eCommerce Security Checklist

So far, 2015 has been a busy year from an eCommerce security standpoint.  At our shop, our eCommerce solutions are primarily built on the Magento platform, with a few smaller shops electing to use WordPress with an eCommerce plugin.  All the same – we have had to install many upgrades and patches over the last few months.  Given all the activity as of late – I thought I would throw together a quick eCommerce Security Checklist.  This article is for developers that might not be familiar with best practices for eCommerce security, or even online shop keepers that are wondering if they are doing everything they can to keep their store, and their customers’ data, safe!  We hope you find this useful and if you feel we have missed anything, please feel free to add it to the comments!

1.  Secure your eCommerce Software

[Chart: eCommerce usage data, compiled by AheadWorks, a premium supplier of Magento extensions (AheadWorks.com).]

There are so many eCommerce platforms out there.  As I mentioned, most of our projects fall under Magento or WooCommerce – heavy on the Magento side.  As you can see in the chart on the right, Magento and WooCommerce make up close to half of all eCommerce platforms out there!  This means they are well respected and popular, but it also means they have a big target on their backs.  Take every precaution to make sure your eCommerce software is updated and secure!  Below are some steps to help you do just that.

2. SSL Security

If you use an eCommerce tool such as MagentoGo, Volusion or another hosted solution – you won’t have to worry too much about this.  If your site is self-hosted, either on your own server or on a server your web developer set up, then you NEED to take these steps!

Note:  This section only applies if your site has an SSL certificate.  If you access your shop like this: https://www.myshop.com then you are using an SSL certificate.  If your site is processing transactions and taking credit card information under a regular http://www.myshop.com address, you are not using SSL.  If that is the case, you NEED to be using SSL.  Talk to your developer immediately and get this taken care of.  If your site only takes payments through third-party services such as PayPal, and all transactions happen OFF of your site, then you have nothing to worry about and you can skip this SSL Security section altogether.

If you sell things online, AND you take credit card information ON your website, please make sure you have a proper SSL certificate installed.  Get with your developer or host and find out what to do.  You can even give us a shout and we would be glad to tell you what you need to do – or do it for you if you need us to.  As I said before – if your sales all happen somewhere else, such as PayPal, 2CheckOut, or a similar service, then you don’t have anything to worry about.

3. Secure your Admin Panel

[Image: Admin Panel Security Steps – Keep this guy out of your site’s admin panel!]

Some hacks happen through known vulnerabilities, where hackers can exploit something as simple as an image directory that still has write access and upload their own files to gain access to your site.  Many times, however, hackers use known admin panel logins to simply log into your site’s admin panel and then do whatever they want!  Don’t make it so easy on them!  Below are some steps you need to consider to secure your admin access.
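As an added example (not part of the original article), the following Python script audits a web root for the two weaknesses just described: directories that anyone on the server can write to, and server-side scripts that have been dropped into an image or upload folder.  The upload directory names and the sample tree it builds are assumptions for illustration; adjust them for your own platform.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed names of image/upload directories (Magento's media/ and
# WordPress's wp-content/uploads/ are typical); adjust for your platform.
UPLOAD_DIR_NAMES = {"media", "uploads", "images", "img"}
# Extensions the web server would execute if an attacker planted one here.
SCRIPT_SUFFIXES = {".php", ".phtml", ".php5", ".phar", ".cgi", ".pl"}


def audit_webroot(root):
    """Walk the tree under root and return sorted (kind, relative_path) findings."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        rel = d.relative_to(root)
        # A directory writable by everyone is an upload path waiting to be abused.
        if d.stat().st_mode & stat.S_IWOTH:
            findings.append(("world-writable-dir", str(rel)))
        # Executable scripts never belong inside an image/upload directory.
        if any(part in UPLOAD_DIR_NAMES for part in rel.parts):
            for name in filenames:
                if Path(name).suffix.lower() in SCRIPT_SUFFIXES:
                    findings.append(("script-in-upload-dir", str(rel / name)))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample web root reproducing both problems (test data only)."""
    base = Path(base)
    (base / "media" / "catalog").mkdir(parents=True)
    (base / "app" / "etc").mkdir(parents=True)
    (base / "media" / "catalog" / "product.jpg").write_bytes(b"\xff\xd8\xff")
    (base / "media" / "catalog" / "shell.php").write_text("<?php // planted file\n")
    (base / "app" / "etc" / "config.xml").write_text("<config/>\n")
    os.chmod(base / "media" / "catalog", 0o777)  # the forgotten write bit
    os.chmod(base / "app" / "etc", 0o755)
    return base


def audit_sample_tree():
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_webroot(build_sample_tree(tmp))


if __name__ == "__main__":
    for kind, path in audit_sample_tree():
        print(f"{kind}: {path}")
```

Run it against your real document root (`audit_webroot("/var/www/html")`, for instance) and treat every finding as something to fix before a patch cycle, not after.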

4. Secure Transactions

In your store’s eCommerce settings – you have a lot of control over the types of transactions you allow, and how those transactions are processed.  Below are some things to consider when taking people’s money online:

5. PCI-DSS Auditing / Compliance

There are countless smaller shops out there that never give PCI-DSS compliance a second thought.  Unfortunately, even if you sell 1 item a year, if your site is hacked and that breach results in credit card numbers or other personal information being released into the wild, the Payment Card Institute can, and will, come down on you.  If your site is established and is a regular part of your revenue stream, then you really have little excuse to ignore PCI-DSS compliance.  We don’t have time to go into everything that is involved in PCI-DSS compliance in this article, but you can find out more here:  Why Comply with PCI Security Standards?

Final Thoughts

The biggest rule of thumb in dealing with your site’s security is to be PROactive and not reactive.  Spending half an hour installing that patch is much better than losing days trying to rebuild a site that has been hacked, defaced and trashed.  As bad as that is, it can always be worse.  If you operate a store and your customers’ data is stolen and used fraudulently – you could be looking at significant liability if they are able to trace the breach back to your site.  When you are dealing with eCommerce, security is simply too critical an issue to take lightly.  We hope this has been helpful and again – if you have anything to add or share, please leave a comment!  That only makes the article more useful for others.
