You are responsible for those who buy from you: 8 tips for store security
Small business owners fondly believe that their revenues and customer base are not enough to attract intruders, but statistics on cyber attacks say otherwise. 2017 already marked a 164% increase in stolen, lost or compromised records compared to the previous year. Most of these were internet security breaches. Roughly 43% of cyber attacks target small businesses.
What happens if you neglect precautions and leave your store unprotected? All scenarios are equally unpleasant: you either lose money directly, or you expose your customers and lose them as a result.
Small or big, an online business requires people to trust it with their personal information. Customers carelessly accept the risks of paying online and give stores and merchants their card numbers and PayPal account details. There are two parties involved in the deal, but the merchant is the one expected to take security measures. In this article, we will talk about effective ways to protect your online store.
Worst cases of security breaches
The cases are numerous but we will focus on the ones that concern ecommerce giants.
- Yahoo — 3 billion user accounts affected in 2013-2014. The breach compromised names, email addresses, dates of birth and telephone numbers. The damage cost reached $350 million. It all happened because of the bcrypt algorithm that went unnoticed.
- eBay — 145 million user accounts exposed in 2014. Leaked employee login credentials gave hackers access to the customer database for half a year. The result was exposed customer data, including email addresses, passwords and real names, and a decline in user activity. The causes were a poor password security and renewal mechanism and a lack of customer notification.
- Target Stores — 110 million accounts involved. The breach wasn’t discovered right away, and intruders had a few weeks to gain access to credit card and contact information. The intrusion cost the company $162 million and happened right before Black Friday weekend.
- Sony PlayStation Network — 77 million accounts compromised. This fraud, with losses of $171 million and the site being down for a few weeks, is recognised as the worst ever in the gaming community. The leaked data contained 10 million unencrypted credit card numbers and full customer information, including purchase history and login credentials. The hackers started to use the stolen credit card details, and only then did the fraud become clear.
Key practices for customer data security
Every security breach can be prevented, but not every one can be fixed. Correctly implemented security software, combined with an understanding of your business’s soft spots, is the recipe for reliable protection. Here are the components:
Update ecommerce software and install security patches
Before taking any extra security steps, make sure you have the latest version of your CMS platform and install every security patch as soon as it is released. Don’t put the updates off for later: they close the common security issues of the CMS you use in time.
Secure payments and monitor them
Make sure you accept payments through verified systems that have secure transaction channels and require additional authorisation. A seller of any size must be PCI compliant to accept electronic payments; if you work with a big payment provider, they can handle it for you. PCI DSS stands for “Payment Card Industry Data Security Standard” and indicates that a service provider meets the official requirements of PCI compliance. Setting limits on payments and monitoring transaction sizes and frequency can also serve you well. You are the expert in your business and know your customers’ behaviour: you can set the total value you accept from one account in one day and a limit on the number of purchases in a period of time. That way you will notice when something is suspicious.
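The per-account limits described above, as an added Python example (not code from the article or any payment provider): a daily spend cap and an hourly order-count cap checked against a constructed set of sample orders. The limit values, account ids and timestamps are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical limits for a small store (constructed values, not from the article).
MAX_DAILY_TOTAL = 500.00      # total value accepted from one account per day
MAX_ORDERS_PER_HOUR = 3       # purchases accepted from one account per hour


class VelocityMonitor:
    """Tracks per-account spend and order frequency and flags orders that exceed the limits."""

    def __init__(self, daily_total=MAX_DAILY_TOTAL, orders_per_hour=MAX_ORDERS_PER_HOUR):
        self.daily_total = daily_total
        self.orders_per_hour = orders_per_hour
        self.history = defaultdict(deque)   # account -> deque of (timestamp, amount)

    def _prune(self, account, now):
        # Drop accepted orders older than 24 hours; the one-hour window is derived from the rest.
        queue = self.history[account]
        while queue and now - queue[0][0] > timedelta(hours=24):
            queue.popleft()

    def check(self, account, amount, now):
        """Return (accepted, reason). Accepted orders are recorded; rejected ones are not."""
        self._prune(account, now)
        queue = self.history[account]
        spent_today = sum(amt for _, amt in queue)
        in_last_hour = sum(1 for ts, _ in queue if now - ts <= timedelta(hours=1))
        if spent_today + amount > self.daily_total:
            return False, f"daily total {spent_today + amount:.2f} exceeds {self.daily_total:.2f}"
        if in_last_hour + 1 > self.orders_per_hour:
            return False, f"{in_last_hour + 1} orders in one hour exceeds {self.orders_per_hour}"
        queue.append((now, amount))
        return True, "ok"


# Constructed sample orders: one account placing many orders in quick succession.
SAMPLE_ORDERS = [
    ("cust-1001", 120.00, datetime(2018, 3, 1, 10, 0)),
    ("cust-1001", 90.00, datetime(2018, 3, 1, 10, 5)),
    ("cust-1001", 80.00, datetime(2018, 3, 1, 10, 20)),
    ("cust-1001", 50.00, datetime(2018, 3, 1, 10, 30)),    # fourth order within one hour
    ("cust-1001", 300.00, datetime(2018, 3, 1, 12, 0)),    # would push the daily total past 500
    ("cust-2002", 300.00, datetime(2018, 3, 1, 12, 0)),    # a different account, accepted
]


def review_orders(orders=SAMPLE_ORDERS):
    """Run the sample orders through one monitor; returns (account, accepted, reason) per order."""
    monitor = VelocityMonitor()
    return [(acct, *monitor.check(acct, amt, ts)) for acct, amt, ts in orders]
```

A rejected order should go to manual review rather than a silent refusal, since the limits encode your own knowledge of normal customer behaviour and a legitimate bulk buyer will occasionally trip them.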
Add two-factor authentication
This is one of the most secure ways for both you and your customers to preserve personal information. With 2FA, the system requires an additional piece of personal information besides the login and password before it gives the user access. It can be an SMS code, an answer to a secret question or any other information a user can provide immediately. This creates significant protection against unauthorised access to user accounts.
Demand stronger passwords
Password habits are often exploited by intruders. It takes only one weak password to gain admin authority and access to the customer base, data and revenue. A strong password consists of more than 6 characters and uses digits and letters in both upper and lower case. Require that all your customers and employees have complex passwords.
Control access to sensitive data
Online or not, security still depends on the human factor in many cases. Pay special attention to what kind of access your employees have to customer information and make sure they know the rules for using it. Educate them on how to detect malware, data theft and suspicious user activity. Deactivate the accounts of employees who no longer work for you to prevent information leaking outside the company.
Don’t store data you don’t need
Don’t collect more information about your customers than you will use. And when you do require many fields to be filled in, make sure you don’t store every piece of sensitive information forever. It is better to entrust handling, storing and processing of credit card details to PCI compliant service providers. Keeping this data saves a few seconds of the customer’s time at checkout, but that is never worth the risk. The more information you store, the more you have to offer to intruders who may break in. If you keep your customers’ payment details, your database is a sweet spot and will encourage persistent attacks. Are you sure you can handle that on your own?
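What "not storing it" looks like in code, as an added Python example (not from the article or any provider's SDK): the checkout form's card number is validated, exchanged with the PCI compliant provider for a token, and only the token plus display data is written; an audit helper detects records that still hold a full card number. The schema, the token value and the test card number are constructed.

```python
import re

# Fields a store may keep after checkout for display and refunds; the full card number
# and CVV are deliberately not among them. (Constructed schema, not from the article.)
STORABLE_FIELDS = {"provider_token", "brand", "last4", "expiry"}


def luhn_ok(pan: str) -> bool:
    """Luhn checksum over a digit string; catches typos before anything reaches the provider."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def minimise_card_record(checkout_form: dict, provider_token: str) -> dict:
    """Build the only record that is written to the store's database.

    The PAN and CVV from the checkout form are validated, handed to the PCI compliant
    provider (which returns provider_token), and dropped here rather than stored."""
    pan = re.sub(r"\D", "", checkout_form["pan"])
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("card number failed basic validation")
    record = {
        "provider_token": provider_token,
        "brand": checkout_form.get("brand", "unknown"),
        "last4": pan[-4:],
        "expiry": checkout_form["expiry"],
    }
    assert set(record) <= STORABLE_FIELDS       # guard against someone adding a PAN field later
    return record


def contains_pan(record: dict) -> bool:
    """Audit helper: flag a stored record that still holds something shaped like a full card number."""
    for value in record.values():
        digits = re.sub(r"\D", "", str(value))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


# Constructed checkout submission using a well-known test card number, not a real card.
SAMPLE_CHECKOUT = {"pan": "4242 4242 4242 4242", "cvv": "123", "expiry": "12/25", "brand": "visa"}
```

Running contains_pan over existing tables is a cheap way to find card numbers that earlier code or a CSV import left behind.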
Educate your customers
Your customers come to you to give you money and get a product in return, and they expect this process to be organised properly. Make sure you give clear instructions about why you require this or that piece of data from your customers. When asking for sensitive information, make sure customers are aware that you will not store or share it, and that all transactions using that information will be encrypted.
Notify your customers when their data is in danger
If a security breach happens, notifying customers should be one of the first steps in recovering from it. Notify your customers in whatever way suits your platform: via email, push notifications or SMS. The earlier people know how they can be affected, the faster they can take steps to protect themselves. If you have fraud situation instructions for your customers, provide them.
What can we learn from the mistakes of others?
Some business owners only take serious precautions after the worst has already happened. Customer security is a less obvious but important part of the customer experience, and the time and resources you spend on improving the security of your store will pay off. For a Magento store, a convenient way to cover the security needs of an online store as a whole is the Security Suite Extension. It handles fraud, malware and suspicious activity, and combines features that upgrade the password policy and admin supervision. Remember that the measures you take should not only protect what is yours, but also make your store a better place to shop.