Running an online shop is not a simple job: you have to be your own marketer, webmaster, account manager and sales agent. And there is one more thing which you should be, but that many small business owners forget about: your own IT security manager.
eCommerce security is a very serious issue nowadays. You only need to think a little while back to remember the Apple Cloud leak, the Sony PlayStation user data theft, the Yahoo Mail security breach and, most recently, the Cloudflare breach. All these are prominent cases of cyber crime, but there are tens of thousands of others which go unreported. Most of the victims of such attacks are small eCommerce business owners like you.
Sadly, many of these attacks and the losses that follow them could have been prevented by implementing adequate security measures. And, once your online store has suffered such an attack, you will find it very hard to get back in business: your customers will lose confidence in sharing their credit card data with your website.
Today we will discuss the top security mistakes which are most frequently seen among small- and medium-sized online stores. They can be fixed easily and, while not guaranteeing 100% security, they certainly make it much harder for hackers and fraudsters to ruin your business.
- Using Your Personal Equipment for Managing the Website
There are so many reasons for keeping business and personal computers and mobile phones separate, such as tax deduction and protecting your personal assets from business liability. Here is another one: while your entire family may have access to your personal devices and unwittingly install a virus or malware on them, no one but you has access to the equipment you use for running your business.
This is one of the most common mistakes many small business owners make and it leaves them vulnerable to cyber attacks. Many viruses are silent – you do not notice any aberrant behaviour when working on your computer – but they quietly steal your login data, usernames, passwords and customer databases, and send them to the hacker to exploit.
- Mistaking Compliance for Security
We have already discussed the Payment Card Industry compliance guidelines in a previous article. Here is the keyword you should pay attention to: guidelines. This set of rules represents a minimum best practice which all eCommerce operators must use. But they certainly do not cover all the key security issues which online stores currently face.
Thus, by having a PCI-compliant website and shopping cart, what you really have is a business which operates according to a set of minimum rules provided by the law. They guarantee that your customers are dealing with a legitimate business, but they do not give your customers the full assurance that your website is secure unless you install security services.
- Failure to Get Protection from Attacks
There are two types of malicious attacks against websites which you should be protected against by investing in security software.
The distributed denial of service (DDoS) attack is when your website is flooded with traffic from various sources, taking up all its bandwidth and making it inaccessible for legitimate visitors. Such attacks are most frequently conducted by malicious competitors who want to put you out of the game.
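One building block of the "protection from attacks" the article tells you to invest in is request rate limiting. The example below is added here for illustration and is not code from the article or from any security product it alludes to: a sliding-window limiter that tracks how many requests each client address has made in the last N seconds and refuses the surplus. The sample traffic (one legitimate shopper and one address hammering the checkout page) and the addresses in it are constructed. The caveat a practitioner would add: this blunts application-level floods coming from a handful of sources, but a true volumetric DDoS fills your bandwidth before any of your own code runs, so it has to be absorbed upstream by your hosting provider or CDN.

```python
"""Sliding-window per-client rate limiting (added illustration, not the article's code)."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `max_requests` per client within any `window_seconds` span."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        # client id (e.g. source address) -> timestamps of its recent requests
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, client: str, now: float) -> bool:
        """Return True if this request may be served, False if it should be refused."""
        q = self._hits[client]
        cutoff = now - self.window
        # Drop timestamps that have slid out of the window.
        while q and q[0] <= cutoff:
            q.popleft()
        if len(q) >= self.max_requests:
            return False          # over budget: refuse without recording the hit
        q.append(now)
        return True


def replay(limiter: SlidingWindowLimiter, events: list[tuple[float, str]]) -> dict[str, int]:
    """Feed (timestamp, client) pairs through the limiter; return blocked-request counts per client."""
    blocked: dict[str, int] = defaultdict(int)
    for ts, client in events:
        if not limiter.allow(client, ts):
            blocked[client] += 1
    return dict(blocked)


# Constructed traffic: 203.0.113.7 fires 50 requests in 5 seconds (one every 100 ms),
# 198.51.100.4 is an ordinary shopper making two requests. Both addresses are
# documentation ranges, not real hosts.
SAMPLE_EVENTS = [(0.1 * i, "203.0.113.7") for i in range(50)] + [
    (1.0, "198.51.100.4"),
    (5.0, "198.51.100.4"),
]

if __name__ == "__main__":
    limiter = SlidingWindowLimiter(max_requests=20, window_seconds=10.0)
    print(replay(limiter, SAMPLE_EVENTS))   # the flooding address has 30 requests refused
```

In a real deployment the limiter state would live in a shared store such as Redis rather than in process memory, and the client key would be the source address seen by your reverse proxy, not a header the client controls.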
The phishing attack is when you receive an email coming from an apparently legitimate source asking you for login data. If you respond to the email, the sender will gain access to your website backend and database, and may set up a similar-looking website (a phishing website) redirecting all your customers and stealing their credit card data.
- Not Implementing Credit Card Holder Verification at Checkout
Here is a truth you may not be aware of: there are many fraudsters using stolen credit cards to purchase goods. The problem is, banks quickly find out about this, block the transaction and issue a chargeback – meaning that you have to repay the money you received for your products and shipping PLUS a fee. This means that you gave away your products for free and you also paid a penalty.
The simplest way to fix this is to require the cardholder to type in the CVV code (the three-digit number printed on the back of the card). Most fraudsters do not have the physical stolen card, just the data, and the CVV is never stored in online databases.
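What "requiring the CVV at checkout" looks like in code, as an added example that is not part of the article and not any particular shopping cart's implementation: the checkout step refuses an order unless a well-formed card verification code is supplied, hands it to the payment gateway, and then persists an order record that contains only a gateway token and the last four digits, so the CVV and the full card number never reach your database. The gateway call `charge_via_gateway` is a hypothetical stand-in for whatever processor you use, and the card numbers in the test are the publicly known Visa and American Express test numbers, not real cards.

```python
"""Checkout-side card verification handling (added illustration, not the article's code)."""
import re
from dataclasses import dataclass

_CVV_RE = re.compile(r"^\d{3,4}$")    # 3 digits for most brands, 4 for American Express
_PAN_RE = re.compile(r"^\d{13,19}$")  # primary account number length range


class CheckoutError(ValueError):
    pass


@dataclass
class CardInput:
    pan: str      # card number as typed by the customer (spaces allowed)
    expiry: str   # "MM/YY"
    cvv: str      # card verification value: used for the charge, never stored
    holder: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: catches typos before a gateway call is spent."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_card(card: CardInput) -> str:
    """Return the normalised card number, or raise if number or CVV is unacceptable."""
    digits = card.pan.replace(" ", "")
    if not _PAN_RE.match(digits) or not luhn_ok(digits):
        raise CheckoutError("card number is malformed")
    expected_len = 4 if digits.startswith(("34", "37")) else 3   # Amex prefixes
    if not _CVV_RE.match(card.cvv) or len(card.cvv) != expected_len:
        raise CheckoutError("card verification code missing or malformed")
    return digits


def charge_via_gateway(digits: str, cvv: str, expiry: str, amount_cents: int) -> dict:
    """Hypothetical stand-in for the payment processor's charge API.

    A real gateway forwards the CVV to the issuer, reports whether it matched,
    and returns a token you can store instead of the card number."""
    return {"status": "approved", "cvv_match": "Y", "token": "tok_" + digits[-4:]}


def place_order(card: CardInput, amount_cents: int) -> dict:
    """Validate, charge, and build the order record that will be persisted."""
    digits = validate_card(card)
    result = charge_via_gateway(digits, card.cvv, card.expiry, amount_cents)
    if result["status"] != "approved" or result.get("cvv_match") != "Y":
        raise CheckoutError("payment declined")
    # Only the gateway token and the last four digits go into the order store.
    return {
        "amount_cents": amount_cents,
        "payment_token": result["token"],
        "card_last4": digits[-4:],
        "holder": card.holder,
    }


def record_is_clean(record: dict) -> bool:
    """Check that a record about to be persisted carries no CVV and no full card number."""
    flat = " ".join(str(v) for v in record.values())
    return "cvv" not in record and re.search(r"\d{13,19}", flat) is None
```

The `record_is_clean` check is the kind of assertion worth running in your test suite against every object that reaches the database: the CVV must stay in memory for the single gateway call and nowhere else.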
- Keeping Login Data in a Text Document
This is something which you should not do, even for your personal email accounts. A text document can be easily stolen by a data-harvesting virus, and you could accidentally make it available to a third party. If you must keep your login data written down to remember it, use a paper notebook or a sticky note on a board in your home office – just not on the same computer or smartphone you use for managing your website.