Learn Ecommerce Security Tips
Your company should have a general grasp on ecommerce security. Learn essential information about securing your online store against cyber threats.
What is Ecommerce Security?
Cyber attacks have increased in both frequency and sophistication. It's a scary situation, and not one that is going to get better; in fact, I think the problem will only get worse. Protecting your ecommerce business against cyber threats is important, yet it is an area that more and more businesses ignore to their own peril.
You cannot afford to fall asleep at the wheel when running an online store: you hold valuable data, and the bad actors online want that information.
Before we get started, here are some important terms and acronyms you should know:
Personally identifiable information (PII) is any data that can be tied back to a specific individual, such as their name, address, telephone number, Social Security number, date of birth or credit card details. The related term "personal data" is slightly broader: it covers any information that can be used to identify an individual, including name, address, age, phone number, e-mail address, credit card details, login and password details, biometric data (such as a fingerprint or photo), and any other data that can be linked to an identifiable person. Protecting personal data matters in its own right, and it is also a legal obligation under data privacy laws such as GDPR.
Malware and ransomware.
Malware, or "malicious software," is software an attacker installs on your computer system to do something harmful, anything from slowing the machine down to crashing it. Ransomware is malware that encrypts your files so you cannot read them unless you pay a "ransom" to its author. There are several signs that your computer may be infected. If you experience any of the following symptoms, read this guide right away; it explains what to do to restore your PC to a clean state.
- Links take you to websites that have nothing to do with what you are reading.
- You are served a "trick" pop-up, often accompanied by a loud noise and an unexpected jump of your mouse pointer or keyboard focus.
- Pop-up ads appear where there were none before and keep coming back.
- Your website or browser misbehaves: it is too slow, keeps crashing, or frequently becomes unresponsive.
- Email to addresses that used to work suddenly comes back as invalid. If this happens, log into your email account directly, refresh it and resend the message.
Your ecommerce site is at risk if it stores data in a SQL database insecurely. In that case, an attacker could gain access to your website's source code and steal your customers' credit card information. Validation is very important when it comes to SQL injection: by validating all user input, you prevent an attacker from compromising your site by injecting malicious queries.
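The injection the paragraph warns about, shown side by side with the two defences a practitioner would combine, is illustrated below in an added example (written for this page, not code from the original article). It builds a constructed in-memory SQLite table, so it runs offline; the `customers` table, the sample rows and the `is_valid_email` check are all assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed sample data (not from any real store): a tiny customers table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, email):
    # The user-supplied value is pasted into the SQL text, so a value such as
    # ' OR '1'='1 changes the meaning of the WHERE clause and returns every row.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, email):
    # Parameterised query: the value travels separately from the SQL text and is
    # only ever compared as data, never parsed as SQL.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

# Deliberately simple email shape check (assumption for this example).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def is_valid_email(value):
    # Input validation as a second, independent layer: reject anything that
    # cannot be an email address before it reaches the database at all.
    return bool(EMAIL_RE.match(value))

def find_customer(conn, email):
    # Validate first, then query with parameters; returns [] for bad input.
    if not is_valid_email(email):
        return []
    return lookup_safe(conn, email)
```

Run `find_customer(make_db(), "' OR '1'='1")` and you get an empty list, whereas `lookup_vulnerable` with the same input returns every customer row. Validation alone is not enough (a legitimate-looking value can still carry quotes), which is why the parameterised query is the primary control and validation the backstop.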
What is Compliance, and How is it Different From Security?
There are two concepts that are often confused: (1) compliance and (2) cybersecurity. In some ways they are related, but there is a crucial distinction. There are important differences but, in many ways, it's the same game.
Legality is one aspect of compliance, but there are many others. If you are in the health care industry, for example, you need to be concerned with HIPAA, ADA, FERPA and a long list of other government regulations, as well as industry-specific regulations such as MLAA. However, meeting those web security standards does not necessarily mean your ecommerce site is fully secure. (Note that there are many web security standards your business may be required to adhere to, and many other major cybersecurity-related regulations that apply to website owners.)
The Biggest Security Threats to Your Ecommerce Site
There are so many different types and methods of cyber attack that it would be almost impossible to cover them all in one blog post, but I'll do my best. If I missed anything important, please don't hesitate to email me at [email protected]. There are also plenty of "crazies" who think they're hot stuff when it comes to ecommerce and will tell you their secret "wish-list" techniques for making huge profits. Ignore them; they're not worth your time or energy.
Social engineering is a type of security threat that relies on human behavior to succeed. Unlike many other types of threat (such as viruses or malware), it doesn't need to exploit your computer or device at all. Instead, it relies on natural human reactions to certain kinds of stimuli to trick users into doing something they wouldn't normally do, like giving out their private information.
Every once in a while, an attacker might send you an e-mail with a link to your store that supposedly lets you make updates to your website. It will read something like: "Hey Paul, did you know your product listing for widget X is out of date?" Don't trust anyone who contacts you for personal information unless you have confirmed with Amazon or BigCommerce themselves, and only contact customer support directly if you have questions about your account.
Multi-factor authentication (MFA), 2-factor authentication (2FA), or 2-step verification (2SV).
Multi-Factor Authentication (MFA), Two-Factor Authentication (2FA) and Two-Step Verification (2SV) are similar, but they have important differences. Here's a quick rundown of what they mean and when you should use each type of security measure. Even with all these extra layers of security, people will still try to hack your site; that's why it is important to use as many of these extra layers as possible. By using the techniques described in this guide, you'll make it much more difficult for malicious software and attackers (spyware, adware, "hackers" and so on) to break through the security of your site.
Here's a very high-level explanation of the differences:
Two-Step Verification (2SV) is a free feature that protects your Amazon accounts against unauthorized access. It requires users to enter a one-time code sent to their mobile device, which prevents someone from accessing your account even if they know your password.
Two-factor authentication (2FA) requires the user to use something they have (like their phone) as well as something they know (like their password). It increases security by requiring that someone not only prove they are who they say they are, but also that they are physically present at the device being used.
2FA is similar to MFA, but MFA can refer to the implementation of multiple factors of authentication. For example, you could require that someone who tries to log in to your site use both their username and their password as well as a verification code sent to them by email.
1. Payment Card Industry Data Security Standard (PCI DSS).
Don't know what PCI DSS (or simply "PCI") is? Don't worry, we'll explain it in plain English right here. Think of it this way: PCI is sort of like the NFL for online transactions.
2. International Organisation for Standardization (ISO).
ISO is a standards-setting organization that develops guidelines to ensure products and processes are safe and effective (it has nothing to do with the music group called "The Isos"). As part of its certification process, one requirement is that the business maintain a certain level of data security. Achieving certification shows that a company has high-quality management systems, a risk-averse approach to business and highly standardized business practices.
3. Distributed Denial of Service (DDoS).
Distributed Denial of Service (DDoS) attacks are attempts to shut down websites and services by overwhelming them with so much traffic that the website owner or service provider cannot keep the site or service up and running. Cloudflare is a very effective DDoS protection service, and it publishes more detailed information on DDoS attacks than any other company. That resource compares a DDoS attack to a traffic jam: a jam can slow your car down, but it doesn't stop it completely. So what you do is use your "back door" entrance, which leads to an unoccupied stretch of sidewalk where your customers can't be blocked out by other customers or by the elements. That back entrance gives you a chance to start slowly, build a following, learn what your customers want and need, and then, when you are ready, make the transition to the main street entrance and go full steam ahead.
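The first thing a store can do on its own side against traffic floods is per-client rate limiting, which the following added example demonstrates (written for this page; it is not code from the original article or from Cloudflare). It is a token-bucket limiter run over a constructed traffic sample: one address firing fifty requests in the same second and one shopper making a request a second. The bucket size and rate, the `simulate` helper and the TEST-NET addresses are all assumptions for the illustration. A limiter like this protects your application from abusive clients, but a volumetric attack that saturates your bandwidth has to be absorbed upstream by a service such as the one the paragraph mentions.

```python
import time

class TokenBucketLimiter:
    """Per-client token bucket: each client may burst up to `burst` requests,
    then is allowed `rate_per_sec` new requests per second on average."""

    def __init__(self, rate_per_sec, burst):
        self.rate = rate_per_sec
        self.burst = burst
        self._buckets = {}  # client id -> (tokens remaining, last refill time)

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        tokens, last = self._buckets.get(client, (self.burst, now))
        # Refill proportionally to elapsed time, never above the burst ceiling.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self._buckets[client] = (tokens - 1, now)
            return True
        self._buckets[client] = (tokens, now)
        return False

def simulate(limiter, requests):
    # requests: iterable of (timestamp, client_ip), each client's entries in time order.
    # Returns {client_ip: (allowed, rejected)} so the limiter's effect can be inspected.
    stats = {}
    for ts, client in requests:
        allowed, rejected = stats.get(client, (0, 0))
        if limiter.allow(client, now=ts):
            allowed += 1
        else:
            rejected += 1
        stats[client] = (allowed, rejected)
    return stats

# Constructed traffic sample using documentation (TEST-NET) addresses: a flood of
# 50 requests from one address in the same second, and a normal shopper making
# one request per second for five seconds.
FLOOD_IP = "203.0.113.5"
SHOPPER_IP = "198.51.100.7"
SAMPLE_TRAFFIC = [(0.0, FLOOD_IP)] * 50 + [(float(t), SHOPPER_IP) for t in range(5)]

def run_sample():
    # 2 requests/second sustained, bursts of up to 10 (assumed policy).
    return simulate(TokenBucketLimiter(rate_per_sec=2, burst=10), SAMPLE_TRAFFIC)
```

With the assumed policy the flood source gets 10 requests through and 40 rejected, while the shopper is never blocked. In production the bucket state lives in a shared store (Redis is the usual choice) so that every web node enforces the same budget, and rejected requests are answered with HTTP 429 rather than silently dropped.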
Phishing is a type of social engineering, and it refers to methods used by attackers to trick victims (typically via email, text, or phone) into giving out their private information. Often, this information is something the attacker can use to take over the victim's account, steal money, or cause other types of fraud.
When you set up your BigCommerce store, you provided a username and password. Those details are kept safe, and you won't receive emails from BigCommerce containing links to your account that "need to be updated." If you receive an email, phone call or text from "BigCommerce" that involves personal information, do not reply or engage with the sender; contact customer support directly to validate it.
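The two tell-tale signs in the message above (a sender that is not really the vendor, and a link whose visible text does not match where it goes) can be checked mechanically. The following added example does that over a constructed phishing email and a constructed legitimate one; it is written for this page and is not code from the original article or from BigCommerce. The `TRUSTED_DOMAINS` set, the `.example` sender used as the lookalike, and the crude last-two-labels `registrable()` heuristic (a real implementation would consult the Public Suffix List) are assumptions for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains your real vendors actually mail from.
TRUSTED_DOMAINS = {"bigcommerce.com"}

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    # Crude: keep the last two labels ("login.shop.com" -> "shop.com").
    # Good enough here; real code should use the Public Suffix List.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def is_trusted(host):
    return registrable(host) in TRUSTED_DOMAINS

DOMAIN_IN_TEXT = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")

def phishing_indicators(sender, html_body):
    """Return a list of human-readable findings; empty means nothing suspicious."""
    findings = []
    sender_host = sender.rsplit("@", 1)[-1].strip(">").strip()
    if not is_trusted(sender_host):
        findings.append(f"sender domain {sender_host} is not a trusted vendor domain")
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if not is_trusted(host):
            findings.append(f"link points to untrusted host {host or '<none>'}")
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and registrable(shown.group(0)) != registrable(host):
            findings.append(f"link text shows {shown.group(0)} but goes to {host}")
    return findings

# Constructed samples (not real messages): a lookalike sender with a mismatched
# link, and a genuine-looking notice from the trusted domain.
SAMPLE_SENDER = "BigCommerce Support <support@bigcommerce-support.example>"
SAMPLE_BODY = (
    "<p>Hey Paul, did you know your product listing for widget X is out of date? "
    '<a href="http://login.bigcommerce-support.example/update">'
    "https://login.bigcommerce.com/</a></p>"
)
LEGIT_SENDER = "support@bigcommerce.com"
LEGIT_BODY = '<p>Sign in at <a href="https://login.bigcommerce.com/">login.bigcommerce.com</a></p>'
```

`phishing_indicators(SAMPLE_SENDER, SAMPLE_BODY)` returns three findings (untrusted sender, untrusted link host, and text/href mismatch), while the legitimate message returns none. The same check is cheap to run in a mail filter or to teach staff as a manual habit: hover over the link and compare what is shown with where it goes.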
5. Malware and ransomware.
Malware or ransomware infects your device or network when you visit a website that hosts malicious software or install unknown or suspicious software. If this happens, you may be locked out of all your important data and systems. Backing up your website data regularly is much cheaper than restoring it after a disaster, and doing so keeps your website healthy and prevents many problems from arising in the first place. Staying away from unknown or suspicious sites also makes you safer from an attack.
6. Cross-site scripting (XSS).
Security is one of the biggest concerns for anyone who runs an online business; without it, you won't have a chance at succeeding. That's why you need to understand exactly what "e-skimming" is and, more importantly, how to prevent it from happening to you or your website. An attacker gets access to your site by performing a successful phishing attack, using brute-force tactics, exploiting an XSS (cross-site scripting) vulnerability or, if they are very sophisticated, by compromising a third-party site on which you have an account. Once they have access, they watch your customers as they complete their orders and capture their credit card details in real time.
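Two controls address the paragraph above directly: escaping untrusted text so it cannot become script on your pages (the XSS entry point), and pinning the third-party scripts your checkout loads with Subresource Integrity so a modified copy is refused by the browser (the compromised-third-party entry point). The added example below shows both; it is written for this page and is not code from the original article. The review-rendering functions, the sample script bytes and the CDN URL are constructed for the illustration; the SRI format itself (`sha384-` plus a base64 digest) is the standard one.

```python
import base64
import hashlib
import hmac
import html

def render_review(customer_name, review_text):
    # Every untrusted value is escaped at the point it is written into HTML,
    # so a review containing <script> is displayed as text instead of being run.
    return f"<p><b>{html.escape(customer_name)}</b>: {html.escape(review_text)}</p>"

def render_review_unsafe(customer_name, review_text):
    # The XSS-prone pattern: untrusted text pasted straight into the page.
    return f"<p><b>{customer_name}</b>: {review_text}</p>"

def sri_hash(script_bytes):
    # Subresource Integrity value for a script: "sha384-" + base64(SHA-384 digest).
    return "sha384-" + base64.b64encode(hashlib.sha384(script_bytes).digest()).decode()

def script_tag(src, script_bytes):
    # Tag to embed in the checkout page; the browser refuses to execute the file
    # if what it downloads no longer matches the integrity value.
    return (
        f'<script src="{html.escape(src, quote=True)}" '
        f'integrity="{sri_hash(script_bytes)}" crossorigin="anonymous"></script>'
    )

def integrity_matches(expected_sri, fetched_bytes):
    # The same comparison the browser makes; useful in a deploy-time check that
    # re-downloads the CDN copy and confirms it still matches the pinned value.
    return hmac.compare_digest(expected_sri, sri_hash(fetched_bytes))

# Constructed sample: a third-party checkout helper as originally deployed, and a
# copy with an extra line appended (which is all a tampered file needs to be).
ORIGINAL_SCRIPT = b"window.checkoutHelper = function () { /* validate form */ };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"// constructed extra line\n"
PINNED_SRI = sri_hash(ORIGINAL_SCRIPT)
CHECKOUT_TAG = script_tag("https://cdn.example/checkout.js", ORIGINAL_SCRIPT)
```

`render_review("Mallory", "<script>alert(1)</script>")` produces `&lt;script&gt;...` rather than a live tag, and `integrity_matches(PINNED_SRI, TAMPERED_SCRIPT)` is false, which is exactly what the browser would conclude before refusing to run the modified file. SRI only helps for scripts whose content you control or pin at a fixed version; a vendor script that changes on every release needs the hash regenerated as part of your deployment.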
The Key Takeaways
Bare basics – reducing the impact
- Stay away from cybersecurity solutions that offer a one-size-fits-all approach. Whenever, wherever, whoever talks about providing 100% security to your business, tell yourself it is best to avoid the argument and move on to the next task on your schedule. Such offers are not just too good to be true; they also mark you out as a soft target and an easy sell. Sorry, that's the truth! We have multiple stories of CTOs and CIOs who were sold on IT managed services providers (MSPs) taking care of cybersecurity in their organisation, only to find out post-compromise that this was never agreed on paper and never delivered in substance.
- Sign up for security alerts from your vendors; they are the most authentic source for the latest changes, alerts and software updates.
- Use separate credentials from regular staff logins for privileged tasks.
- Ensure secure backups are routinely carried out. Randomly audit and test backup restores to make sure they work when you need them.
- Do not spend on high-fee consultancies where basic hardening can be done without large investments of time and money. This includes using security plugins from trusted parties offered in the WordPress and other CMS plugin stores, changing the default administrator username to something difficult to guess, and using strong, randomly generated, non-dictionary passwords.
- Enforce the use of SSL/TLS encryption. It is easy to install and configure: in WooCommerce, for example, go to WooCommerce – Settings and enable 'Force Secure Checkout'. In Magento Commerce Cloud you may need to wait a few hours, depending on the hosting provider's support ticket system and processes.
- Undertake regular in-depth security assessments, such as our eCommerce penetration testing, to identify vulnerabilities affecting web applications, APIs and mobile applications. Web, mobile and API security threats are some of the most dangerous risks to your business.
- Keep multiple backups at secure sites.
- Utilise Distributed Denial of Service (DDoS) protection services, which help against attacks and improve website performance.
- If short on security resources, arrange continuous security scanning through managed security services that give you regular updates on whether your attack surface is shrinking or expanding over time, so that any new threats are dealt with promptly and attackers are not left large exposure windows.
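The backup items in the list above (routine backups, random restore tests, copies at several sites) share one practical requirement: knowing that a backup copy is still intact before you depend on it. The added example below, written for this page and not code from the original article, builds a SHA-256 manifest of a backup directory and later re-verifies the directory against it, reporting files that went missing, changed or appeared. The constructed sample backup (a SQL dump and a config file in a temporary directory) and the file names are assumptions for the illustration.

```python
import hashlib
import json
import pathlib
import tempfile

def build_manifest(backup_dir):
    # SHA-256 of every file in the backup, keyed by its POSIX-style relative path.
    root = pathlib.Path(backup_dir)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def verify_backup(backup_dir, manifest):
    # Compare the backup as it is now against the manifest taken when it was made.
    current = build_manifest(backup_dir)
    problems = []
    for name, digest in manifest.items():
        if name not in current:
            problems.append(f"missing: {name}")
        elif current[name] != digest:
            problems.append(f"corrupted: {name}")
    for name in current:
        if name not in manifest:
            problems.append(f"unexpected: {name}")
    return problems

def demo():
    # Constructed sample backup in a temporary directory. The manifest is written
    # as JSON *outside* the backup tree so it can be kept with the other copies.
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp) / "backup"
        (root / "db").mkdir(parents=True)
        (root / "db" / "store.sql").write_text("CREATE TABLE orders (id INTEGER);\n")
        (root / "wp-config.php").write_text("<?php // constructed sample config\n")
        manifest_file = pathlib.Path(tmp) / "manifest.json"
        manifest_file.write_text(json.dumps(build_manifest(root), indent=2))
        manifest = json.loads(manifest_file.read_text())
        before = verify_backup(root, manifest)
        # Simulate silent corruption of one file and loss of another, then re-check.
        (root / "db" / "store.sql").write_text("CREATE TABLE orders (id INTEGER)\n")
        (root / "wp-config.php").unlink()
        after = verify_backup(root, manifest)
        return before, after
```

`demo()` returns an empty problem list for the fresh backup and, after the simulated damage, `["corrupted: db/store.sql", "missing: wp-config.php"]`. Running `verify_backup` on a schedule against each stored copy turns the "randomly audit and test" advice into a routine check, and keeping the manifest on a separate system means a tampered backup cannot quietly rewrite its own hashes.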
Never relax until you have some bare-minimum security protocols and protections in place. I hear that this is more for big stores, but I tell you, even smaller stores MUST be prepared for the worst; it takes just one unauthorised entry to compromise your entire business. That's food for thought.
Pay a little now for peace of mind from here on out. That's my advice to you, and I hope you never have to go through a security data breach.
Topic Resources To Continue Learning