High Score Labs News   •   April 2, 2019

E-commerce is a fast-growing business segment. According to Statista, the annual growth of e-commerce retail sales is estimated at an average 20%. Since every customer must share personal data like their credit card information, bank accounts, and personal identifying information, the issue of payment security becomes critical. Generally speaking, all issues can be divided into two groups: managing personal identifiable information (PII) and technical issues.

Personal Identifiable Information (PII)

Fraud is one of the most common issues that ecommerce systems face today, meaning that the hacker has access to your credit card or other personal information. The hacker can then use your payment information to make purchases or they are able to sell it to other parties that will use the information maliciously. Phishing is another example of a type of fraud. Once the hacker has your PII, they can either use it or sell to a third party that will then send malicious emails attempting to cause you to, for example, provide your login information or your credit card information.

Technical issues

Every site can be the target of DDoS attack (Distributed Denial of Service) which means that they generate so many requests (simulating users) that the servers will not be able to handle the requests and often shut down. This is of course an issue as it effects legitimate users that wish to make purchases. Another technical threat can be software/applications. Malicious software may give access to customers’ private data. Poorly written software can also be easily exploitable and is all too common, given the rush to get new features added to an existing system and thinking about security only minimally.

How to prevent e-commerce issues?

There are several ways to minimize the risk in e-commerce.

A team that manages an ecommerce system can do a lot of things to save customers private data. Use of SSL certificates is not only considered basic 101, but this is because it provides a secure connection and prevents ‘man in the middle’ attacks/snooping. Google has been trying to encourage the internet to use SSL, especially when lack of SSL can adversely affect SEO rankings. Additionally, using a secure PCI compliant hosting provider that has a strict policy in processing and confirmation of payments will help drastically.

When allowing users to set up and maintain their own account on your system, setting a requirement of a complicated password that is not registered in a rainbow table (list of encrypted passwords and their unencrypted text) and is not simple, i.e., birth day, phone number, last name, etc, will help secure the system better. Also consider using 2 factor authentication, which will push a code to an app or as a text message, requiring that the user enter in their username, password and the text code before they can log in.

When the payment is made, requiring an address and then using the payment system to verify it, will help block any suspicious transactions or possibly stolen credit card numbers. Using a software and APIs from trusted suppliers, is of course another great way to minimize the risk of losing private data.