E-Commerce Security Strategies | Plante Moran
Navigate Up
Sign In

Brace Your Online Business; E-Commerce Security Strategies Under the Microscope

By Christian Perry for PC Today

The Internet stands tall as the ultimate shopping source in terms of selection, convenience, and around-the-clock service. Unfortunately, it also serves as a prime breeding ground for thieves who seek to exploit security flaws in e-commerce sites and pilfer money and information from customers. Although experts widely agree that online shopping is generally safe from a security standpoint, a simple perusal through current news headlines inevitably points to the latest online scam or intrusion that left consumer data and money at risk.

People who purchase goods and services on Web sites and other online entities must trust that the online business has performed due diligence with its security. For e-commerce companies, this means that their online storefront not only must provide ample security to protect transactions from beginning to end; it also must deliver the perception to customers that their transactions are indeed secure. After all, the increasingly bright spotlight on online theft and fraud will send customers scrambling to a competitor if they sense even a hint of insecurity.

Danger Ahead

Due to the potential for massive financial gains, attacks against e-commerce sites easily rank among the most sophisticated IT-related threats today. Spanning the range from malware code injection to keyloggers to cross-site-scripting, these attacks are relentless in their quest to steal information yet stealthy enough to evade detection by consumers and businesses alike. Of course, tried-and-true phishing also remains a constant presence in the online sphere and can impact e-commerce sites on a major scale.

“Consider the recent Epsilon breach, where millions of customer email addresses for several prominent companies were obtained by hackers,” says Joe Oleksak, manager and head of Chicago’s security assurance and consulting practice for Plante & Moran. “While this may not sound like a problem, several hacking techniques, [including] spear-phishing and social engineering, require this type of information to be more effective. I anticipate a rise in attacks on customers where these hackers pretend to be the company and send very convincing emails to each customer, asking them to provide sensitive information.”

Most e-commerce sites leave security details to their hosting company or IT staff and assume that party is effectively handling requirements around consumer privacy, integrity, authentication, and authorization, adds Rob Marano, chief executive officer of InDorse Technologies. But while there are plenty of security technologies and strategies that can help protect e-commerce applications, it still takes only one lapse to cause massive losses to a business in terms of expenses, lost revenue, and reputation, he says.

Know The Details

To a customer, the security controls behind an online transaction are relatively transparent. But these controls shouldn’t be transparent to businesses that put them in place, Oleksak explains. For the business, securing e-commerce should extend far beyond the well-known concepts of secure Web connections and SSL (Secure Sockets Layer) certificates.

“The responsibility for data security becomes the onus of the business at the point of data entry,” Oleksak says. “Data entry begins with the valid username and password and continues with the gathering of transactional data including order information, credit card data, Social Security number, etc. Data entry occurs on the Web-facing server, which utilizes HTTPS (including a valid SSL certificate) to secure this initial transaction phase.”

Once the consumer enters data on the Webfacing server, it typically travels to backend applications and database servers, where the data is processed or stored. According to Oleksak, it’s at this phase where many businesses discontinue the use of SSL because of its negative impact on system performance (due to encryption and decryption of transactions) and the associated costs. Unfortunately, hackers count on SSL’s absence here, so Oleksak recommends that businesses either support end-to-end encryption over a secure channel (such as HTTPS and SSL), or—at a minimum— ensure that all sensitive data is transmitted end to end in a fashion that keeps the data’s confidentiality and integrity (for example, through the use of HTTPS and tokenization).

“For any online business that takes personal details or credit card information over the Internet, it is vital to have SSL certificates in place on their Web sites, as this will create a secure shopping environment for the consumer,” says Ryan White, product marketing, SSL for Symantec. “Sometimes it may not be apparent to the end user that the Web site is secure, so additional cues such as well-recognized trust marks and the green address bar provided by Extended Validation SSL are great outward-facing indicators that let consumers know that the Web site they are on is safe to transact with.”

Security Surety

Along with the core security pieces of HTTPS, SSL, and tokens, there are other methods that can boost e-commerce security. Oleksak notes there are several ways in which browsers can be fooled into accepting unexpected data, but client-side filters can help to ensure that only authorized data makes it through to the browser. These filters, which are controls built into customers’ browsers, can be used in conjunction with server-side controls to handle business logic validation, he says, and doing so enhances the processing speed of Web applications without sacrificing system security.

Other must-have controls, Oleksak says, include a firewall, Web application firewall, intrusion detection and prevention systems (that is, IDS and IPS), and effective monitoring procedures for firewall and system event logs. He also recommends avoiding the use of cookies or storing sensitive information in them, as well as using address verification and other security validation procedures offered by credit card processors. Of course, it’s also vital to secure the customer
data that’s captured.

“The critical entity behind any e-commerce application is the data that is captured about the customer and/or transactions, which [is] stored as files in the application. To guarantee that transaction records and a customer’s information are fully protected, IT security strategy must incorporate file protection that includes specific security policies and restrictions to prevent unauthorized access [including viewing, editing, and sharing] of those files,” Marano says.

Through the use of file protection solutions, businesses can obtain file usage statistics on where a file is used, when it is opened, and possibly even by whom, which all can assure the recipient is correct and expose unauthorized access, Marano says. He illustrates the example of a New York-based customer who receives a receipt electronically, but the online merchant is notified it was also opened in China. With file protection technology, a merchant can track and determine where receipts are being read and “kill” them remotely, if necessary, to thwart the theft of sensitive customer data.

Oleksak says there are also several cosmeticrelated steps businesses can take to enhance the online buying experience of customers and business partners. The most important step is using a professionally designed Web site that helps to add credibility to the company’s presence, he says, but it’s also crucial to add verbiage such as “Sign in using our secure server,” rather than simply “Sign in.” He also recommends displaying a secure seal near the application’s sign-in function and highlighting compliance with PCI (Payment Card Industry) standards (for example, “We are PCI compliant.”).

Finally, keep in mind that today’s e-commerce ecosystem is far different from that of years past. Whereas businesses once built their e-commerce security strategies around a business URL, the typical online presence (for both business and customers) now includes a host of social destinations, such as Twitter, Facebook, LinkedIn, YouTube, and others, Oleksak says. Along with the increasingly mobile habits of customers, these changes should prompt businesses to consider all the possible commerce angles when developing their security strategy.

Boost Your E-Commerce Security

If you fear your e-commerce presence isn’t quite as secure as it should be, rest assured there are several methods for quickly boosting your security. Symantec’s Ryan White provides the following tips to put your security in high(er) gear.

  • Use EV (Extended Validation) SSL. This is the latest advancement in SSL technology and provides enhanced visual cues, such as the green address bar and information about the business entity that owns and operates the Web site.
  • Use trust marks. A highly recognized trust mark on the Web is the VeriSign seal, available at no charge to any VeriSign SSL customer. The VeriSign seal is a trust mark that provides a great outward expression to the consumer that the Web site is authentic and that your Web site should be viewed as trusted.
  • Stay up-to-date. Always apply the latest security patches and updates for your operating system and server software.
  • Inform. Compile a comprehensive security and privacy page to help communicate what you do to protect users’ information. This should make them feel more secure about transacting with the Web site.
  • Educate. Teach your Web site visitors how to stay safe online and explain what you do to protect them. Hopefully, the end users remember this and thank you down the road with increased wallet share.
  • Contain. Limit administrative rights to the servers to trusted personnel.
  • Lock it down. Always use strong passwords (complex numbers and symbols) and change them regularly. And whenever available, look into strong authentication options (also known as strong or twofactor authentication).

Copyright 2011 Sandhills Publishing Company

Contact Us

Joseph Oleksak