15 ways to protect your business's e-commerce site from hacking and fraud
Use tracking numbers for all orders
“To combat chargeback fraud, have tracking numbers for every order you send out,” advises Jon West, CEO, AddShoppers, a social commerce platform for retailers. “This is especially important for retailers who drop ship.”
Monitor your site regularly—and make sure whoever is hosting it is, too
“Always have a real-time analytics tool,” says Punit Shah, director of Marketing at online jeweler My Trio Rings. “It’s the real-world equivalent of installing security cameras in your shop. Tools like Woopra or Clicky allow you to observe how visitors are navigating and interacting with your website in real time, allowing you to detect fraudulent or suspicious behavior,” he says.
“With tools like these we even receive alerts on our phones when there is suspicious activity, allowing us to act quickly and prevent suspicious behavior from causing harm,” says Shah.
Also, make sure whoever is hosting your e-commerce site “regularly monitors their servers for malware, viruses, and other harmful software,” says Ian Rogers, SEO and Web developer, Mvestor Media, an SEO and website design company. “Ask your current or potential Web host if they have a plan that includes at least daily scanning, detection and removal of malware and viruses on the website.”
Perform regular PCI scans
“Perform regular quarterly PCI scans through services like Trustwave to lessen the risk that your e-commerce platform is vulnerable to hacking attempts,” advises West.
“If you’re using third-party downloaded software like Magento or PrestaShop, stay on top of new versions with security enhancements,” he says. “A few hours of development time today can potentially save your entire business in the future.”
Patch your systems
“Patch everything immediately—literally the day they release a new version,” says Kyle Adams, chief software architect for Junos WebApp Secure at Juniper Networks. “That includes the Web server itself, as well as other third-party code like Java, Python, Perl, WordPress and Joomla, which are favorite targets for attackers.”
“Breached sites are constantly found running a three-year-old version of PHP or ColdFusion from 2007,” says Pogue. So it’s critical you install patches on all software: “Your Web apps, Xcart, OSCommerce, ZenCart and any of the others all need to be patched regularly.”
“With DDoS [Distributed Denial of Service] attacks increasing in frequency, sophistication and range of targets, e-commerce sites should turn to cloud-based DDoS protection and managed DNS services to provide transactional capacity to handle proactive mitigation and eliminate the need for significant investments in equipment, infrastructure and expertise,” says Sean Leach, vice president of Technology, Verisign.
“The cloud approach will help [e-commerce businesses] trim operational costs while hardening their defenses to thwart even the largest and most complex attacks,” he argues. “In addition, a managed, cloud-based DNS hosting service can help deliver 100 percent DNS resolution, improving the availability of Internet-based systems that support online transactions and communications.”
Consider a fraud-management service
“Fraud does happen. And for merchants, the best resolution is to make sure you are not holding the bag when it does,” says Bob Egner, vice president of Product Management at EPiServer, a .NET content management and e-commerce product company.
“Most credit card companies offer fraud management and chargeback management services. This is a practical approach to take because most security experts know there is no such thing as 100 percent safe.”
Make sure you or whoever is hosting your site backs it up—and has a disaster recovery plan
“Results from a recent study by Carbonite revealed businesses have big gaps in their data backup plans—putting them at risk for losing valuable information in the instance of power outage, hard drive failure or even a virus,” says David Friend, CEO of Carbonite.
So to make sure your site is properly protected, back it up regularly—or make sure your hosting service is doing so.