The Heartbleed bug has a lot of e-commerce providers worried about security – with good reason. (If you’re not up to speed on the details of Heartbleed, check out our article here.) If you’re not protecting yourself and your store, you should be. So here are our top tips for keeping hackers and cyber-criminals out of your online store (and away from your passwords, credit card information and other sensitive data).
#1: Make sure your ecommerce platform is secure. Use a reputable open source platform like Magento, Zencart or OSCommerce.
#2: Stay PCI compliant, and use secure online checkout connections. Web-based attacks are on the rise, so it’s vital that you maintain a valid SSL certificate. For an extra layer of security, install the Extended Variation Secure Sockets Layer (EV SSL), SSL security seal and URL green bar to give your customers extra peace of mind.
#3: Don’t store customers’ sensitive data. It might seem convenient to store credit card information, but the risks outweigh the benefits. Keep just enough data on file for refunds and charge-backs, and don’t store credit card numbers, expiration dates or verification codes. Your customers will thank you in the long run.
#4: Verify addresses and cards. A card verification value (CVV) system and address verification system (AVS) will help reduce fraudulent charges.
#5: Require that customers create strong passwords. Don’t let your customers get away with creating weak, easily-guessed passwords – set up a system that helps them develop complex logins. Require a certain number of characters and a certain amount of symbols and figures, and stick to your guns.
#6: Set up suspicious activity alerts. Multiple suspicious transactions coming from the same IP address, orders placed by the same person but different credit card numbers, orders with inconsistent names, different area codes on the phone number and the billing address – these are a few red flags that should alert your system to suspicious activity.
#7: Install different layers of security. Start with a good set of firewalls – then move on to login boxes, contact forms and search queries. The more security layers you have, the less likely you are to sustain attacks via SQL injection and cross-site scripting.
#8: Educate your employees. Security training is your friend. Make sure your staff knows not to email, text or instant message sensitive customer data, and keep them up-to-date on your latest security policies and practices.
#9: Always use tracking numbers. You’ll cut down on chargeback fraud and make sure each shipment is properly documented.
#10: Monitor, monitor, monitor. Ideally, you’ll be working with a hosting provider that offers comprehensive security management and monitoring, including analytics. If you’re handling this end of things yourself, download tools like Clicky and Woopra, which allow you to track suspicious or fraudulent behavior on your site. Also, make sure you’re regularly sweeping your site and server for viruses and malware. If you and/or your hosting provider aren’t performing daily scans, you’re laying yourself open to attack.
#11: Get regular PCI scans. It’s like your annual doctor’s checkup – except once every quarter. Use a service like Trustwave to scan your site and lessen your risk of hacking attepts – and if you’re using a third-party platform like Magento, make sure you regularly download the latest versions and security patches.
#12: Speaking of patches...patch everything. As soon as a new patch comes out for one of your systems, install it. Your server, Web apps, e-commerce platform...patch it all. (Again, if you have a good hosting provider, they should be able to take care of this for you.)
#13: Back it up.
#14: Back it up.
#15: Back everything up. Get the picture?
For more tips on online security and security for Magento, read our posts here.