Needless to say, ecommerce website security is top of mind for any platform and business.
A breach can permanently damage a company’s reputation and eliminate customer trust. Customers expect the business to take on the burden of security. New ecommerce security threats are arising with increased frequency and cybercrimes are becoming common.
Security is not something that’s nice to have, it’s something you have to have.
Ecommerce sites receive and store a large amount of online transactions and user data — data that is of particular interest to bad actors.
Retail was the most targeted sector for cyber attacks, according to the 2020 Trustwave Global Security Report. It’s a battle that never ends and is always evolving as new and more sophisticated ways to attack are developed.
It’s on the business to keep the site — and customers — safe and secure. Good security practices lead to good security protocols.
Although new methods are popping up with increased regularity, these remain the most common ways hackers target ecommerce platforms:
Phishing is social engineering. Here, attackers obtain private information about a target and use it in an attempt to trick someone into providing important information such as bank account information or social security numbers.
Malware and ransomware go back to the dial up modem days of the internet. Malware can significantly damage systems and ransomware can completely lock you out unless you pay a ransom, with no guarantee you’ll ever be able to get access again.
If there are vulnerabilities in the database where you store sensitive information, a malicious query can be injected to give the attacker view or even edit rights.
In e-skimming, hackers steal sensitive payment information, such as credit card numbers, from online shoppers. This is typically done by injecting malicious code into ecommerce websites or point-of-sale (POS) systems to steal credit card details as customers make purchases.
A Distributed Denial of Service (DDoS) overloads a website with traffic from multiple sources, making it unavailable to users. In a DDoS attack, a large number of compromised devices are used to flood a website with traffic.
Brute force attacks are used by hackers where an attacker attempts to guess a user's login password by systematically trying every possible combination until the correct one is found.
This method is time-consuming and requires a lot of computing power, but it can be successful if the password is weak or simple.
Not all security threats come from the outside. There are plenty of internal threats — some of them wholly unintentional — that ecommerce companies should be aware of.
It’s unfortunate, but many cybersecurity attacks succeed because of simple human negligence. This occurs when employees fail to follow established security policies and procedures, such as using weak passwords, clicking on suspicious links or attachments, or sharing sensitive information with unauthorized parties.
On the other end of the spectrum from negligence is intentional sabotage. While there’s no sure-fire way of avoiding disgruntled employees, limiting access to sensitive data, enforcing strong password standards and having regular reviews of access will help mitigate damage.
This expands employee sabotage to additional parties working with your company. Contractors, vendors or even customers may be exposed to attackers, who then bring that contagion into your systems.
Data breaches don’t just hit small businesses with limited resources. Even some of the world’s biggest brands have been negatively impacted.
The global shoe company has been hit hard in the past. In 2018, the company’s U.S. website was impacted with customer contact information exposed.
Mercari is a Japanese ecommerce company that operates an online marketplace. In 2021, the company disclosed a major data breach incident.
Target’s ecommerce store was affected by one of the largest data breaches in history. In 2013, millions of customers were impacted by a cyber attack that exploited vulnerabilities in the company's payment gateway, allowing hackers to steal payment card information such as credit and debit card numbers, expiration dates and CVV codes.
Online businesses never want to be in the headlines for a security reason. Following these best practices will at least greatly reduce the chances of possible security issues.
Require complex passwords that require at least eight characters, with a mix of upper and lowercase letters, numbers and symbols. This should be mandatory for employees and customers alike.
Sensitive data should only be accessible by users and systems that absolutely need it. The fewer access points, the better.
The best way to defend against bots and hackers is to think like one. Conduct regular attack simulations and attempt to breach your own systems in real time. This will identify weak points before others take advantage of them.
Take stock of what third-party systems are included in your tech stack and ensure that they are fully up-to-date. Identify the security of each and ensure that they meet your own security standards.
The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards that must be followed by any organization that accepts credit or debit card payments. PCI compliance is mandatory, so you should be up-to-date on any changes to the standards.
All parts of your store should be prepared for the unique requirements of ecommerce. From payments to data storage to logistics, your entire tech stack should meet the highest security standards.
Secure Sockets Layer (SSL) certificates are increasingly common in ecommerce and establish a secure, encrypted connection between a web server and browser.
The SSL certificate verifies the identity of the website, and the encryption technology ensures that any data transmitted between the server and the browser remains private and cannot be intercepted or tampered with.
By now, we’re all familiar with getting a code texted to us to log into a system. 2FA is much more common now and serves as a strong layer of defense and provides an additional step in confirming identities.
Software in your tech stack are likely to receive regular updates and patches, which will include additional security. Ensure all software is updated when necessary.
Social engineering happens all the time and it’s on the company to train and inform their workforce of how to avoid attacks. Companies regularly test their employees with fake emails to see how receptive they are to phishing attacks.
Though you may work to avoid all attacks, business owners should always be prepared for the worst. Have a fully realized response plan in the event of a breach, which should include identification, mitigation and communication.
There are standards — both legal and industry — that every ecommerce company will be expected to meet. This does not guarantee a secure platform, but meeting these does help protect customer information.
Any entity that processes credit card transactions must meet PCI-DSS standards. These guidelines protect credit card information, from storage to checkout.
The European Union enacted GDPR to protect the personal information of all EU citizens. This applies to businesses that exist outside the EU but sell to Europeans as well.
The CCPA is similar to the GDPR, but is specific to the state of California only. It’s the strictest standard currently in the United States.
Security is vital for both keeping ecommerce businesses open and for keeping the trust of customers.
By voluntarily handing over personal information, they are trusting ecommerce companies to manage and protect customer data.
Personal data is any information that can be used to identify someone. This includes information such as name, address, phone number, email address, social security number, passport number, date of birth and any other information that can be linked directly or indirectly to a person's identity.
Multi-Factor Authentication is security functionality that requires multiple forms of authentication to verify a user's identity. This provides an additional layer of security against cybercriminals.
The International Organization for Standardization (ISO) is an independent, non-governmental organization that develops and publishes standards for various industries and sectors.
In May 2023, BigCommerce earned ISO 22701 and ISO 22301 certifications.