Digital transformation—two words that each bubble with power (and a little overuse). Despite whatever emotions surface on hearing those two words, you need to understand what they mean for your consumer business to succeed in today’s new digital order. You own the challenge of guiding your business through change and disruption to come out on the other side transformed and thriving.
E-commerce might as well drop its “e” as more commercial businesses survive by moving online, in whole or part, to stay competitive. Even businesses that succeed with brick-and-mortar storefronts rely on customers browsing or competitively shopping online. Maintaining a high level of security while establishing, running, or transferring to a digital business is a challenge. Traditional brick-and-mortar companies now have to adapt to convenient digital shopping carts, 24-hour availability, an endless selection from virtual storehouses, fast shipping, and branded blogs hosted in the cloud and tied together by a ball of rubber bands we call APIs.
The best way to secure your online or cloud-based business is to build security in from the start. New platforms, solutions, and application-based infrastructures require new ways of thinking. New pitfalls await companies entering cloud-based businesses. If you aren’t starting a newborn e-business, these cloud-based security considerations stand. Do a thorough audit and update of your security environment and consider updating or supplementing existing tools. (These guidelines should help!)
Regardless of whether you are newly born to e-commerce, old hat, or migrating existing businesses, here are specific e-commerce security vulnerabilities and practices you’ll want to pay close attention to. Not watching security is like boring holes in the structures that keep your business afloat.Sharing Responsibility for Your Security
Security is not automatic in the cloud. Cloud providers provide basic infrastructure security and physical security for the servers your code will execute on. However, you’re always responsible for the security of any data held in the cloud and web applications that touch your business and services. Ignoring this shared responsibility is a common cause of major data breaches like Walmart’s 2018 breach.
Amazon Web Services (AWS) has a published shared responsibility model, which every AWS client should read. (You can find it in their Security Best Practices white paper.) As more services are added to AWS, security complexity rises—questions, responsibilities, solutions, et al.—and the points where vulnerabilities may appear will increase in frequency and complexity, too. Get to know the shared responsibility model well so you can plan in advance how to put it to use effectively for your applications.
Once you know your responsibility, you need to invest in truly effective solutions that are designed for e-commerce. Namely: the right cloud-designed security tools that work with your infrastructure paired with good dev-side security testing. Ease-of-use should be paramount without sacrificing security, so look for automation and strong UI. If you won’t use a solution, it’s not really a solution.
Business changes as quickly as the data coming and going from the cloud. Keep your security as targeted and agile as your business models. You don’t have to sacrifice speed or performance for security provided you have the right tools for your environment, configured to the objectives, and easily implemented and fully adopted by your practitioners.
- API and microservices security
Security tools need to operate at the application layer, where traffic is most diverse in content and source. Be sure your security solution is designed to dive deep into layer-7 applications and can really get into application payloads.
- Container friendly
Be sure your security solutions work with containerized architecture.
The digital world changes quickly. Be sure your solutions can scale with autoscaling or varying traffic loads.
Your security needs to be able to operate in multiple locations and adjust to seasonal (or sales/event-related) spikes in traffic.
- Tool affinity
Be sure that your tools are friendly with your other security tools and interfaces. Look for AI or neural networks that can help learn from your traffic so they get smarter as you grow.
Automation can help with larger data loads, noise reduction, and save your teams time on administration and oversight. Without the heavy lifting and false-positives, your security practitioners can move vulnerabilities into fixes for stronger code and better security, quickly.
If you are producing your own e-commerce applications, protect yourself before you go to market. An intelligent tool that fits into your pipeline can monitor for threats and abnormalities in your own code. Once in production, vulnerabilities not only become more dangerous, they become much more costly and time-consuming to fix or recover from, should they lead to attacks or breaches. When looking for a DevOps security tool, look for the following:
- Toolchain friendly
Find a solution that works easily with your existing toolchain. If you are going to replace your entire security toolset, you should still look for solutions that are designed to be adaptive and allow customization throughout your infrastructure. Tools should help your workflow, not stymie it in unnecessary brand territory grabs.
