How secure is your e-commerce website?
Protection against hackers and data thieves must be a priority for any Internet retailer, especially in light of security software provider Symantec's most recent Internet Security Threat Report, in which 429 million personal records were exposed as a result of cyber attacks in 2015. In addition, nine mega-breaches – singular attacks exposing over 10 million records – were reported that year.
And these were only the threats Symantec was able to track. The company expects the actual number of breaches to be more than half a billion. This discrepancy results from the fact that an increased number of companies – 85 percent more than in 2014 – did not report the number of records compromised during a security attack.
Symantec also reported that the number of web attacks against individuals in 2015 averaged one million threats per day. This is because 78 percent of what the company called "legitimate websites" had security vulnerabilities – this is up from 76 percent in 2014. Fifteen percent of legitimate websites had critical risks, making them incredibly easy targets for cyber criminals. While this number is not exactly good news, it is lower than the number of critically vulnerable websites found in 2014. At that time, 20 percent of websites had highly dangerous vulnerabilities.
In light of this research, business leaders must ask themselves what they must do to maintain a secure website. The following two steps go a long way toward making online stores safe:
1. Use HTTPS, not HTTP
HTTP stands for Hyper Text Transfer Protocol and describes the way data is sent between your website and the viewer's browser. HTTPS – Hyper Text Transfer Protocol Secure – adds protection via TLS. TLS stands for the Transport Layer Security protocol, and the term is used interchangeably with its predecessor, SSL. This protocol protects websites in three key ways, as Google explained. First, it encrypts the data that passes back and forth between a server and a browser. Second, it ensures this data cannot be manipulated as it travels. Finally, it authenticates a website, proving to users that the web page they're interacting with is from the company they expect.
Without the TLS protocol, anyone can view the data users send to a website and vice versa. They can alter this information and show users something unauthorized, or redirect viewers to a false website designed to look like an official one. This last tactic is often used in phishing attacks to trick unsuspecting consumers into handing over their personal or payment information to unauthorized parties.
While HTTPS is incredibly important for web pages with forms – for example, login pages or online checkout – Search Engine Land noted it also provides more accurate reporting for analytics programs. In addition, using HTTPS is beneficial for search engine optimization as Google gives websites with this protocol a slight boost in ranking. The lock icon that appears in the address bar of sites with the secure protocol also works as a symbol that puts users at ease.
To make the switch to HTTPS, business leaders or web developers must purchase a TLS certificate from their web host, install it on their server and select the pages they want protected.
2. Outsource payment processes to PCI-compliant third parties
Using a separate payment processor makes it easy for companies to accept orders from online customers. However, business leaders must be certain these third-party organizations place a heavy emphasis on security. The best way to do so is to use a processor that is compliant with the Payment Card Industry Data Security Standards. These guidelines dictate the measures businesses must take when handling card payments. They include steps such as establishing and maintaining secure networks, using firewalls, restricting access to cardholder information and creating custom passwords.
Although businesses aren't legally required to adhere to PCI standards, the guidelines apply to any company that handles card data. If an organization doesn't take steps to become compliant and get validated by a Qualified Security Assessor (QSA), it can be liable for any fees and damages as a result of a data breach.
PCI-compliant payment processors are especially beneficial because they minimize the number of steps a business must take to adhere to PCI standards. If even some of a customer's payment information passes through or is stored on the processor's servers, businesses don't have to worry about securing this data, according to PCI standards. Ultimately, a secure third-party processor eases both the burden of compliance and the difficulty of accepting online payments.
The consequences of an insecure website, as indicated by the multitude of attacks Symantec recorded, are too dire to ignore. While it's not the easiest part of establishing a business, security remains an important step in running an online store and gaining the trust of customers.
Brought to you by PacNet Services, your one-stop global payment processing solution.