Magento website eliminates a lot of worry about security, and with Unleaded Group, a Magento Gold Partner, working with the client every step of the way, we constantly monitor the community for security updates, we build in security testing features, and we go the extra mile to ensure as secure a website as is possible in today’s web environment. Magento includes internal security measures that are industry Best Practices, and they integrate well with the security systems and protocols set up and maintained by third-party vendors, such as credit card issuers and payment systems.
Web security is a very complex and constantly evolving discipline that demands high-level and professional intervention. As a website owner you should know that the more complex and robust your site, the greater the threat level and the greater the need to invoke professional assistance to maintain Best Practices for security. With a security process in place from day one, and with constant vigilance, the internet, in spite of the myriad of data breaches reported all the time, is a relatively secure, safe and profitable arena for commerce.
For all of your ecommerce needs, from website design and development and the very latest in top-notch Magento ecommerce solutions – including the highest level of online security – call on the Unleaded Group of Denver. Phone 720-855-UNLEADED (865-3233) for complete details.