- In CI/CD pipeline
A tool that isn’t adopted or hinders flows, is as good as useless. Make sure all security solutions sit comfortably in your pipeline and don’t require oversight, tuning, or heavy-lifting in deployment or maintenance that will decelerate work or deter adoption.
- Truly automated security testing
To keep up with the speed of CI/CD workflows and the enormity of data loads and respective complexity, look for automation. Check to see that automation doesn’t, in reality, introduce lots of manual labor or administration time. Automation can also save in costs and work fatigue, taking on the tedious tasks formerly assigned to high-level security.
- Comprehensive testing
Check that any DevOps security testing solutions are drawing from the best, most-updated libraries and using advanced detection technologies to comprehensively dig into payloads, where it counts. All new code should be inspected before launch. To avoid drag, find solutions that do not check the already-secured code but target new code only. Look for solutions that intelligently, accurately flag vulnerabilities and anomalies.
- Easy UI and Reporting
Usability is critical to keeping workflows moving. Look for easy-to-read reporting, flagging, and UI. This allows you to deliver problems that matter to developers quickly with little security expertise required on the dev side.
Invest in the right tools to expose sensitive data and security weaknesses. Fix issues as they arise while building your applications instead of tacking security on at the end. Build security into your CI/CD process to alert you early and often to security problems in your code.Common Risks for E-Commerce Businesses
Every industry has unique risks and security pitfalls to avoid. Let’s take a look at some security risks common to e-commerce businesses and how to prevent them.
Don’t let hackers undermine the legitimate customer data your business hinges on. Account takeover occurs when a malicious hacker steals a legitimate user’s credentials for a site and uses them to perform actions the user didn’t intend. Account takeover is a persistently serious issue for e-commerce businesses, causing $5.1 billion in losses in 2017 alone.
Phishing attacks are a major cause of account takeover. Attackers email users by impersonating a brand— going so far as to steal real brand logos or slightly dissimilar URLs to look legitimate. You’ve probably received one of these phishing attempts in your own inbox.
Phishing emails often ask for the user’s credentials or personal data using social engineering tactics, like fear and urgency. They may claim to protect the targeted customer.
For example, an email may claim a user’s account will be shut down or compromised if they don’t authenticate their account or transactions by entering their username and password immediately. “Your data may have been compromised. In order to check on potential fraud to your account, please login here with your name and password.”
Or, they may promise rewards or discounts in exchange for entering personal data, like a social security number. “You’ve been preselected for a federal loan consolidation program based on your student debt and credit rating. Please enter your social security number to access this limited time relief program.”
What can you do to avoid phishing attacks on your customers? The best way to protect users is to educate them. Clearly inform them up front that you will never ask for passwords or personal data, except as defined by your business. More proactively, consider educating customers on phishing attacks before attacks occur using your brand. You’ll help your branding by presenting yourself as a responsible steward of their data and bolster your system security at the same time.Back all user education initiatives with technical steps to keep user data safe. Here are some to consider:
- Monitor login attempts and user behavior for suspicious activity
- IP blacklisting
- Limiting login attempts
- AI-based bot detection software
Bonus Promos Abuse
No good deed goes unpunished, as skeptics and shrewd businessmen may say. Bonuses are important tools for building a loyal customer base and attracting new customers. Unfortunately, some malicious users attempt to abuse bonuses to steal more value than they have a right to.
Promo abuse is often seen when users create multiple accounts to try to take advantage of the promo over and over again. Elon Musk shut down Tesla’s referral promo when some owners paid for Google ads promoting their codes. One Uber rider gamed their promo code system and gathered $50,000 in free rides. Don’t let thieves spoil the spoils. Stopping promo codes completely is a cost to your business and can limit customer goodwill initiatives. Opt to create processes and tools to monitor for suspicious activity and shut it down. There are a number of ways to do this.
