Before the holiday cheer can arrive, online retailers must face the usual trepidation of accommodating the shopping rush, which this year is expected to bring a record surge of consumers.
Aside from all of the work that goes into ensuring the customer experience goes off with as few hitches as possible - and that the season is a success for your bottom line - you also have to deal with the prospect of cybercriminals, who eagerly await this time of year to launch attacks and commit fraud.
Our own research found that incidents affecting e-commerce environments accounted for 42 percent of the total incidents impacting the retail industry in 2015.
But there's no reason cybercrooks need to dampen the holiday spirit for you. Find solace below with our list of 14 actionable security tips that will prove valuable throughout the year - but which will come in particularly handy over the next five weeks.
1) Don't Hold on to Sensitive Data
There is no reason to store credit card numbers, expiration dates and card validation codes. However, if you need to keep information for chargebacks and recurring billing - or want to offer the convenience of one-click checkout - technologies such as tokenization and end-to-end encryption can help, while reducing your PCI DSS compliance scope in the process.
2) Ensure Your Platform Provider is Secure and PCI Compliant
If you outsource your e-commerce to a third-party provider, they must be committed to providing advanced security, including security testing and threat monitoring. At the bare minimum, request an annual proof-of-compliance from them. But keep in mind that you will still be responsible for handing certain areas of PCI DSS adherence as well.
3) Use Separate Servers for Your E-Commerce and Web Applications
Heed the principle of "one function per server" wherever possible. Additional hosting fees or the cost of launching a virtual machine to run other apps on your site besides your e-commerce functionality is trivial compared to the costs associated with a breach.
4) Avoid Privilege Creep and Bad Passwords
Limit your employees' privileges to access sensitive data, ensure their passwords are complex - passphrases are even better - and remove all orphan accounts of ex-workers and users. Help ensure your customer's safety by requiring them to also select difficult-to-crack passwords, something many e-commerce companies are still failing to do.
5) Commit to Security Testing
To beat the intruders, you need to think and act like them before they can strike. A penetration test will run tools that a hacker will run, identify vulnerabilities in your website and guide you in correcting the problems. As part of comprehensive vulnerability program, you should also incorporate scanning, as well as static and dynamic application security testing.
6) Stand up a Web Application Firewall
Web application firewalls (WAFs) provide an essential layer of protection against hacker attacks. They typically use generic rules and learning capabilities to successfully detect and block such attempts out of the box. Ensure that the WAF you choose inspects both inbound and outbound traffic and is "session aware" to help prevent user impersonation and data manipulation.
7) Patch Your Systems
Unpatched security holes provide cushy entryways for cybercriminals to enter your environment, and a rise in commercially available automated tools for discovering these vulnerabilities have made things easier than ever for the bad guys. You must maintain the latest versions of your software, plug-ins and extensions to keep the hackers at bay.
8) Protect Against DDoS Attacks
Distributed-denial-of-service attacks are becoming stronger by the quarter. Audit your firewalls to understand what traffic they are allowing in an out of your business. If you can stop unwanted or unnecessary protocols right at your perimeter, DDoS attacks will have trouble bringing down your servers. For smaller shops, talk to your internet service provider and ask them what they have in place to mitigate this threat. They may be able to provide protocol filtering capabilities or access to a DDoS mitigation service.
9) Monitor for Threats
The importance of identifying abnormal activity that may indicate a compromise is underway cannot be overstated. According to the 2016 Trustwave Global Security Report, the median time between intrusion and detection was 15 days for internally detected breaches, compared to 168 days for breaches detected and reported by external parties. Be aware of who is accessing your systems, investigate automated alerts, track all unusual activity, hunt for threats and escalate serious incidents.
10) Educate your Employees
Many of the security problems facing e-commerce merchants are so-called self-inflicted wounds, caused by insecure coding practices or simple human error. Security awareness can help offer education to your front-line employees and training for your developers so an insecure app or system doesn't go live before it should.
11) Take Measures to Prevent Fraud
Now that the EMV standard has undergone widespread deployment, including in the United States, fraudsters are shifting their focus to card-not-present environments. But don't be alarmed: There are easy-to-implement alerts, restrictions and verifications you can set up to flag suspicious transactions and help prevent fraud.
12) Secure the Connection Between Server and Client
Customers paying for goods and services now expect to see a padlock icon and "HTTPS" in the address bar to indicate they are interacting with a secure website. But keep in mind that the rules have changed around how you must accomplish this. Beginning in 2018, your web servers must be configured to use the most recent version of TLS.
13) Be Prepared to Respond
Incident response isn't just about reacting to a cyberattack or breach - it also involves consciously preparing for the inevitable intrusion, conducting triage and analysis to declare something an incident, and responding accordingly to address it and help prevent a recurrence.
14) Get on Board with PCI DSS 3.2
This list has referenced the PCI Data Security Standard, which has evolved into a mature rulebook for protecting sensitive cardholder data. If you aren't already familiar with the latest version, 3.2, you should start - as that is the version you will be assessed against going forward. Our experts prepared a comprehensive webinar that discusses all you need to know about 3.2.
Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor. Trustwave Senior Enterprise Engineer Don Brooks contributed to this blog post.
