You can think of online security for a retail website in a similar way as conventional security in a physical shop. The aim is the same – keeping products, people and data safe – a company just has to employ different methods to achieve the same result when talking about an online shop. The security of personal data is arguably the most important aspect of any online business, none more so than an e-commerce business, with any breach causing both financial and reputational damage. Trust plays a large part for the consumer when deciding where to spend money online, so any sort of data breach can have a hugely detrimental effect on future customer numbers and therefore profits.
E-commerce is one of the fastest growing retail areas. With more and more people using the internet to make purchases and an increasing amount of money being transferred through online payments, there has never been as much interest in online retail as there is now. This interest is not limited to consumers and retailers; it also draws the attention of opportunists and others with illegitimate intentions. As the use and value of e-commerce has risen, so has the number of attacks against these websites; indeed it is safe to assume that the vast majority of ‘big-name’ online retailers are being targeted every day.
With the prevalence of hacking, and the fact that it is becoming both more advanced and more accessible all the time, it is vital that the security in use stays up to date and wards off these attempted breaches. The world of cyber security is ever evolving and constantly adopting new methods to protect IT systems and websites from malicious behaviour, although responsibility for the data ultimately rests with each individual business. So what steps can businesses take to give themselves a head start on protecting their data, and what other services are available to online retailers to keep their security processes up to date?
The Payment Card Industry Data Security Standard, or PCI-DSS, is the agreed security standard for all companies and organisations that handle credit or debit card transactions from the major card brands (Visa, Mastercard and American Express in the UK). Compliance with PCI-DSS is seen as a compulsory measure, even though there is no legal obligation to work to it. This is mainly because Visa and Mastercard require validation and fine companies that suffer breaches due to non-compliance.
PCI-DSS is broken down into six groups, or ‘control objectives’, with twelve high-level requirements overall that have not changed since its inception in 2004. The current objectives and requirements are as follows:
| Control objectives | PCI DSS requirements |
| --- | --- |
| Build and maintain a secure network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect cardholder data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a vulnerability management program | 5. Protect all systems against malware and regularly update anti-virus software or programs |
| | 6. Develop and maintain secure systems and applications |
| Implement strong access control measures | 7. Restrict access to cardholder data by business need to know |
| | 8. Identify and authenticate access to system components |
| | 9. Restrict physical access to cardholder data |
| Regularly monitor and test networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an information security policy | 12. Maintain a policy that addresses information security |
These twelve requirements lay the foundations for a high-quality security procedure and, if followed, provide a safety blanket in terms of avoiding fines for security breaches. It is important to note, though, that PCI-DSS compliance is not the only piece of the puzzle that is e-commerce cyber security. Compliance is the first step in building trust with consumers and building barriers against any potential attack, but it is not something that will keep you completely safe – for that you must employ other measures.
Testing and Improvements
Requirement 11 of the PCI-DSS is to regularly test security systems and processes. This requirement can be extended and used to ensure that all your security processes and procedures are up to date and strong enough to counter an attack. Employing the services of a penetration tester, sometimes known as an ethical hacker, is one of the more popular methods of checking security systems. These services are known as ethical hacking because they carry out an attack on your computer systems and IT infrastructure in a manner that emulates a real attack, the difference being that their actions have been authorised and there are legal agreements in place regarding the safety of the data.
By carrying out a penetration test, a company is able to check that its security is strong enough to withstand an attack and obtain clear information on what needs improving or changing. A number of cyber security companies provide these services along with other preventative security measures that go above and beyond the PCI-DSS requirements. It is always advisable to keep up to date with the new methods being used and to seek advice from specialists, as they know the methods being used by hackers and how to protect against them.
With the recent growth of e-commerce, the threat levels against these companies have also increased. Following the industry guidelines should be seen as the bare minimum in any company's cyber security processes, while actively engaging in other security measures that go above and beyond the guidelines. The loss of data is a major issue facing online retailers, and a major breach could have devastating consequences both financially and in terms of reputation. It is therefore important to stay one step ahead of the hackers and avoid becoming the next news story.
About the Author
Mike James is an independent content writer working in the technology industry – working together this time with Redscan cyberthreat prevention specialists – who were consulted over the information contained in this piece.