The simplest solution for promo abuse is to limit accounts:
- Track the user’s device and IP address.
- Add to your terms and conditions that opening accounts from the same device is a violation.
- Block users from attempting to open multiple accounts from the same device.
A less invasive option is to use behavioral analytics to watch new accounts for suspicious behavior, such as sending out referrals immediately without looking at any products. Depending on your business model and how aggressively you want to pursue promos, you can apply parameters for limiting and monitoring accounts.
The Good, the Bot, and the Ugly
Small, automated software programs—or bots—have made a multitude of tedious tasks easier to complete in less time. They are usually streamlined for very specific functions. Search engines use bots to scan and index web pages on the Internet. Chatbots make customer support easier for e-commerce and SAAS companies. Bots can monitor websites for performance problems or tell you the news and weather on demand.
Not all bots have your best interest at heart. Many bots have been created to create an unfair competitive advantage. Some predatory bots can scrape a site for inventory and prices to underbid vendors based on this insider knowledge. Other bots are maliciously designed to attack a site.
A particularly ugly bot of late is designed to perform account takeover attacks. They can be used to buy products with stolen credit card numbers or buy out your inventory in order to sell items for higher prices elsewhere. They can also be used to perform distributed denial of service (DDoS) attacks against your site.
As with any relationship, there is an innate vulnerability that comes with using an outside service. Using third-party bot software to provide customer service makes a lot of business sense, providing the vendor is good about security. Make sure all your bot vendors follow strong security practices. A careless bot vendor could result in having your customers’ data stolen by attacking the insecure bot software.
What is the best defense against bot-based attacks? AI, or machine learning, is probably the most powerful tool to prevent bot attacks. Only monitoring for known vulnerabilities can fall short of bots, which operate like non-malicious bots from a surface view. Machine learning can monitor traffic over time, creating a baseline of normal behavior. Behavioral analytics tools so determine what normal behavior looks like and then flags behavior that deviates as abnormal. That abnormal behavior could easily be a malicious bot.
Using intelligent solutions also means that your tools can get smarter as they grow with you. It can learn from both experiencing your traffic and learning from how you respond to alerts and flags. And, your developers will learn with it, seeing weaknesses in the code before it’s too late. Build protection into your applications that alert when bots are detected so they can be blocked quickly.
Navigating the Compliance Landscape
E-commerce businesses have to think about compliance and regulations early in planning for any online presence. The number of regulations to be followed will undoubtedly increase over time as more governments notice the importance of privacy and security for end users. Insurance companies struggling with how to think about data privacy and protection are also pushing the needle for stricter security accountability on the part of business owners.
Let’s dive into some specific regulations you have to plan for in an e-commerce business.
Managing PCI Compliance
Every e-commerce business should think about PCI compliance early—and check compliance regularly. (PCI, or PCI DSS, is shorthand for Payment Card Identity Data Security Standard.) The digital world is constantly evolving. PCI compliance is especially challenging for e-commerce because of continually shifting requirements based on how companies may transmit, store, and process payment card information. New payment forms, methods, and landscapes are continually being introduced. And your business needs to keep up. A company like Apple can introduce new payment methods without thinking of every e-commerce storefront that will feel the benefit of quickly adopting it.
Let’s use integrating with PayPal as an example. PayPal is what PCI refers to as a Payment Service Provider—or PSP. PSPs have a direct relationship with credit card companies and banks. They do the “dirty work” of processing the credit card transactions between a vendor and consumer. Using payment gateways like PayPal can simplify your compliance requirements under PCI. Unfortunately, simplification isn’t the same as doing away with compliance.Using PSPs doesn’t absolve you of all responsibility for PCI compliance. Variations in infrastructure or processes can determine compliance—and, in reality, your vulnerability to attacks and breaches. Technical details unwaveringly affect what you need to do to remain compliant. Let’s examine two basic scenarios that change PCI compliance when using PayPal as an example of PSP use:
- 100% redirect to PayPal – Compliance Guaranteed
In this case, a user is never entering their credit card info into your site. (Possession is 9/10ths of the law.) All payment information is redirected to PayPal.The form they fill out is 100% on PayPal’s site.
