September 11, 2024

Essential Tips for Magento Security

NEKLO Team

Ecommerce


Small business owners fondly believe that their revenues and customer base are not enough to attract intruders, but statistics on cyber attacks say otherwise. The year 2017 already marked a 164% increase in stolen, lost, or compromised records compared to the previous year, and most of those breaches were internet security breaches. Roughly 43% of cyber attacks target small businesses.

What happens if you neglect precautions and leave your store unprotected? All scenarios are equally unpleasant: you can either lose money directly or expose your customers and lose them as a result. Small or big, an online business requires people to trust it with their personal information. Customers carelessly accept the risks of paying online and give stores and merchants their card numbers and PayPal account details. There are two parties involved in the deal, but the merchant is the one that is expected to take security measures.

In the following article, we will talk about effective ways to protect your online store.

Worst cases of security breaches

The cases are numerous but we will focus on the ones that concern ecommerce giants.

  • Yahoo — 3 billion user accounts affected in 2013-2014. The data breach compromised names, email addresses, dates of birth and telephone numbers. The damage cost reached $350 million. It all happened because of the bcrypt algorithm that went unnoticed.
  • eBay — 145 million user accounts exposed in 2014. Leaked employee login credentials gave hackers access to the customer database for half a year. The result was exposed customer data, including email addresses, passwords, and real names, and a decline in user activity. The causes of the incident were a poor mechanism for password security and renewal, and a lack of customer notification.
  • Target Stores — 110 million accounts involved. The breach wasn’t discovered right away, and intruders had a few weeks to gain access to credit card and contact information. The intrusion cost the company $162 million and happened right before Black Friday weekend.
  • Sony PlayStation Network — 77 million accounts compromised. This fraud, with losses of $171 million and the site being down for a few weeks, is recognized as the worst ever in the gaming community. The leaked data contained 10 million unencrypted credit card numbers and full customer information, including purchase history and login credentials. The fraud only became clear after the hackers started using the stolen credit card details.

Key practices for customer data security

Every security breach can be prevented, but not every one can be fixed afterwards. Correctly implemented security software combined with an understanding of your business’s soft spots is the recipe for reliable protection. Here are the components:

Update ecommerce software and install security patches

Before taking any extra security steps, make sure you run the latest version of your CMS platform and install every security patch as soon as it is released. Don’t put off updates for later: applying them on time closes the common security issues of the CMS you use.

Secure payments and monitor them

Make sure you accept payments through verified systems that have secure transaction channels and require additional authorization. Any seller of any size must be PCI compliant to accept electronic payments, and if you work with a big payment provider, they can handle it for you. PCI DSS stands for “Payment Card Industry Data Security Standard” and indicates that the service provider meets the official requirements of PCI compliance. Setting limits for payments and monitoring transaction size and frequency can also serve you well. You are the expert in your business and know your customers’ behavior, so you can set the total value you accept from one account in one day and a limit on the number of purchases in a period of time. Anything outside those limits will stand out as suspicious.
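One way to turn the per-account limits described above into a check that flags unusual activity, as an added example in Python (not code from the article, from NEKLO, or from Magento). The sample orders and the limit values are constructed for illustration; a real store would read orders from its own database and pick limits from its own knowledge of normal customer behavior.

```python
"""Per-account payment limits and order-velocity check over constructed sample orders."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample orders: (account, amount in USD, ISO timestamp). Not real store data.
SAMPLE_ORDERS = [
    ("alice@example.com", 120.00, "2024-09-11T09:05:00"),
    ("alice@example.com", 80.00,  "2024-09-11T09:20:00"),
    ("bob@example.com",   950.00, "2024-09-11T10:00:00"),
    ("bob@example.com",   600.00, "2024-09-11T11:30:00"),  # pushes bob over the daily total
    ("carol@example.com", 15.00,  "2024-09-11T12:00:00"),
    ("carol@example.com", 15.00,  "2024-09-11T12:02:00"),
    ("carol@example.com", 15.00,  "2024-09-11T12:04:00"),
    ("carol@example.com", 15.00,  "2024-09-11T12:06:00"),  # 4th order inside a 10-minute window
    ("dave@example.com",  200.00, "2024-09-12T08:00:00"),
]

# Assumed limits chosen for this illustration; the merchant sets the real values.
DAILY_TOTAL_LIMIT = 1000.00      # max value accepted from one account per calendar day
MAX_ORDERS_PER_WINDOW = 3        # max orders from one account inside the sliding window
WINDOW = timedelta(minutes=10)


def flag_suspicious(orders, daily_limit=DAILY_TOTAL_LIMIT,
                    max_per_window=MAX_ORDERS_PER_WINDOW, window=WINDOW):
    """Return (account, reason) alerts for orders that break either limit.

    Orders are processed in time order, so each alert names the order that crossed the line.
    """
    parsed = sorted(
        ((acct, amt, datetime.fromisoformat(ts)) for acct, amt, ts in orders),
        key=lambda o: o[2],
    )
    daily_totals = defaultdict(float)   # (account, date) -> running total for that day
    recent = defaultdict(list)          # account -> timestamps still inside the window
    alerts = []
    for acct, amt, ts in parsed:
        day_key = (acct, ts.date())
        daily_totals[day_key] += amt
        if daily_totals[day_key] > daily_limit:
            alerts.append((acct, f"daily total {daily_totals[day_key]:.2f} exceeds "
                                 f"{daily_limit:.2f} on {ts.date()}"))
        # Drop timestamps that fell out of the sliding window, then count this order.
        recent[acct] = [t for t in recent[acct] if ts - t < window] + [ts]
        if len(recent[acct]) > max_per_window:
            alerts.append((acct, f"{len(recent[acct])} orders within {window} "
                                 f"ending {ts.isoformat()}"))
    return alerts


if __name__ == "__main__":
    for account, reason in flag_suspicious(SAMPLE_ORDERS):
        print(f"ALERT {account}: {reason}")
```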

Add two-factor authentication

This is one of the most secure ways for both you and your customers to preserve personal information. With 2FA, the system requires additional pieces of personal information besides login and password before giving the user access. It can be an SMS code, an answer to a secret question, or any other information a user can provide immediately. It creates significant protection against unauthorized access to user accounts.

Demand stronger passwords

Password habits are often exploited by intruders. It takes only one weak password to gain admin authority and access to the customer base, data, and revenue. A strong password consists of more than 6 characters and uses digits as well as upper- and lower-case letters. Require that all your customers and employees have complex passwords.

Control access to sensitive data

Online or not, security still depends on human factors in many cases. Pay special attention to what kind of access your employees have to customer information and make sure they know the rules for using it. Educate them on how to detect malware, data theft, and suspicious user activity. Deactivate the accounts of employees who no longer work for you to prevent information from leaking outside the company.

Don’t store data you don’t need

Don’t collect more information about your customers than you will use. And when you do require lots of fields to be filled in, make sure you don’t store every single piece of sensitive information forever. It is better to entrust the handling, storing, and processing of credit card details to PCI-compliant service providers. Keeping this data saves a few seconds of a customer’s time at checkout, but that is never worth the risk. The more information you store, the more you have to offer to intruders who break in. If you keep your customers’ payment details, your database is a sweet spot that will encourage consistent attacks. Are you sure you can handle it on your own?

Educate your customers

Your customers come to you to give you money and get a product in return, and they expect this process to be organized properly. Give clear instructions about why you require this or that data from your customers. When asking for sensitive information, make sure customers are aware that you will not store or share it, and that all transactions using that information will be encrypted.

Notify your customers when their data is in danger

If a security breach happens, notifying customers should be one of the first steps in recovering from it. Notify your customers in whatever way suits your platform: via email, push notifications, or SMS. The earlier people know how they can be affected, the faster they can take steps to protect themselves. If you have instructions for your customers on what to do in a fraud situation, provide them.

What can we learn from the mistakes of others?

Some business owners only take serious precautions after the worst has already happened. Customer security is a less obvious but important part of the customer experience, and spending your time and resources to improve the security of your store will pay off. For a Magento store, a convenient way to cover the security needs of an online store as a whole is the Security Suite Extension. It handles fraud, malware, and suspicious activity and combines features that upgrade password policy and admin supervision. Remember that the measures you take should not only protect what is yours but also make your store a better place to shop.