
Guide to Ecommerce Website Security: Definition, Tips, and Tools to Implement in 2020

Darren DeMatas, Author

I’ve witnessed companies lose hundreds of thousands of dollars after failing to implement eCommerce website security features to safeguard their online stores from hackers and fraudsters.

The internet is a dangerous place to conduct business. Over the next three years, online retailer fraud is projected to hit $130 billion. So without appropriate fraud protection tools, your sensitive customer data is at risk.

For every fraudulent order that is successfully placed using your eCommerce site, an online retailer needs to generate eight legitimate sales to recover financially from the chargeback and lost inventory. Thankfully, it’s possible to build a wall around your eCommerce site, featuring a big gate to allow legit sales through.

I. What is eCommerce Website Security?

eCommerce website security refers to a variety of activities and measures that protect your website from threats and keep your online transactions safe.

Your online store represents a complex system where multiple components have to interact with each other — your server, web apps, users, and network connection. The important thing is that each of the components must be protected from all forms of threats and malicious attacks. Only then will this system function without a hitch. But even if you regularly perform security checks and they reveal no issues, you can never relax. Online fraud is evolving rapidly, and because of a single tiny fault, your efforts may get flushed down the drain.

To put it simply, your store is like a house with front and back doors, windows, and walls. And based on the degree of your dedication to details in security questions, you may either install a steel door and a burglar alarm or leave the front door and windows open. But even if you keep all your doors closed, burglars will find the way to your cash box… through the chimney.

This is why it is vital to take your website security seriously and understand the main types of eCommerce threats.

II. What Are the Warning Signs of Fraudulent Transactions?

Fraudulent transactions can lead to chargebacks and loss of merchandise. There are a few warning signs that eCommerce stores should look for when reviewing new or unusual customer requests.

  1. More than one payment method being utilized from a single IP address. This could be an individual using stolen credit card numbers to submit orders and receive goods that they can sell.
  2. Foreign billing or shipping addresses are a red flag. Most software can only verify addresses properly within the US and UK.
  3. Large volume orders for a single item from a new customer — this could be a fraudster acquiring a product to resell with someone else’s credit card.
  4. A series of orders, shipped to the same address but placed using different payment methods.

Even if your site, server, and account are secure, you may still suffer from malicious activity: keyloggers and spyware on your customer’s computer allow attackers to steal credit card info and place fraudulent orders in your store. If you don’t detect the fraud and hurry to ship the goods, you will be out both the inventory and the money when chargebacks are processed.

Manual review of orders is always best, even if you only check the ones that meet the above criteria. Some review and spot-checking are always better than blind hope.
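The four warning signs above can be turned into a simple filter that builds the manual review queue. This is an added example, not code from X-Cart or any fraud tool; the order fields, the country set, and the bulk-quantity threshold are assumptions, and the orders are constructed sample data.

```python
from collections import defaultdict

# Assumptions for this example (not taken from any real fraud tool):
VERIFIABLE_COUNTRIES = {"US", "GB"}  # where address verification is reliable
BULK_QTY = 10                        # what counts as a "large volume" line item


def order(oid, ip, card, ship_to, bill, ship, new, qty):
    """Build one order record. `card` is a payment-method token, never a card number."""
    return {"id": oid, "ip": ip, "card": card, "ship_to": ship_to,
            "bill_country": bill, "ship_country": ship,
            "new_customer": new, "max_item_qty": qty}


# Constructed sample data (documentation IP ranges, made-up addresses).
ORDERS = [
    order(1001, "203.0.113.7", "tok_A", "12 Oak St, Austin TX", "US", "US", False, 1),
    order(1002, "198.51.100.20", "tok_B", "9 Elm Rd, Leeds", "GB", "GB", True, 2),
    order(1003, "198.51.100.99", "tok_C", "5 Pine Ave, Reno NV", "US", "US", False, 1),
    order(1004, "198.51.100.99", "tok_D", "77 Lake Dr, Miami FL", "US", "US", False, 1),
    order(1005, "192.0.2.14", "tok_E", "1 Harbor Way, Santos", "US", "BR", False, 1),
    order(1006, "192.0.2.50", "tok_F", "3 Hill Ct, Boise ID", "US", "US", True, 25),
    order(1007, "192.0.2.61", "tok_G", "40 Dock St, Newark NJ", "US", "US", False, 1),
    order(1008, "192.0.2.62", "tok_H", "40 DOCK ST., Newark NJ", "US", "US", False, 1),
]


def normalize_address(addr):
    """Ignore case, spacing and punctuation so trivially edited addresses still match."""
    return "".join(ch for ch in addr.lower() if ch.isalnum())


def review_queue(orders):
    """Return {order id: [reasons]} for every order that needs a manual look."""
    cards_by_ip = defaultdict(set)
    cards_by_addr = defaultdict(set)
    for o in orders:
        cards_by_ip[o["ip"]].add(o["card"])
        cards_by_addr[normalize_address(o["ship_to"])].add(o["card"])

    flagged = {}
    for o in orders:
        reasons = []
        if len(cards_by_ip[o["ip"]]) > 1:                                # sign 1
            reasons.append("multiple payment methods from one IP")
        if {o["bill_country"], o["ship_country"]} - VERIFIABLE_COUNTRIES:  # sign 2
            reasons.append("address outside verifiable countries")
        if o["new_customer"] and o["max_item_qty"] >= BULK_QTY:          # sign 3
            reasons.append("bulk single-item order from new customer")
        if len(cards_by_addr[normalize_address(o["ship_to"])]) > 1:      # sign 4
            reasons.append("same shipping address, different payment methods")
        if reasons:
            flagged[o["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for oid, reasons in review_queue(ORDERS).items():
        print(oid, "->", "; ".join(reasons))
```

A flag here means "hold for a human to check", not "reject": orders 1003 and 1004 could be one household sharing a connection.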

With a little know-how, you can complete all of these fraud management tips for yourself. If the do-it-yourself route seems way too complicated to you, it never hurts to have a website security audit completed by a reputable cybersecurity firm. Or there’s another way to go — creating your store with the X-Cart eCommerce platform will allow you to secure your eCommerce website from fraud, hacking, and other unethical activity. Our fraud management experts will help you implement all the tips listed above and below.

Taking your website security seriously and having a clear action plan in store will help you to be prepared for the “Doomsday” and catch fraudulent activity early. Here are a few more things that you should take into account:

  • Your developer has completed the task too early. He got it done, but in his hurry (or for lack of skill) he left a “hole” in the wall of your “house”, and the hacker is already there, trying to get in.
  • You (or your webmaster) do monitor all the security updates, but you happened to be on vacation when the recent security update was released, so you somehow missed it. And hackers never miss anything and are already trying to break into your site which is not patched yet.
  • Your hosting provider still uses insecure FTP for transferring data. PCI compliant servers have already stopped using FTP in favor of secure protocols (SFTP, FTPS, SSH). But because of the difficulty involved in running and administering secure FTP servers, or due to the inevitable complaints from clients who do not have the proper software installed to use SFTP, some hosting providers may still allow its insecure predecessor (traditional FTP). By default, FTP transmits data without any encryption and thus does not provide any level of security at all. And our bad guy is here to eavesdrop on your conversations and plan how to bypass your burglar alarm.
  • You or your employee tend to use the same credentials on several accounts: email, admin area of the store, several forums, Facebook page, and Twitter account. You are in real danger if you use the same password for MySQL, FTP, and your root SSH access. It actually looks like locking the door and hanging a clear instruction on where to find the key for it. Once at least one of these accounts is hacked, the others also become endangered. And it’s only a question of time when hackers will finally open the door with the keys you left for them.
  • You cannot afford an expensive dedicated server or VPS. Instead, you use the cheapest possible shared hosting. Do you know who your neighbors are? Are you sure their accounts — together with all the possible software they host — are secure? I bet you aren’t. And once their account is compromised, you’re in the risk group, too.
  • You use free WiFi. Love combining the useful and the pleasant? For example, having a cup of cappuccino in a coffee shop and working. Remember that lots of wireless hotspots are completely unencrypted. This leaves you unprotected against malicious users sitting next to you in the same coffee shop. So once you enter your username and password, hackers save them in no time.
  • Your password is weak. A brute-force attack, or exhaustive key search, may be successful.

III. The Most Significant Website Security Threats For Your Online Store

Below is a brief overview of some of the most common web application security threats, such as XSS, SQLi, DoS, cross-site request forgery, and other activities that every store owner has to be aware of.

1. SQL Injection – Preventing Your Website’s Forms from Becoming Vulnerabilities


Did you know that it’s possible to submit a fraudulent SQL command to your site by inserting the command into a form on your website? This could be the form that your customers use to sign-up for your email newsletter or set up an initial consult.
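What that looks like for a newsletter form, with the vulnerable lookup beside the parameterized one. This is an added example, not code from X-Cart; the table, the function names, and the form inputs are constructed for illustration, and SQLite stands in for whatever database your store uses.

```python
import sqlite3


def make_db():
    """In-memory database standing in for the store's subscriber table (constructed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscribers (email TEXT PRIMARY KEY, token TEXT)")
    db.executemany("INSERT INTO subscribers VALUES (?, ?)",
                   [("alice@example.com", "tok-a"), ("bob@example.com", "tok-b")])
    return db


def lookup_vulnerable(db, email):
    # BAD: the form value is pasted into the SQL text, so any quote character
    # in it ends the string literal and the rest is parsed as SQL.
    sql = "SELECT email FROM subscribers WHERE email = '" + email + "'"
    return sorted(row[0] for row in db.execute(sql))


def lookup_parameterized(db, email):
    # GOOD: the ? placeholder binds the form value as data; it is never parsed
    # as part of the statement, whatever characters it contains.
    sql = "SELECT email FROM subscribers WHERE email = ?"
    return sorted(row[0] for row in db.execute(sql, (email,)))


def compare(form_value):
    """Run both lookups on one form value and report what each returns."""
    db = make_db()
    try:
        vulnerable = lookup_vulnerable(db, form_value)
    except sqlite3.Error as exc:
        vulnerable = "error: " + type(exc).__name__
    return {"vulnerable": vulnerable,
            "parameterized": lookup_parameterized(db, form_value)}


# Constructed form inputs: a normal address, a legitimate address containing
# an apostrophe, and an input that closes the quote and appends a condition.
NORMAL = "alice@example.com"
APOSTROPHE = "o'brien@example.com"
INJECTED = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    for value in (NORMAL, APOSTROPHE, INJECTED):
        print(repr(value), "->", compare(value))
```

The concatenated query returns every subscriber for the injected value and fails outright on the harmless apostrophe; the parameterized query returns no rows for either, which is the correct answer.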

To prevent this type of fraud, you need to scan your site daily for SQL injection (SQLi) vulnerabilities. Internet security companies, like Norton, have products to help with this. But, you can also find free site scanners:

2. Cross-Site Scripting (XSS) — Turning a Bad Request Into a Bad Day

How does your website, and the web server that hosts it, handle GET requests, or the posting of executable code in the comments section of your blog posts? Ideally, these fraudulent server requests, loaded with malicious code meant to compromise your website security, should be blocked from executing.

Best practices for protecting your website from XSS:

  • Ensure that all site and server modules are up-to-date. Reputable third-party developers provide ongoing updates based on common security threats. But, these do your site no good if they aren’t installed.
  • Use a site scanner, like the ones listed above, to identify potential website security vulnerabilities.

3. Brute Force Attacks — Keeping the Attackers Guessing


83% of domestic e-commerce attacks in the US were completed using a botnet (PYMNTS).

One of the ways botnets are utilized is in a brute force attack – simply guessing the details required to access the admin section of your e-commerce site. All that’s required is a program to execute the attempts to connect with different passwords, and enough uninterrupted time to establish a connection.

Steps you can take to stop a brute force attack in its tracks:

  • Use complex, lengthy passwords featuring symbols, capitalization and numbers.
  • Require two-factor authentication before users can log in.
  • Use a captcha or similar tool to challenge visitors to your login page.
  • Change passwords every 3 months. Immediately change passwords after termination or conclusion of work by an outside contractor.

Two-factor Authentication

Two-factor authentication is a free app that requires shoppers to supply a 1-time passcode in addition to their login details. To start using the addon, you’ll have to create an account with Authy and pick a plan. The free one includes up to 100 logins per month — more than enough to test it out.


Prove that you are a human being and let your customers do the same with Google reCAPTCHA, providing extra protection from robots and spam. This tool is quite straightforward. And you don’t have to identify any symbols or select images with street signs.

4. DoS & DDoS Attacks to Make Your Site Inaccessible For A While

Both malicious actions have the same goal — to take down your eCommerce site and make some profit from that. But technically they are different.

A DoS (Denial of Service) attack is an attempt to shut down your online store by flooding it with junk traffic and making it unreachable for normal users.

A DDoS (Distributed Denial of Service) attack is performed from multiple devices or a botnet. A botnet is a ‘gang’ of computers infected with some malware.

Here are a couple of security measures every small business owner should take to protect their website security from DoS and DDoS attacks:

  • the DoS attacks can be suppressed with the help of special web server configuration;
  • use NGINX rate limiting to protect your website from malicious requests.

Note: Installing a website security addon won’t help.

5. Friendly Fraud Accounts for 71% of Merchant Losses

According to LexisNexis, friendly fraud makes up 71 percent of merchant losses.

This is a type of credit card fraud where a legitimate customer interacts with your eCommerce site, makes a purchase, and then changes their mind later. Instead of adhering to your return policy, they submit a chargeback through their credit card provider.

Validation – ID Review & Fraud Prevention addon, also available for X-Cart store owners, will secure your business from chargebacks, friendly fraud, and other account takeovers for only $19/mo.

IV. Best Practices For eCommerce Security

If the hacker’s attempt succeeds, along with losing the money you’re also saying goodbye to your perfect reputation, your loyal customers, and thus your sales. And to finish you off, Visa may pay a visit, after which you pay penalties. And it’s not fun at all, at least for a merchant, who feels furious, or upset, or both.

That’s why you should start working on security hardening right now (and keep working on it daily!).

But what can you do to take your eCommerce website security to the next level and protect your store from ubiquitous hackers?

There is a bevy of website security tools and strategies you can take advantage of to protect your customers’ credit card data and your online store in general from malicious activity, without losing legitimate sales. Let’s grab a magnifying glass and take a closer look at each of them one by one.

1. Tighten Your Website’s Relative Security and Slash Ecommerce Fraud

Relative Security is the measure of how juicy a target your e-commerce website is, relative to the rest of the web. Political sites, financial firms, and large companies have a high relative security risk.

Based on your site’s relative security, you may need to spend extra time and resources on the eCommerce fraud prevention tips I’ll cover below.

Steps for Performing a Relative Security Assessment

  1. Create an Enemy Profile by answering the following questions:
    • Do individuals or organizations exist that would like to hurt me or my company?
    • Could an individual make money by attacking my website?
    • Do my enemies have the technical skills necessary for the hacking of a website?
  2. Consider how your company is perceived in the world.
    • Does my company have a solid reputation?
    • Are there steps we could take as an organization to minimize conflict and improve our image?
    • How is my company representing itself online? Is the substance or tone of our content unnecessarily aggressive or aggravating?

To improve your site’s relative security, and reduce its online fraud risk, identify opportunities to disengage from politically divisive topics, and avoid advertising your financial success unnecessarily.

If the outside world perceives you or your organization as a financially lucrative target, or a political adversary, these are red flags that the security of your website, product pages, and checkout needs to be taken extremely seriously.

2. Improve Your Online Store Security with PCI Compliance

Payment Card Industry (PCI) Standards are the baseline standards that the credit card companies have set up in order to provide a secure internet for customers and merchants, reducing online fraud in their industry.

Important PCI Security Council resources include:

PCI compliance is a must for ALL organizations or merchants that accept, transmit, or store any cardholder data, regardless of size or number of transactions. 

How does it help you maintain your eCommerce website security? Even if the store IS compromised, credit card details are safe and sound, as you (your application) never touch credit cards.


X-Cart is fully compliant with the latest PCI DSS standards. The ability to collect and store credit card details was once available but was removed for good back in 2012 with the release of X-Cart 4.5.0.

If you host your store with us, lucky you, our hosting gurus perform these PCI-compliance scans on a quarterly basis. But note that this feature is available only for the Enterprise plan subscribers.

And our partners — Comodo — offer PCI scans, which are aimed at finding all the security problems of your server and application.

3. Remove Customer Financial Data from Your Site by Utilizing a 3rd Party Payment Processing System

The best way to protect your customer’s financial data from an attack on your eCommerce site is by removing credit cards and other financial information from your site. A third-party payment gateway can securely handle customer financial data on your behalf.

You need to select a qualified payment processor — the one that’s compatible with your eCommerce platform, and offers industry-leading fraud prevention.

X-Payments Payment Processing

X-Payments is one of the e-commerce platforms I recommend because of its built-in fraud prevention features.

This PCI Level 1 certified payment solution will allow you to store credit card data right on your website and still be compliant. Recurring payments, reorders, and subscriptions come as a bonus.

Identity theft detection is also a great feature to look for. Some merchant payment processors provide identity theft protection as part of their service agreement.


With the NoFraud addon built into X-Payments, you will forget that phishers exist. This sophisticated solution, based on the fusion of machine learning and human intelligence, reduces fraud to below 0.01%.


AntiFraud also comes with X-Cart as a built-in add-on. The price starts from $49/yr for 3,000 requests. Plus you get 30 requests for free when you sign-up for a free trial. The app uses a sophisticated algorithm to calculate the fraud risk factor and returns the value from 0 to 10. It takes into account such criteria as address match, IP distance, order total, even email, and previous orders placed by customers.

Kount Fraud Prevention Service

Kount fraud prevention service is here to beat fraud and maximize sales opportunities, and it also requires using X-Payments. Starting from X-Payments v2.2.0, this refined new tool is built-in, so you don’t even have to struggle with installing it. Just enable the X-Payments app in your X-Cart admin backend. Our customers say that bottom-line sales grow by an average of 2.2% – 5.8% after implementation.

10 Payment Processors that Securely Handle Customer Financial Data on Your Site’s Behalf

There are a variety of payment processing integrations that provide PCI compliance to help prevent credit card fraud, and end-to-end compatibility with X-Cart (and many other website builders).

Or you can go for any of the following payment processing tools that also work with X-Cart eCommerce software. They will redirect your users to the payment gateway site to enter credit card data. The process looks less natural, though. The list below is ranked in order of popularity:

  1. PayPal
  2. X-Payments Connector
  3. Authorize.Net SIM
  4. Sage Pay (Form)
  5. Stripe
  6. Skrill
  7. Amazon Pay
  8. Fastlane Checkout
  10. Quantum

Installation Instructions:

  1. Select a payment processor based on the fees they charge and their availability in your region.
  2. Provide the details for your business’ checking account — this is where funds will be deposited or transferred, at your direction.
  3. Follow the instructions they provide for integrating their platform with your website — usually a very straight-forward process that involves the automated installation of a module.
  4. Sit back and enjoy the peace of mind that comes from knowing your customers’ financial data isn’t stored on your eCommerce site — removing a great deal of liability from your company.

4. Eradicate Default Passwords from Your Online Store

You wouldn’t keep the old locks on your front door after you purchase a new home, would you? After you’ve installed your eCommerce shopping cart, or installed a new module, it’s time to reset the default passwords that were created during installation.

This tip massively reduces your fraud risk. Once you’re comfortable with the terminology used to describe different users and their roles within your site:

  1. Check the “Users Management” tab. Ensure there aren’t any extra admins listed for your site.
  2. Replace the passwords for each admin user with a secure password – I recommend a long, strong password generated by
  3. For easy password management, I use Keeper to help me remember my secure, complex passwords. The ability to copy and paste passwords into forms is a HUGE help.
  4. Check every online tool and piece of hardware you use to ensure there are no default admin/password configurations left over.

A long, complex password makes your site more secure by requiring a lot more work from hackers and fraudsters before they can break in.

Two-factor authentication is an excellent solution for making it even more difficult for thieves to break in. With two-factor authentication, users will be required to enter their password and then enter a one-time code sent to their smartphone or email address before gaining access to your admin console.

If figuring out a long password is time-consuming, hacking multiple platforms to retrieve an access code is even more difficult.

5. Monitor Your Ecommerce Site for Core File Changes Using Monitoring Software

Who’s got two thumbs and better things to do than sit around and provide real-time fraud detection? This guy! And, unless you’ve suffered an unfortunate accident, I’m guessing you’d like an automated fraud detection solution too.

Thankfully, there are programs that will monitor your site for changes made to the core files of your eCommerce platform and prevent file upload attacks in a timely manner. The minute a core file is changed, an alert is sent out to admins. If the change was fraudulent, some software will even let you roll-back the change with the click of a button.

Changes to your site that are made during hours you are sleeping, or from unrecognized IP addresses should be an immediate red flag.
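The core of such a monitor is a hash baseline compared against the current state of the files. The following is an added example of that idea, not OSSEC's implementation or X-Cart code; the file names are constructed and do not reflect any real store layout.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Map relative path -> (SHA-256 hex digest, permission bits) for all files under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            state[rel] = (digest.hexdigest(), mode)
    return state


def diff(baseline, current):
    """List (kind, path) for every added, removed, modified or re-permissioned file."""
    changes = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            changes.append(("added", path))
        elif new is None:
            changes.append(("removed", path))
        elif old[0] != new[0]:
            changes.append(("modified", path))
        elif old[1] != new[1]:
            changes.append(("permissions", path))
    return changes


def _write(root, rel, data, mode=0o644):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo():
    """Build a constructed store tree, take a baseline, change it, report the diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", b"<?php // storefront\n")
        _write(root, "classes/Cart.php", b"<?php // cart logic\n")
        _write(root, "config.php", b"<?php // settings\n")
        baseline = snapshot(root)  # in practice, store this off the web server

        _write(root, "classes/Cart.php", b"<?php // cart logic\n// extra line\n")
        _write(root, "images/upload.php", b"<?php // unexpected script\n")
        os.chmod(os.path.join(root, "config.php"), 0o666)
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"ALERT {kind}: {path}")
```

The baseline is only trustworthy if the attacker cannot rewrite it, so keep it and the comparison job somewhere the web application's account has no write access.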

OSSEC, fraud monitoring software

OSSEC is a free user-friendly tool X-Cart admins use to monitor changes in real-time. If a hacker gets through their defenses and manages to make changes, they are immediately alerted. If the change is fraudulent, they can restore the compromised file from a safe backup – safeguarding future customers from being compromised. Then, it’s time to dig into the logs. Once they know who altered the file, they can block their access.

With this external website monitoring service, you (not your customers!) are the first to know about a problem on your website. When something breaks, (and as Murphy’s Law reads, anything that can go wrong, will — at the worst possible moment), you’re immediately alerted. Thus, you can quickly notify the customers about this temporary problem and proceed with the investigation and fix it.

In addition to real-time analytics of your system security events and server uptime monitoring, it keeps an eye on the file system, reporting modifications in core X-Cart files (you can even view what has been altered), as well as permissions changes. You should either approve of these changes or restore the previous version. It means that even if the malicious person has modified the files, you will notice it right away — and fix the problem BEFORE your customers are deceived. I believe this tool is one of the best safeguards a store owner can imagine.

6. Regular Site Backups ARE MANDATORY

How often are you backing up your website? If your answer is less than every 24 hours, you’re asking for trouble.

If someone manages to hack into your site, you need to be able to restore it quickly to prevent extended interruptions to your customers. Rebuilding lost resources takes hours, and possibly days.

Restoring from a backup takes a few mouse clicks.

The backup process is no big deal for X-Cart store owners. The eCommerce platform offers a ready-made addon that performs daily backups that start automatically and run in the background.

Backup Master

Backup Master ($79.00) is included in the X-Cart Ultimate edition and can also be bought separately. With this addon installed, you won’t have to carry out complicated back-up operations all by yourself. The addon will create a dump of your website database and include it in the backup file.

The addon will be particularly useful when upgrading your store from one version to another — it will save all the valuable information, just in case.

7. Securing Your Web Browser and Operating System

With the increased amount of data shared and stored online, using a secure web browser is vitally important for your eCommerce business.

As of 2019, the most secure browsers are The New Firefox, Iridium, GNU Icecat, Tor, Ungoogled Chromium, and other high-quality browsers.

According to Blokt, Google Chrome, Internet Explorer, and Safari are the ones you should avoid.

They offer the most secure search engines that will retain your privacy.

Among the operating systems, OpenBSD is highly secure. Use it if you do not need to run graphical apps. iOS and Linux are probably the most popular operating systems.

All that will protect your eCommerce site from various risks, including viruses and personal data theft, and keep your sensitive information in a safe place.

8. Use a Web Application Firewall (WAF) to Take Your Website Security to the Next Level

This awesome security tool protects your website from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site request forgery. Thus, good visitors are welcomed, and the bad ones are kept away from you.

Sucuri, Cloudflare, Akamai, Incapsula, and SiteLock are among the top web application firewall vendors.

A web application firewall prevents future hacks, blocks brute-force attempts, and reduces the risk of DDoS attacks.

9. When Transmitting to and From Your Site, Encrypted Data is Secure Data

If someone stole your letter from the mailman, would they be able to read it? If you sent your letter using a code that only you and the intended recipient know, it’s virtually impossible for the thief to gather any useful information. Your personal information is safe, even though it was intercepted.

To secure the information sent between your website and your customer’s computer, you need to use encryption on your site. This is done with a Secure Sockets Layer (SSL) certificate that is unique to your site.

SSL certificates offered by X-Cart are exclusively designed for eCommerce businesses. They will secure all sensitive data transfers, such as credit card transactions, logins, and other personal data passed from your customers’ browsers to your online store. This is done with the help of data encryption, data integrity control, and authentication, which protect your store from “man in the middle” attacks.

To create one, you’ll need to:

  1. Purchase an SSL Certificate from a reputable vendor. This does not create the certificate — you’ll need to complete the following steps before you have a usable certificate. Payment simply gets the ball rolling.
  2. Submit a certificate request form. This involves verifying your identity, billing address, phone number, and legal ownership of your website.
  3. If you intend to install the certificate on a server that you own, you’ll need to generate a certificate signing-request (CSR). For shared web hosting or managed solutions, this step will need to be completed by the owner of your server — something they are already very familiar with and can quickly complete on your behalf.
  4. If you own your server, you’ll need to download the files for your SSL Certificate and install them onto your server. Most managed website hosting companies or shared server providers will complete this step on your behalf.

At this stage, you’ve encrypted the communication between your site and the outside world. This is a HUGE step towards a safer customer experience – and the added trust badge will help contribute to customer loyalty and trust.

Don’t believe me? Don’t take my word for it. Here are the numbers, courtesy of DigiCert, showcasing the power of completing the process of securing an extended validation (EV) SSL.

Also, keep in mind that secure website design is essential to rank higher in search engines.

10. Steps That Should Help Understand and Combat Friendly Fraud

  1. Ask the credit card companies you accept to provide you with a detailed list of their chargeback codes — these are the codes you’ll see when a chargeback is initiated against your merchant account.
  2. If a chargeback is related to a product issue (i.e., the customer claims the item wasn’t as described), it’s time to dig into how your company fulfills orders. Something likely went wrong, and it will continue costing you money until it’s resolved.
  3. Ensure that your charges are being notated properly on your customer’s credit card statements. A descriptive title, along with your customer service phone number, is a great way to cut down on forgetful customers charging back transactions that they don’t recognize on their statement.
  4. Use tracking numbers when shipping orders, and provide customers with this number. Proof of delivery is important when fighting an unjustified chargeback.
  5. Ban the billing address of customers that submit unreasonable or fraudulent chargebacks. This should be handled on a case-by-case basis; remember, customers make innocent mistakes. But high-risk customers need to be blocked from submitting orders on your site.

Block Users by IP

Protect your online business from bots and fraudulent customers with the Block Users by IP / Country / User-agent app. It will help you either limit or completely restrict access to your online store based on IP address and user behavior.

Signifyd via X-Payments

The Signifyd app available via X-Payments will let you never pay a chargeback again, providing a 100% financial guarantee against fraud and chargebacks on every approved order.

If you don’t brush aside these recommendations but follow them to the letter, you may reach a level high enough to drive it home to the “burglar” that he had better try another “house”, not your “fortress”.

And may all your mornings be good, hackers — ethical, customers — satisfied!

Have you been the victim of an attack? How do you handle your website security woes?

I look forward to learning about your personal experiences in the comment section below.

Darren DeMatas, Social Activist, Entrepreneur, Ecommerce Investor, Agency Founder

Co-Founder at Ecommerce CEO and Orbit Local, Board Member at Three Grains of Rice Missions, Darren has an MBA in Internet Marketing and 10+ years of experience marketing retail, manufacturing, and Internet marketing corporations, 7-figure brands and startups online.