Your part is then only to validate the payment using the 14-question SAQ A and you remain PCI compliant. You don’t need the normally mandated security scanning or a yearly penetration test (though we recommend them).
- Hosting PayPal API’s – Compliance Not Guaranteed
A PSP does not ensure compliance. If you create your own form, host it on your own website, and use PayPal’s APIs to process credit card information, your obligation under PCI increases dramatically.
You need to validate using the 139-question SAQ A-EP. Quarterly scans with annual penetration testing are required. Make sure any security provider or tools are contributing to that compliance. Even though you’re using PayPal to process payments, you’re taking more risk on your shoulders. Take extra precautions to prevent attackers from stealing payment card data and meet PCI DSS.
Check out PCI’s e-commerce best practices to see what your business will need.
APIs are invaluable for making highly adaptive, quick-responding, multi-functional e-commerce landscapes for businesses. They also come with added responsibility, which includes additional security testing that should function at the application level. For payment processing, consider the costs and benefits of hosting payments on your site with APIs or using a PSP.GDPR and Other Regulations
As governments get wind of the downsides of the connected world brought forth by the Internet, more regulations will be coming. GDPR was the start of strong regulation of the privacy and data of end users, but it isn’t the last.
A great article by Yottaa outlines the steps e-commerce businesses can take to become GDPR compliant:
- Get a strong, compliance-friendly data protection solution
Outside of GDPR, securing data privacy is invaluable. While GDPR will demand you have certain protections in place, these requirements are in many ways a common-sense measure. Don’t wait for regulations to take place locally to secure data privacy.
- Determine the financial significance of GDPR to your business
Determine how many of your customers live in the European Union and the impact of GDPR on your business.
- Consider blocking EU visitors
Always consider having a strong, comprehensive security solution in place to ensure data privacy. If you aren’t 100% sure your systems and the systems of your third-party providers are GDPR compliant, consider blocking EU traffic temporarily until proper measures are in place.
- Audit your current data collection
Understand what data you’re collecting. Limit data collection to the essential information on users, not superfluous or highly sensitive data unless absolutely necessary. Never share or sell client data. Protect all data collection points and storage.
4 options for long-term GDPR compliance:
- Data approval and transparency
Create user areas wherever there is data collection where users can explicitly opt-in to you using their data. Be transparent and disclose how data will or will not be used. (This is also very good for building consumer trust and expanding customer goodwill.)
- Rich site or basic site
Never lose a lead. User behavior shows that consumers may go to a site several times before sharing information, buying or actioning on an item, or even looking to find a brick-and-mortar store for an online business. You cannot force a customer to give you data. Build an experience for shoppers who decline to give you data or use their data. It’ll be stripped down without cookies or any tracking mechanisms, but they can still shop at your site.
- Customized site based on data selections
As your company matures, customers continue to visit your site, or conversion actions are triggered, provide EU users with the option to opt-in or out of individual data collection practices. Trying to force data collection may work to generate leads, but can also lead to GDPR fines or loss of consumer trust.
- Seamless and GDPR-compliant shopping experience
In this option, you don’t present the user with a landing page full of opt-ins, but allow them to browse freely until they reach a point where tracking is necessary. You can then present them with the option to opt-in or opt-out within the shopping experience. This is the best solution to not chase users away with landing pages or downgraded sites.
Regardless of your long-term strategy, GDPR and other regulations will have an impact on your e-commerce site. Don’t wait to determine the impact of GDPR and up and coming regulations such as CCPA. These sorts of regulations come from legitimate concern for and awareness of the potential damage to consumers when their data is misused or breached.
NIST Compliance and Certification
The National Institute of Standards and Technology (NIST) provides IT security standards for the United States government and government contractors. Compliance isn’t a hardline requirement for every business, but it is a good practice.
