Ecommerce Security: 10 Simple Tips to Lock Down Your Site

Darren DeMatas, Founder @ Ecommerce CEO

I’ve witnessed companies lose hundreds of thousands of dollars after failing to implement fraud protection and safeguard their website from hackers and fraudsters.

The internet is a dangerous place to conduct business – especially without appropriate fraud protection protocols. Over the next four years, online retailer fraud is projected to increase by $3.2 billion.

For every fraudulent order that is successfully placed using your ecommerce site, an online retailer needs to generate eight legitimate sales to recover financially from the chargeback and lost inventory. Thankfully, it’s possible to build a wall around your ecommerce site, featuring a big gate to allow legit sales through.

Let’s take a closer look at the tools and strategies you can take advantage of to secure your ecommerce site, without losing legitimate sales.

Understanding the Warning Signs of Fraudulent Transactions

Fraudulent transactions can lead to chargebacks and loss of merchandise. There are a few warning signs that ecommerce stores should look for when reviewing new or unusual customer requests.

  1. More than one payment method being utilized from a single IP address. This could be an individual using stolen credit cards to submit orders and receive goods that they can sell.
  2. Foreign billing or shipping addresses are a red flag. Most software can only verify addresses properly within the US and UK.
  3. Large volume orders for a single item from a new customer – this could be a fraudster acquiring product to resell with someone else’s credit card.
  4. A series of orders, shipped to the same address, but placed using different payment methods.

Manual review of orders is always best, even if you only check the ones that meet the above criteria. Some review and spot-checking is always better than blind hope.
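As an added example (not code from the original article), this script applies the four warning signs above to a batch of constructed orders and returns the ones that should go to manual review. The quantity threshold, the field names and the order records are assumptions; the UK is written as its ISO code GB.

```python
"""Flag orders that match the four warning signs for manual review.
Added example, not the article's code; orders and thresholds are constructed."""
from collections import defaultdict

# Constructed sample orders: one record per checkout on the store.
ORDERS = [
    {"id": 1, "ip": "203.0.113.5", "payment": "card-4242", "ship_to": "1 Main St, Denver, US", "country": "US", "qty": 1, "new_customer": False},
    {"id": 2, "ip": "203.0.113.5", "payment": "card-9911", "ship_to": "1 Main St, Denver, US", "country": "US", "qty": 1, "new_customer": True},
    {"id": 3, "ip": "198.51.100.7", "payment": "paypal-a1", "ship_to": "1 Main St, Denver, US", "country": "US", "qty": 1, "new_customer": True},
    {"id": 4, "ip": "198.51.100.9", "payment": "card-1234", "ship_to": "12 Rue Lepic, Paris, FR", "country": "FR", "qty": 2, "new_customer": False},
    {"id": 5, "ip": "192.0.2.44", "payment": "card-7777", "ship_to": "9 Oak Ave, Austin, US", "country": "US", "qty": 25, "new_customer": True},
    {"id": 6, "ip": "192.0.2.80", "payment": "card-5555", "ship_to": "4 Pine Rd, Boston, US", "country": "US", "qty": 1, "new_customer": False},
]

BULK_QTY = 10               # assumed threshold for a "large volume" single-item order
VERIFIABLE = {"US", "GB"}   # countries where address verification works, per the article


def flag_orders(orders):
    """Return {order_id: [reasons]} for every order that needs a human look."""
    payments_by_ip = defaultdict(set)
    payments_by_addr = defaultdict(set)
    for o in orders:
        payments_by_ip[o["ip"]].add(o["payment"])
        payments_by_addr[o["ship_to"]].add(o["payment"])

    flagged = {}
    for o in orders:
        reasons = []
        if len(payments_by_ip[o["ip"]]) > 1:            # sign 1
            reasons.append("multiple payment methods from one IP")
        if o["country"] not in VERIFIABLE:               # sign 2
            reasons.append("address outside verifiable countries")
        if o["new_customer"] and o["qty"] >= BULK_QTY:   # sign 3
            reasons.append("bulk order from new customer")
        if len(payments_by_addr[o["ship_to"]]) > 1:     # sign 4
            reasons.append("same shipping address, different payment methods")
        if reasons:
            flagged[o["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for order_id, reasons in flag_orders(ORDERS).items():
        print(f"order {order_id}: review -> {'; '.join(reasons)}")
```

Order 6 is the control: it trips none of the signs and is not returned.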

A fraud management expert can help you implement these tips. But, with a little know-how, you can complete all of these fraud management tips for yourself! If you do go the do-it-yourself route, it never hurts to have a security audit completed by a reputable cybersecurity firm.

1. SQL Injection – Preventing Your Website’s Forms from Becoming Vulnerabilities

[Image: Secure your ecommerce website against SQL Injection]

Did you know that it’s possible to submit a fraudulent SQL command to your site by inserting the command into a form on your website? This could be the form that your customers use to sign up for your e-newsletter, or to set up an initial consult.

To prevent this type of fraud, you need to scan your site daily for SQL injection vulnerabilities. Internet security companies, like Norton, have products to help with this. But, you can also find free site scanners:
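Scanners find the symptom; the root cause is a form value being pasted into the SQL text. As an added example (not from the article), here is a newsletter look-up written both ways against a constructed in-memory SQLite table, so you can see the injected form value return every row in one version and nothing in the other.

```python
"""Newsletter sign-up look-up: string-built query beside the parameterized fix.
Added example, not the article's code; the table and its rows are constructed."""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscribers (email TEXT, plan TEXT)")
    db.executemany("INSERT INTO subscribers VALUES (?, ?)",
                   [("alice@example.com", "free"), ("bob@example.com", "vip")])
    return db


def lookup_vulnerable(db, email):
    """Builds the SQL by concatenation: whatever the visitor typed becomes code."""
    sql = "SELECT email, plan FROM subscribers WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, email):
    """Parameterized query: the value travels separately from the SQL text,
    so the visitor's input can only ever be compared as a literal string."""
    sql = "SELECT email, plan FROM subscribers WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()


# A constructed form value that closes the quoted literal and appends an
# always-true condition; it is the textbook test case a scanner submits.
INJECTED = "x' OR '1'='1"

if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable(make_db(), INJECTED))  # every subscriber
    print("safe:      ", lookup_safe(make_db(), INJECTED))        # no match
```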

2. Cross-Site Scripting – Turning a Bad Request into a Bad Day

[Image: Cross-Site Scripting - Ecommerce Fraud Example]

How do your website and the server that hosts it handle GET requests, or the posting of executable code in the comments section of your blog posts? Ideally, such requests, loaded with code meant to compromise your security, should be blocked from executing.

Best practices for protecting your site from XSS:

  • Ensure that all site and server modules are up-to-date. Reputable third-party developers provide ongoing updates based on evolving security threats. But, these do your site no good if they aren’t installed.
  • Use a site scanner, like the ones listed above, to identify potential vulnerabilities.
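Updates and scanners help, but the durable defence against script posted in a comment is to escape it on output. As an added example (not the article's code), this renders a constructed blog comment with and without escaping, including the attribute context where a name can otherwise break out of a quoted value; the comment text and the rough check are constructed for illustration.

```python
"""Blog-comment rendering: unescaped output lets posted markup execute in every
reader's browser; escaping on output turns it into harmless text.
Added example, not the article's code; inputs are constructed."""
from html import escape

# Constructed visitor input: a script in the comment body and an attribute
# break-out attempt in the display name.
NAME = 'Bob" onmouseover="alert(1)'
COMMENT = '<script>alert("xss")</script>'

# Defence-in-depth header to send alongside escaping (assumed policy values).
CSP_HEADER = {"Content-Security-Policy": "default-src 'self'; script-src 'self'"}


def render_unsafe(name, comment):
    """Inserts the raw strings into the template; the browser executes them."""
    return f'<div class="comment" data-author="{name}"><p>{comment}</p></div>'


def render_safe(name, comment):
    """Escapes on output. quote=True also encodes " and ' so a value placed in an
    attribute cannot close it and add an event handler."""
    return (f'<div class="comment" data-author="{escape(name, quote=True)}">'
            f'<p>{escape(comment)}</p></div>')


def contains_active_markup(html):
    """Crude illustration-only check: does a raw tag or an attribute break-out
    survive in the rendered output?"""
    lowered = html.lower()
    return "<script" in lowered or '" on' in lowered


if __name__ == "__main__":
    print(render_unsafe(NAME, COMMENT))
    print(render_safe(NAME, COMMENT))
```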

3. Brute Force Attacks – Keeping the Attackers Guessing

[Image: Brute Force Attack]

83% of domestic e-commerce attacks in the US were completed using a botnet. (PYMNTS)

One of the ways botnets are utilized is in a brute force attack – simply guessing the details required to access the admin section of your e-commerce site. All that’s required is a program that repeatedly attempts to log in with different passwords, and enough uninterrupted time for one of them to work.

Steps you can take to stop a brute force attack in its tracks:

  • Use complex, lengthy passwords featuring symbols, capitalization and numbers.
  • Require two-factor authentication before users can login.
  • Use a captcha or similar tool to challenge visitors to your login page.
  • Change passwords every 3 months. Immediately change passwords after a termination or conclusion of work by an outside contractor.
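The steps above take the guessing out of the attacker's hands; the server can also refuse to keep answering. As an added example (not the article's code), this login throttle locks an account after a run of failures and doubles the lockout each time, which is what makes "enough uninterrupted time" unavailable to a botnet. The thresholds are assumptions, and the clock is injectable so the behaviour can be checked without waiting.

```python
"""Login throttle with escalating lockouts.
Added example, not the article's code; thresholds are assumed values."""
import time
from dataclasses import dataclass

MAX_FAILURES = 5      # assumed: failed attempts allowed before a lockout
BASE_LOCKOUT = 60.0   # assumed: first lockout in seconds, doubled on each repeat


@dataclass
class AccountState:
    failures: int = 0
    lockouts: int = 0
    locked_until: float = 0.0


class LoginThrottle:
    """Track failures per key. Use one key per account name and a second key
    per client IP so a botnet cannot spread its guesses across accounts."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock for testing
        self.state = {}

    def _get(self, key):
        return self.state.setdefault(key, AccountState())

    def is_locked(self, key):
        return self.now() < self._get(key).locked_until

    def lockout_remaining(self, key):
        return max(0.0, self._get(key).locked_until - self.now())

    def record_failure(self, key):
        """Count a failed attempt; returns True when this one triggers a lockout.
        The login handler should refuse attempts while is_locked() is True."""
        s = self._get(key)
        s.failures += 1
        if s.failures >= MAX_FAILURES:
            s.failures = 0
            s.locked_until = self.now() + BASE_LOCKOUT * (2 ** s.lockouts)
            s.lockouts += 1
            return True
        return False

    def record_success(self, key):
        """Password plus second factor accepted: clear the counters for this key."""
        self.state.pop(key, None)
```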

4. Tighten Your Website’s Relative Security and Slash Ecommerce Fraud

Relative Security is the measure of how juicy a target your ecommerce website is, relative to the rest of the web. Political sites, financial firms and large companies have a high relative security risk.

Based on your site’s relative security, you may need to spend extra time and resources on the ecommerce fraud prevention tips I’ll cover below.


[Image: Ecommerce Fraudster]

Steps for Performing a Relative Security Assessment

  1. Create an Enemy Profile by answering the following questions:
    1. Do individuals or organizations exist that would like to hurt me or my company?
    2. Could an individual make money by attacking my website?
    3. Do my enemies have the technical skills necessary to hack a website?
  2. Consider how your company is perceived in the world.
    1. Does my company have a solid reputation?
    2. Are there steps we could take as an organization to minimize conflict and improve our image?
    3. How is my company representing itself online? Is the substance or tone of our content unnecessarily aggressive or aggravating?

To improve your site’s relative security, and reduce its online fraud risk, identify opportunities to disengage from politically divisive topics, and avoid advertising your financial success unnecessarily.

If the outside world perceives you or your organization as a financially lucrative target, or a political adversary, these are red flags that the security of your website needs to be taken extremely seriously.

5. Improve Your Online Store Security with PCI Compliance

Payment Card Industry (PCI) Standards are the baseline standards that the credit card companies have set up in order to provide a secure internet for customers and merchants, reducing online fraud in their industry.

Important PCI Security Council resources include

6. Remove Customer Financial Data from Your Site by Utilizing a 3rd Party Payment Processing System

The best way to protect your customers’ financial data from an attack on your ecommerce site is by removing credit card and other financial information from your site. A third-party payment gateway can securely handle customer financial data on your behalf.

You need to select a qualified payment processor – one that’s compatible with your ecommerce platform, and offers industry-leading fraud prevention. Identity theft detection is also a great feature to look for. Some merchant payment processors provide identity theft protection as part of their service agreement.

10 Payment Processors that Securely Handle Customer Financial Data on Your Site’s Behalf

X-Payments is one of the ecommerce platforms I recommend because of its built-in fraud prevention features. There are a variety of payment processing integrations that provide PCI compliance to help prevent credit card fraud, and end-to-end compatibility with X-Cart (and many other ecommerce platforms).

The list below is ranked in order of popularity:

  1. PayPal
  2. X-Payments Connector
  3. Authorize.Net SIM
  4. Sage Pay (Form)
  5. Stripe
  6. Skrill
  7. Amazon Pay
  8. Fastlane Checkout
  10. Quantum

Installation Instructions:

  1. Create an account with your preferred payment processor.
    1. Select a payment processor based on the fees they charge and their availability in your region.
    2. Provide the details for your business’ checking account – this is where funds will be deposited or transferred, at your direction.
  2. Follow the instructions they provide for integrating their platform with your website – usually a very straightforward process that involves the automated installation of a module.
  3. Sit back and enjoy the peace of mind that comes from knowing your customers’ financial data isn’t stored on your ecommerce site – removing a great deal of liability from your company.

7. Eradicate Default Passwords from Your Online Store

You wouldn’t keep the old locks on your front door after you purchase a new home, would you? After you’ve installed your ecommerce shopping cart, or installed a new module, it’s time to reset the default passwords that were created during installation.

This tip massively reduces your fraud risk. Once you’re comfortable with the terminology used to describe different users and their roles within your site:

  1. Check the “Users Management” tab. Ensure there aren’t any extra admins listed for your site.
  2. Replace the passwords for each admin user with a secure password – I recommend a long, complex password generated by
  3. For easy password management, I use Keeper to help me remember my secure, complex passwords. The ability to copy and paste passwords into forms is a HUGE help.
  4. Check every online tool and piece of hardware you use to ensure there are no default admin/password configurations leftover.

A long, complex password makes your site more secure by requiring a lot more work from hackers and fraudsters before they can break in.

Two-factor authentication is an excellent solution for making it even more difficult for thieves to break in. With two-factor authentication, users will be required to enter their password and then enter a one-time code sent to their smartphone or email address before gaining access to your admin console.

If figuring out a long password is time consuming, hacking multiple platforms to retrieve an access code is even more difficult.

8. Monitor Your Ecommerce Site for Core File Changes Using Monitoring Software

Who’s got two thumbs and better things to do than sit around and provide real-time fraud detection? This guy! And, unless you’ve suffered an unfortunate accident, I’m guessing you’d like an automated fraud detection solution too.

Thankfully, there are programs that will monitor your site for changes made to the core files of your ecommerce platform. The minute a core file is changed, an alert is sent out to admins. If the change was fraudulent, some software will even let you roll back the change with the click of a button.

Changes to your site that are made during hours you are sleeping, or from unrecognized IP addresses, should be an immediate red flag.


OSSEC is a free tool I use to monitor changes to my sites in real time. If a hacker gets through my defenses and manages to make changes, I’m immediately alerted. If the change was fraudulent, I can restore the compromised files from a safe backup – safeguarding future customers from being compromised.

Then, it’s time to dig into the logs. Once I know who altered the file, I can block their access.
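The core of what a monitor like OSSEC does for you is a hash baseline and a comparison. As an added example (not OSSEC's code or the article's), this records a SHA-256 snapshot of a store's files and reports anything modified, added or deleted; the demo builds its files in a temporary directory so it runs stand-alone, and the file names are constructed.

```python
"""File-integrity check for a store's core files: SHA-256 baseline, then diff.
Added example, not OSSEC's or the article's code; files are constructed."""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> SHA-256 for every file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = hash_file(full)
    return result


def compare(baseline, current):
    """Everything here is an alert candidate; 'added' files in a core directory
    are the ones that most often turn out to be planted by an intruder."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Simulate an install, take a baseline, then tamper with checkout.php and
    drop an unexpected file; return the resulting report."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "modules"))
    with open(os.path.join(root, "checkout.php"), "w") as f:
        f.write("<?php // original checkout\n")
    with open(os.path.join(root, "modules", "cart.php"), "w") as f:
        f.write("<?php // cart module\n")
    baseline = json.loads(json.dumps(snapshot(root)))   # keep the baseline off the web host in practice
    with open(os.path.join(root, "checkout.php"), "a") as f:
        f.write("// injected change\n")
    with open(os.path.join(root, "x.php"), "w") as f:
        f.write("<?php // unexpected new file\n")
    return compare(baseline, snapshot(root))
```

Run the snapshot on a schedule (or from an inotify-style watcher) and alert on any non-empty list; the unchanged modules/cart.php never appears in the report.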

9. Regular Site Backups ARE MANDATORY

How often are you backing up your website? If your answer is less than every 24 hours, you’re asking for trouble.

If someone manages to hack into your site, you need to be able to restore it quickly to prevent extended interruptions to your customers. Rebuilding lost resources takes hours, and possibly days. Restoring from a backup takes a few mouse clicks.

10. When Transmitting to and From Your Site, Encrypted Data is Secure Data

If someone stole your letter from the mailman, would they be able to read it? If you sent your letter using a code that only you and the intended recipient know, it’s virtually impossible for the thief to gather any usable information. Your information is safe, even though it was intercepted.

To secure the information sent between your website and your customer’s computer, you need to use encryption on your site. This is done with a Secure Sockets Layer (SSL) certificate that is unique to your site. To create one, you’ll need to:

  1. Purchase an SSL Certificate from a reputable vendor. This does not create the certificate – you’ll need to complete the following steps before you’ll have a usable certificate. Payment simply gets the ball rolling.
  2. Submit a certificate request form. This involves verifying your identity, billing address, phone number, and legal ownership of your website.
  3. If you intend to install the certificate on a server that you own, you’ll need to generate a certificate signing request (CSR). For shared hosting or managed solutions, this step will need to be completed by the owner of your server – something they are already very familiar with and can quickly complete on your behalf.
  4. If you own your server, you’ll need to download the files for your SSL Certificate and install them onto your server. Most managed hosting or shared server providers will complete this step on your behalf.

At this stage, you’ve encrypted the communication between your site and the outside world. This is a HUGE step towards a safer customer experience – and the added trust badge will help contribute to customer loyalty and trust.

Don’t believe me? Don’t take my word for it. Here are the numbers, courtesy of DigiCert – showcasing the power of completing the process of securing an extended validation (EV) SSL certificate.

[Image: Certificates Matter]

71% of Merchant Losses Attributed to Friendly Fraud

Friendly fraud is a type of credit card fraud where a legitimate customer interacts with your ecommerce site, makes a purchase, and then changes their mind later. Instead of adhering to your return policy, they submit a chargeback through their credit card provider.

[Image: Payment Fraud]

This type of fraud makes up 71 percent of merchant losses (LexisNexis). To help understand and combat this type of fraud, you need to take the following actions:

  1. Ask the credit card companies you accept to provide you with a detailed list of their chargeback codes – these are the codes you’ll see when a chargeback is initiated against your merchant account.
  2. If a chargeback is related to a product issue (e.g. the customer claims the item wasn’t as described), it’s time to dig into how your company fulfills orders. Something likely went wrong, and it will continue costing you money until it’s resolved.
  3. Ensure that your charges are described properly on your customers’ credit card statements. A descriptive title, along with your customer service phone number, is a great way to cut down on forgetful customers charging back transactions that they don’t recognize on their statement.
  4. Use tracking numbers when shipping orders, and provide customers with this number. Proof of delivery can be important when fighting an unjustified chargeback.
  5. Ban the billing address of customers that submit unreasonable or fraudulent chargebacks. This should be handled on a case-by-case basis; remember, customers make innocent mistakes. But high-risk customers need to be blocked from submitting orders on your site.

Have you been the victim of an attack? How did you repair and prevent future attacks?

I look forward to learning about your personal experiences in the comment section below.