Building Strong Ecommerce Website Security to Combat Online Attacks

Between processing payments and taking in personal information, ecommerce sites unfortunately are appealing targets for hackers.

There have been several high-profile data breaches in recent years and one report even identified 29% of ecommerce website traffic as having malicious intentions.

Needless to say, ecommerce website security is top of mind for any platform and business.

A breach can permanently damage a company’s reputation and eliminate customer trust. Customers expect the business to take on the burden of security. New ecommerce security threats are arising with increased frequency and cybercrimes are becoming common. 

Security is not something that’s nice to have, it’s something you have to have.

Ecommerce sites receive and store a large amount of online transactions and user data — data that is of particular interest to bad actors.

Retail was the most targeted sector for cyber attacks, according to the 2020 Trustwave Global Security Report. It’s a battle that never ends and is always evolving as new and more sophisticated ways to attack are developed.

It’s on the business to keep the site — and customers — safe and secure. Good security practices lead to good security protocols.

Although new methods are popping up with increased regularity, these remain the most common ways hackers target ecommerce platforms:

Phishing attacks.

Phishing is social engineering. Here, attackers obtain private information about a target and use it in an attempt to trick someone into providing important information such as bank account information or social security numbers.

Malware and ransomware attacks.

Malware and ransomware go back to the dial up modem days of the internet. Malware can significantly damage systems and ransomware can completely lock you out unless you pay a ransom, with no guarantee you’ll ever be able to get access again.

SQL injection.

If there are vulnerabilities in the database where you store sensitive information, a malicious query can be injected to give the attacker view or even edit rights.

Cross-site scripting (XSS).

XSS inserts malicious code into a website, typically through JavaScript. This may or may not impact the site itself, but could impact customers or visitors to the site.

E-skimming.

In e-skimming, hackers steal sensitive payment information, such as credit card numbers, from online shoppers. This is typically done by injecting malicious code into ecommerce websites or point-of-sale (POS) systems to steal credit card details as customers make purchases.

Distributed Denial of Service (DDoS) attacks.

A Distributed Denial of Service (DDoS) overloads a website with traffic from multiple sources, making it unavailable to users. In a DDoS attack, a large number of compromised devices are used to flood a website with traffic.

Brute force tactics.

Brute force attacks are used by hackers where an attacker attempts to guess a user's login password by systematically trying every possible combination until the correct one is found.

This method is time-consuming and requires a lot of computing power, but it can be successful if the password is weak or simple.

Request a Demo

Schedule time with us to walk through the BigCommerce platform.

Request a Demo

Not all security threats come from the outside. There are plenty of internal threats — some of them wholly unintentional — that ecommerce companies should be aware of.

Employee negligence.

It’s unfortunate, but many cybersecurity attacks succeed because of simple human negligence. This occurs when employees fail to follow established security policies and procedures, such as using weak passwords, clicking on suspicious links or attachments, or sharing sensitive information with unauthorized parties.

Employee sabotage.

On the other end of the spectrum from negligence is intentional sabotage. While there’s no sure-fire way of avoiding disgruntled employees, limiting access to sensitive data, enforcing strong password standards and having regular reviews of access will help mitigate damage.

Third-party insiders.

This expands employee sabotage to additional parties working with your company. Contractors, vendors or even customers may be exposed to attackers, who then bring that contagion into your systems.

Data breaches don’t just hit small businesses with limited resources. Even some of the world’s biggest brands have been negatively impacted.

adidas.

The global shoe company has been hit hard in the past. In 2018, the company’s U.S. website was impacted with customer contact information exposed.

Mercari.

Mercari is a Japanese ecommerce company that operates an online marketplace. In 2021, the company disclosed a major data breach incident.

Target.

Target’s ecommerce store was affected by one of the largest data breaches in history. In 2013, millions of customers were impacted by a cyber attack that exploited vulnerabilities in the company's payment gateway, allowing hackers to steal payment card information such as credit and debit card numbers, expiration dates and CVV codes.

Online businesses never want to be in the headlines for a security reason. Following these best practices will at least greatly reduce the chances of possible security issues.

Create a password policy for your company.

Require complex passwords that require at least eight characters, with a mix of upper and lowercase letters, numbers and symbols. This should be mandatory for employees and customers alike.

Limit access to sensitive data.

Sensitive data should only be accessible by users and systems that absolutely need it. The fewer access points, the better.

Routinely audit security vulnerabilities and conduct penetration tests.

The best way to defend against bots and hackers is to think like one. Conduct regular attack simulations and attempt to breach your own systems in real time. This will identify weak points before others take advantage of them.

Create a security plan for adding plugins and third-party integrations.

Take stock of what third-party systems are included in your tech stack and ensure that they are fully up-to-date. Identify the security of each and ensure that they meet your own security standards.

Ensure compliance with PCI-DSS regulations.

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards that must be followed by any organization that accepts credit or debit card payments. PCI compliance is mandatory, so you should be up-to-date on any changes to the standards.

Choose a secure ecommerce platform.

All parts of your store should be prepared for the unique requirements of ecommerce. From payments to data storage to logistics, your entire tech stack should meet the highest security standards.

Use an SSL certificate.

Secure Sockets Layer (SSL) certificates are increasingly common in ecommerce and establish a secure, encrypted connection between a web server and browser.

The SSL certificate verifies the identity of the website, and the encryption technology ensures that any data transmitted between the server and the browser remains private and cannot be intercepted or tampered with.

Two-factor authentication.

By now, we’re all familiar with getting a code texted to us to log into a system. 2FA is much more common now and serves as a strong layer of defense and provides an additional step in confirming identities.

Keep your software up-to-date.

Software in your tech stack are likely to receive regular updates and patches, which will include additional security. Ensure all software is updated when necessary.

Train your employees and contractors on best practices.

Social engineering happens all the time and it’s on the company to train and inform their workforce of how to avoid attacks. Companies regularly test their employees with fake emails to see how receptive they are to phishing attacks.

Develop an incident response plan.

Though you may work to avoid all attacks, business owners should always be prepared for the worst. Have a fully realized response plan in the event of a breach, which should include identification, mitigation and communication.

There are standards — both legal and industry — that every ecommerce company will be expected to meet. This does not guarantee a secure platform, but meeting these does help protect customer information.

Payment Card Industry Data Security Standard (PCI-DSS).

Any entity that processes credit card transactions must meet PCI-DSS standards. These guidelines protect credit card information, from storage to checkout.

General Data Protection Regulation (GDPR).

The European Union enacted GDPR to protect the personal information of all EU citizens. This applies to businesses that exist outside the EU but sell to Europeans as well.

California Consumer Privacy Act (CCPA).

The CCPA is similar to the GDPR, but is specific to the state of California only. It’s the strictest standard currently in the United States.

Replatforming Guide: A Roadmap for Migrating Your Ecommerce Store

Make your ecommerce replatforming project a success with our step-by-step guide filled with best practices from enterprise migration experts.

Download Now

Security is vital for both keeping ecommerce businesses open and for keeping the trust of customers.

By voluntarily handing over personal information, they are trusting ecommerce companies to manage and protect customer data.

Whether it’s a Web Application Firewall (WAF), a Content Delivery Network (CDN) or protecting a customer’s credit card data, it’s on the online store to have stringent security measures in place.