NIST’s standards are high and thorough. A business compliant with NIST standards is complying with the minimum standards that government systems must comply with. NIST certification demonstrates that you take security seriously and use industry best practices to keep your customers safe.End User AuthenticationThe prevalence of account takeover attacks has encouraged companies to find stronger and multiply-sourced authentication practices. Authentication is the practice of identifying and verifying someone in a digital format.
Popular authentication practices are:
- 2-factor authentication
- One-time password generators
- Push notifications
Many e-commerce companies are moving to two-factor authentication options and/or biometrics to better combat account takeovers (think of your fingerprint or facial recognition locks on smartphones which are used to access the phone, apps, or verify mobile transactions.). Two-factor authentication forces the user to provide two proofs of identity. Users are prompted to register or confirm who they are using two forms of identification, like a password and code texted or emailed to them.
In two-factor authentication, a password is often the first go-to factor offered to the user by e-commerce sites. There are a lot of options for verifying through the second factor. A popular form of authentication can be a one-time password generator or a FIDO key.
One-time password generators often take the form of phone apps, like Google Authenticator, and verify possession of the device being used for the first time. It helps identify users across devices and recognize legitimate sources of customer actions. USB keys such as Yubikey are popular options for FIDO keys. FIDO uses public key cryptography to ensure no one else has possession of a particular key.
Despite the popularity of biometrics, they are not foolproof and can be prone to false positives. No matter what security authentication factors, services, or practices you use, stay vigilant on security risks. Always consider your risk tolerance when deciding on identity authentication systems for high-security transactions.
Software installed on the user’s device can send push notifications to the user on login. These notifications have the time and the IP address of the login and ask the user to verify whether they were the ones who initiated the login attempt.
Finally, user behavior analytics can be used to authenticate identity to some degree. Abnormal user behavior, including location and times of use, can signify fraud. For example, analytics can track the IP addresses and times of the day users typically login. A login attempt from a strange place or at a strange time, like 3:00 AM, can be used to trigger a block on the login attempt and/or an email to the user to verify the legitimacy of the transaction. Banking and credit cards have been using this sort of analytics-based behavioral analysis to fight fraud for decades. Activity in another country or abnormally high-ticket purchases are common triggers for fraud alerts.
E-commerce is particularly susceptible to account takeovers or fraud activity. Invest in tools and best practices that help ensure user identity. Newer technology, like advanced, real-time analytics and machine learning that monitors for abnormal user behavior can help. Smart encryption and authentication mechanisms built into development cycles, authentication tools, and API-focused security tools can also reduce the risk of account takeover and other security issues.Five Steps to Secure Your E-Commerce Business Now
5 Steps to for eCommerce Security
Let’s summarize with five key steps you need to take to secure your ecommerce business.
- Take security responsibility
Understand your shared responsibility in cloud security.
- Protect APIs & processing logic
E-commerce relies heavily on third party vendors and web applications to handle everything from mailings and blogs to payments and shipping. That means both your own data and that of your customers is a tasty target for hackers and seriously bad PR and recovery if otherwise breached. Make sure your APIs and processing logic are well-covered.
Finding API-level security solutions is part of finding e-commerce minded solutions.
- Understand methods of attack facing e-commerce
Protect your business and its customers against account takeover, bonus promo abuse, and malicious bots.
- Data privacy and compliance
Actively protect, limit, and educate around data privacy. Follow PCI compliance requirements. The right tools will help.
- Be ready for regulations
Prepare for increasing regulations like GDPR and CCPA that govern what you’re allowed to do with customer data. They’re also good guidelines for security, even if you are not obligated to them.
- Take authentication further
Enable strong authentication mechanisms, such as two-factor authentication and user behavior analytics.
The threat landscape for e-commerce is constantly changing. Implement the five steps above to keep your applications and customers safe. Keep your customers’ safety a priority in your business, and you’ll never run out of them.