If you run an e-Commerce site you are in the crosshairs of hackers. Why? Because you are the goose with the golden eggs they covet most: you handle customer credit card and personal information that they want to steal and exploit.
They usually get it by intercepting the traffic between your customer's browser and your web site, or by breaking into your network to infect your web pages with malware. In some cases they break into the database itself to take customer data directly.
You can be held liable for what happens to your customers' data, but the damage to your reputation with your customers can be worse than the direct financial loss. Infected pages not only harm the customer but also take longer to load. According to the Aberdeen Group, 57% of users abandon a site if a page takes more than 3 seconds to load, and 8 out of 10 will not return to an e-Commerce site after a bad experience.
You need to place a high priority on securing the site and protecting your customers if you want to protect your business. Here are 6 essential steps that are too often neglected.
- Use Extended Validation SSL: Consumers are increasingly looking for assurance that a merchant is trustworthy, and an EV certificate sends exactly that message. Every site that exchanges financial or personal information needs the Secure Sockets Layer (SSL, implemented today as TLS), enabled by a certificate issued to your site. The certificate lets the browser authenticate your server and establish an encrypted connection between your visitors and your site. Not all certificates provide the same level of assurance to your customers, however. At one end of the scale are Domain Validated (DV) certificates, which verify only that you control the domain name for which you requested the certificate. The highest level of assurance comes from Extended Validation (EV) certificates, for which the certificate authority verifies that you are a real, legally registered and operating organization before issuing. EV certificates cost more, as you would expect, but they are well worth it: consumers are increasingly aware of the risks of online transactions, and EV tells the customer exactly who they are dealing with.
- Use PCI and vulnerability scanning services: You need to proactively identify and address security issues before they damage your business. Many site operators assume that SSL is all they need to secure a web site. SSL provides a critical layer of protection by securing the communication between your server and the visitor's browser. It does not, however, prevent a breach of your network or the infection of your web pages with malware and malicious scripts. Unfortunately, for performance reasons web hosts do not scan the content they serve for malware the way you scan workstations and network servers; doing so would disrupt access to your site. It is up to you to detect a compromise of your site. PCI and vulnerability scanning services scan your web site on a regular basis to identify issues that would make you non-compliant with the Payment Card Industry Data Security Standard (PCI DSS) and other issues that threaten your customers. The two are often bundled together but have different objectives. PCI scanning, such as Comodo's HackerGuardian, is designed to make it easy for you to meet the quarterly external vulnerability scans that PCI DSS requires from an Approved Scanning Vendor (ASV). Failure to comply can result in large fines and even suspension of your ability to accept credit cards. Vulnerability scanning, such as that provided by Comodo's Web Inspector, identifies issues such as infected web pages that would download malware to your customers. Web Inspector also monitors blacklists that report malicious and compromised sites. Search engines such as Google block blacklisted sites from appearing in search results, and if consumers cannot reach your site it is effectively down.
- Call in the white hats! Use penetration testing to stay ahead of the bad guys: If you operate your web site from your own network, your site is only as secure as that network. In network security we call those who break into computer networks with malicious motives "black hat" hackers. When an organization wants, or rather needs, to go the extra mile to be sure it is safe from the black hats, it can call in the white hats for network penetration testing. Penetration testing, or pentesting, uses the same techniques the black hats use, except that they are carried out by the "good guys" as a service, with your authorization and an agreed scope. The testers probe networks and web sites by manually simulating an attack to find security holes that could expose sensitive data. They identify the critical attack paths through your infrastructure, attempt to exploit weaknesses to determine exactly how and where it can be compromised, and provide advice on eliminating those weaknesses. They use the same hacking and social engineering techniques and the latest tools that real attackers use. If a vulnerability exists in your network, the bad guys will eventually find it, and the consequences for your customers and your reputation can be severe. Better that the white hats find it first!
- Use multi-factor authentication: When the web was first opened to commercial use in 1994, authenticating users with a user ID and password seemed good enough. Not so today. Despite improvements to SSL and advances in network security, hackers have demonstrated the ability to intercept user IDs and passwords. There are two common techniques. The first is the "man in the middle" attack, where the hacker inserts a process between the browser and the web server and captures the traffic between the two. If your server uses a valid certificate, the browser should warn the user when the certificate presented by the man in the middle fails to validate, but that assumes the user pays attention to the warning. Second, if a hacker can infect a web site with malware, that malware may download a key logger and sniffer to the user's computer. The hacker can then watch where the user goes on the Internet and capture their credentials when they log in to password-protected sites. Even if you have protected your own network as discussed above, the visitor could have been infected by another web site. You may have noticed that financial institutions like your bank or brokerage firm do not rely solely on a user ID and password. If you log in from a computer other than your usual one, they add an extra level of authentication to make sure it is really you. This is called multi-factor authentication (MFA); the common case of two factors is known as two-factor authentication (2FA). For example, my bank sends an authentication code to an email address or telephone number it already has on file. I use that code together with my password to log in. Unless the hacker also has access to my email or cell phone, I am the only one who could be trying to gain access.
- Trust seals matter. Use them: Trust seals are images issued by a third party attesting that your site has met a set of standards and criteria that make you trustworthy. Studies show that consumers are more likely to purchase from sites where they see such seals, so they increase your conversion rate and repeat business. For example, the WebTrust seal on the site of a certificate authority that issues SSL certificates attests that it meets the highest standards and follows best practices for a certificate authority. If you use Extended Validation (EV) SSL, the issuer authorizes you to display its trust seal to tell your visitors that they can feel safe doing business with you. A surprising number of sites have invested in EV SSL but do not display their seal prominently. Today, with all the concern about safety and security online, consumers need every assurance you can give them.
- Use a managed DNS: Using a managed DNS service can improve your network and web site performance and add a layer of security. When you communicate on the Internet, domain names that humans can read must be translated into the IP addresses that identify each computer on the Internet. The translation is done by the Domain Name System (DNS): your domain's records are served by authoritative name servers, usually provided by your Internet service provider or set up by the company itself. If you rely on your service provider's DNS you have no control, and performance can be erratic. If you run your own name servers, you cannot host the site on a shared server, the security of your DNS is only as good as your network, and the servers have to run 24/7 for your site to be reachable 24/7. A much better idea is to sign up with a managed DNS service to host your DNS. These are companies that have built their own network of DNS servers and add features to improve performance, security and resilience. DNS performance matters for how fast a web page loads, since the browser cannot open a connection until the name resolves. For example, DNS.com offers features that you do not get from your ISP:
- Security: protection against malware, denial of service (DoS) attacks, phish blocking, blacklist prevention, etc.
- Content filtering
- 100% uptime SLAs
- Web interfaces for managing DNS and DNS records
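The multi-factor authentication step above describes a bank sending a one-time code to an email address or phone number on file and accepting it alongside the password. The following is an added worked example, not code from the original post or from any vendor named on this page, of how a site can issue and verify such codes safely: codes are random, stored only as a salted hash, expire after a few minutes, are single use, and are locked after a few wrong guesses, with a constant-time comparison so the check does not leak digits through timing. It goes slightly beyond the text by also including the HOTP/TOTP algorithms (RFC 4226 and RFC 6238) that authenticator apps use, since a practitioner deploying 2FA will usually want both delivery options. The time limit and attempt limit are assumptions, and the test secret is the one published in RFC 4226.

```python
import hashlib
import hmac
import secrets
import struct
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # assumption: an out-of-band code is valid for five minutes
MAX_ATTEMPTS = 5         # assumption: a code is locked after five wrong guesses


class OtpStore:
    """Issues and verifies one-time codes delivered out of band (email or SMS).

    Only a salted hash of each code is kept, so a leaked database does not
    reveal codes that are still valid. The clock is injectable so expiry can
    be exercised in tests without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        # user_id -> (salt, code_hash, expires_at, attempts_left)
        self._pending = {}

    @staticmethod
    def _hash(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code for user_id and return it for delivery.

        A new code replaces any outstanding one, so an attacker cannot keep
        guessing against an old code after the user requests another.
        """
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[user_id] = (salt, self._hash(salt, code), expires_at, MAX_ATTEMPTS)
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """Return True exactly once for the right code while it is still valid."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        salt, code_hash, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user_id]          # expired or locked: discard it
            return False
        if hmac.compare_digest(self._hash(salt, submitted), code_hash):
            del self._pending[user_id]          # single use
            return True
        self._pending[user_id] = (salt, code_hash, expires_at, attempts_left - 1)
        return False


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


if __name__ == "__main__":
    # Out-of-band flow: the code returned by issue() would be emailed or
    # texted to the user; here we just feed it straight back in.
    store = OtpStore()
    code = store.issue("alice")
    print("wrong guess accepted:", store.verify("alice", "000000" if code != "000000" else "000001"))
    print("right code accepted:", store.verify("alice", code))
    print("replay accepted:", store.verify("alice", code))
    # Authenticator-app flow with the RFC 4226 test secret.
    print("TOTP now:", totp(b"12345678901234567890", int(time.time())))
```

Email and SMS delivery are the weakest second factors because an attacker who has taken over the user's mailbox or phone number (for example by SIM swapping) receives the code too; offer an authenticator app via `totp()` wherever the user base can support it, and never log or echo the issued code.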