10 Tips for Safer eCommerce

December 12, 2010


Do you have an online store? If you have one, or are thinking about creating one, follow these tips to ensure you and your customers stay safe.

1. Use a Dedicated Server

Most shared hosting environments are just fine for a personal blog or brochure website, but if you’re doing eCommerce, get a dedicated server. The difference is, with a shared environment, there are probably hundreds of websites on the same physical machine as yours. In a fully dedicated environment, it’s all yours. Many providers will use a term like “dedicated virtual”. This means that you’re still sharing the machine with others. You want a “fully dedicated” server. Virtualization (the ability to run many virtual machines on one physical machine) is very popular today, and is much safer than shared hosting was a few years ago. However, be safe. Spend the extra money to provide an additional layer of security.

What to look for

Here are some important things you’ll want to be sure your dedicated server has:

  • Firewall: Talk through this with your developers and hosting consultant to see what’s the best fit.
  • Backup System: Find out how, where and when your stuff is being backed up, and how you can restore it.
  • Fail Over: What happens when your hard drive, power supply, etc. on your server fail? How quickly will your store be back up and online after a failure? Who’s responsible for acting when this happens?
  • Support: Who can you call if your site is down? Who is in charge of ensuring the website runs optimally?

Recommendations

Rackspace
Expensive, but rock solid solutions, incredible support

Soft Layer (previously The Planet)
Great value, great support for the money

2. Use a Trusted eCommerce Solution

There are tons of open source eCommerce solutions out there that cost little to nothing. But remember that you pretty much get what you pay for.

What to look for

Last year, I spent a chunk of hours going through open source (PHP) shopping carts. The license fees ranged from zero to thousands of dollars. Many had the same features, but the ones that had a relatively higher license cost had distinguishing characteristics. Among them were:

  • A dedicated team of developers
  • Steady releases of new versions, features, updates, and patches
  • An active community (that is listened to!)
  • A robust support system / knowledge base
  • User guides / tutorials

When shopping for a solution, ask yourself questions like:

  • Does this solution offer the payment options I need?
  • Can I fulfill my products using the providers I need to use?
  • Does this support my quantity and type of products?
  • Is the order life cycle (from purchase to fulfillment) what I need?
  • How much can the workflow be customized?
  • How much can the aesthetics be customized?
  • Does this solution follow applicable regulations?
  • What are others saying about this solution?
  • Are others like me using this solution successfully?
  • Can I readily find developers to work with this solution?
  • Is this solution going to be around in a year, two years, five years?

Recommendations

Interspire Shopping Cart
Great feature set, moderately priced, customizable

Magento
Great feature set, moderately priced, customizable

Big Cartel
Great for smaller stores, quick setup, customizable

Sometimes (but not typically) a custom-built solution is what you need. Talk through this option with a team of developers you can trust and who understand your objectives.

Don’t pinch pennies here either, and don’t make an impetuous decision. Spend the money if the solution gives you what you’re looking for. It’ll save you all that money and more down the road.

3. Use SSL

This is a no-brainer, but it should be on any list regarding security and cannot be overstated. In short, SSL (“Secure Sockets Layer”) enables encryption of information that is transmitted between the server and your computer. This means that when you submit a payment page that contains your credit card information, it isn’t sent over the web where it can be read by others. Take for example the person sitting at the coffee shop ordering a book online. If the information they send is not encrypted, that data is going through the coffee shop’s network, through multiple hubs and hops until it reaches the store’s server. At any point along the way there will be varying levels of vulnerability where this information could be captured. However, if the information is properly encrypted, the data captured is practically useless to anyone who gets their hands on it.

4. Control Access to Information

Think about and plan for all the types of users that will be accessing your customer’s information. A customer service role may need access to credit card information (say, to do a refund), but a shipping role would not. Be sure that the software solution you choose offers multiple user roles, and that you can constrain certain roles to certain areas of the store’s back-end.

There are additional considerations on this point as you evaluate your level of PCI Compliance (see item #5). For example, if certain types of personal information are being accessed, you must have individual user accounts for those who access the information, logging of their actions, password protection, etc. Be sure your solution can accommodate this if applicable.

5. Know and Follow Compliancy Regulations

At the end of the day, it is your responsibility to know that your website is following proper regulations - not your developers’. If there is a security breach and your customers’ information is compromised, it isn’t the developer who gets the lawsuit, it is the website owner. Know and ensure that your website complies, where necessary, with:

PCI
Relates to the use and storage of credit card information

Section 508
Relates to the accessibility of a website

COPPA
Relates to interaction on your website with minors

6. Pass the Buck

Compliance regulations like PCI vary depending on the amount of information you’re storing. To reduce the risk of data being compromised, don’t retain information that you don’t need or are not properly set up to handle. For example, don’t store credit card information if you don’t have to. And don’t think that by not storing it you’re somehow offering a bad service to your customers. Once you process the credit card, discard the information. You could still retain the last four digits for reference, but you no longer have a need for the full number. In this scenario, be sure the payment merchant you’re using offers a virtual terminal, and that you can issue voids and refunds through this tool.

In scenarios like this, let trusted payment merchants like PayPal store the credit card information. There are plenty of ways to offer a great experience while retaining little of a customer’s sensitive information, by giving your solution some forethought and putting the right pieces in place.
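A small illustration of the “discard it once processed” approach from items 6 above, added here as an example and not code from the original post: the full card number is checked, handed to the payment merchant, and then dropped; only the last four digits and the merchant’s transaction reference are kept, and a later refund is issued against that reference. The `gateway_charge` and `gateway_refund` functions are hypothetical stand-ins for whatever API your merchant provides.

```python
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Checksum sanity check on a card number before it is sent to the gateway."""
    digits = [int(d) for d in pan if d.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def gateway_charge(pan: str, expiry: str, amount_cents: int) -> str:
    """Hypothetical stand-in for the merchant's charge call; returns a transaction reference."""
    return "txn_" + secrets.token_hex(8)


def gateway_refund(txn_ref: str, amount_cents: int) -> bool:
    """Hypothetical stand-in for a refund issued through the merchant's virtual terminal/API."""
    return True


def process_order(order_id: str, pan: str, expiry: str, amount_cents: int) -> dict:
    """Charge the card and return the only record the store keeps about the payment."""
    pan = re.sub(r"\D", "", pan)
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    txn_ref = gateway_charge(pan, expiry, amount_cents)
    # Retained fields only: the full PAN, expiry and CVV are never written anywhere.
    return {
        "order_id": order_id,
        "card_last4": pan[-4:],
        "txn_ref": txn_ref,
        "amount_cents": amount_cents,
    }


def refund_order(record: dict, amount_cents: int) -> bool:
    """A refund needs the merchant's reference, not the card number."""
    return gateway_refund(record["txn_ref"], amount_cents)
```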

7. Let Your Customers Pass the Buck

Just like you want to pass the buck when it comes to handling and storing certain sensitive information, allow your users to do the same. PayPal and Google Checkout are both well respected and established payment solutions. With solutions like PayPal Web Payments Pro, you can integrate PayPal as a gateway and do the credit card transaction right there on your site, while also giving the user the option to be routed to PayPal to log in and pay with their PayPal account. This option will let customers sidestep providing their credit card information to yet another website.

This does raise a question regarding perception. Sometimes it just looks plain cheap if you’re routed to PayPal to pay for your order, then sent back to the site. Sometimes this process fits and is perfectly acceptable. Sometimes the best solution would be to offer both an “embedded” credit card processing option as well as the option where the user is linked out to PayPal to pay, then routed back to the site. The right solution should be discussed with developers and folks that understand usability.

8. Trust Your Developers

Unless you have developers you can trust, don't start an eCommerce project. They will have access to your customers' personal information, so you want team members, not just coders. For goodness sake, don't outsource this to the lowest bidder overseas. The code that operates your online store is the most important and sensitive part of the whole project. Don't let just anybody build it for you.

And notice this point is plural. It's always a good idea for there to be multiple developers on a project. Just moving from one to two brings a ton of accountability and reduces project fatigue.

9. Challenge Your Developers

One way you know you have a good team of developers is if they can be challenged without becoming defensive. This creates a sense of accountability between the technical and non-technical team members. If your developer can explain, in layman's terms, all the reasons your customers' information is safe within the application they built, then you've got a good developer (assuming they gave you good answers!).

Oh, one more important thing for this one. Don't be a jerk or act like you even know what you're talking about. Most technical folks are more than happy to explain technical concepts all the way down to the difference between a bit and a byte, if you approach the conversation properly. If you come across as arrogant or condescending, your developers will likely retreat into the world of technicalia and you'll be looking for a translator.

10. Use Proper Coding Procedures

There could be a hundred more points to this list that would all fall under proper coding procedures. Here’s an umbrella point that could make all the difference in the world in the overall security of your online store. For example, if you make the decision to go ahead and store credit card information, you could potentially never have a breach issue if your code is air tight when it comes to security. (That’s not a recommendation to risk it!) This is another area where having a trusted team of developers is a necessity. Some major items that should be a consideration in any web application are:

  • Don’t trust user input
  • Are queries being properly handled / escaped?
  • Are file permissions set properly?
  • Are any installation files still present?
  • Are sensitive files / folders being crawled by search engines?
  • Are login credentials strong?
  • Do database users have appropriate permissions?
  • Are your developers acting paranoid?

A full list of proper coding practices is much, much longer than this. These are types of questions that you should ask yourself and your developers.
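The first two questions in the list above (“Don’t trust user input” and “Are queries being properly handled / escaped?”) are the ones a developer should be able to demonstrate rather than just answer. The following is an added example, not code from the original post: a constructed in-memory orders table, an order lookup that builds its SQL by string concatenation, and the same lookup using a parameterized query. The sample rows and the email addresses are made up.

```python
import sqlite3


def make_store_db() -> sqlite3.Connection:
    """Constructed sample data: two customers, three orders."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, email TEXT, total REAL, card_last4 TEXT)"
    )
    db.executemany(
        "INSERT INTO orders (email, total, card_last4) VALUES (?, ?, ?)",
        [
            ("alice@example.com", 49.99, "1111"),
            ("alice@example.com", 12.50, "1111"),
            ("bob@example.com", 199.00, "4242"),
        ],
    )
    return db


def orders_for_email_unsafe(db: sqlite3.Connection, email: str) -> list:
    """Vulnerable: the value is pasted into the SQL text, so it can change the query itself."""
    sql = "SELECT id, email, total FROM orders WHERE email = '" + email + "'"
    return db.execute(sql).fetchall()


def orders_for_email_safe(db: sqlite3.Connection, email: str) -> list:
    """Parameterized: the driver binds the value; it is data, never part of the statement."""
    return db.execute(
        "SELECT id, email, total FROM orders WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    db = make_store_db()
    # A value that is not an email address at all but contains SQL syntax.
    odd_input = "x' OR '1'='1"
    print("unsafe rows:", len(orders_for_email_unsafe(db, odd_input)))  # every customer's orders
    print("safe rows:  ", len(orders_for_email_safe(db, odd_input)))    # none
```

Run it and compare the two counts: the concatenated query hands back every customer's orders for an input that matches no account, while the parameterized one returns nothing.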

In Conclusion

Remember that no checklist or guideline set is a replacement for an experienced team of developers. However, the more knowledge that you have going into an eCommerce project, the more you will be able to properly ensure that both you and your customers stay safe. If you have any questions about eCommerce, please comment below or get in touch with us. We’ve done this a bazillion times.