Managing an e-commerce website involves being in charge of aspects that go far beyond logistics, one of them is security, which is something to pay attention to, as every year there is a significant increase in online fraud and crime. ACI WorldWide, an organization that boosts digital payment solutions worldwide, reports that during 2020 the rate of fraud attempts was 5.3% a significant increase considering that in 2019 was 3.7%.
Knowing this, some security recommendations we can follow are:
1. Use headless e-commerce to divide the architecture of applications
It is common for monolithic solutions to be chosen when developing e-commerce, in other words, a single software manages the entire application (product database, customer transactions, etc.). One of the problems with this type of application is that system failure on some of the services affects the entire system. On the other hand, headless e-commerce is a solution that allows you to separate the delivery from the content and transform it into an API, in such a way that the front end, that is, the visual part of the application, is built independently with any other technology and is left to the choice of those in charge of the development of the store.
Headless e-commerce has several security advantages since the APIs usually exposed are read-only, in addition, when presenting a content structure separated by multiple endpoints, one adjustment of the components does not affect the entire web but only affects the specific component.
2. Implement the PCI standard and use an external payment provider
The PCI-DSS (Payment Application Data Security Standard) is a series of technical recommendations that the organization promotes to keep online payments secure. In their guides, they make some recommendations, such as storing as little data as possible about the credit cardholder.
In addition to this, a good practice would be to delegate the payment system to a third-party service to process all this information rather than from the same application, thus avoiding having sensitive data in the databases.
3. Monitor suspicious transactions
Having fraudulent transactions causes huge monetary losses, these behaviors are usually of various types and for this reason we must always review unusual patterns that give us an indication to avoid fraud in the future. There are actions that we can characterize as suspicious activities, such as:
• More than one payment method with different credentials is used from the same IP address.
• Many orders for the same item by a new customer.
• Orders that are shipped to the same address but with different payment methods may indicate theft of credentials.
There are many modules or software extensions that can be integrated with the most popular platforms like Shopify or WooCommerce that detect these behaviors automatically by providing a score that warns you of potential suspicious behavior.
4. Do technical security web tests
One of the attack vectors by hackers is usually to breach the security of the website itself, this is achieved by finding and finding feature flaws that have been developed without security standards, so it is the computer's responsibility to write a secure code to avoid the most common security threats:
• SQLInjections: This is a vulnerability in applications that allows you to run queries within your database, so you can easily access sensitive data.
• Cross-Site Scripting (XSS): It is an error that occurs when there is no validation of the input fields, allowing you to enter special characters, this can be used to enter a malicious code that executes instructions for data theft, for example, in an e-commerce could be used to make redirects to fake pages that subsequently capture payment media information. To mitigate this, the development team can initially be guided by an online vulnerability scanner such as Pentest-Tools.com or use a framework such as OWASP where resources, and tools are found to make security audits to applications.
5. Protect website authentication and passwords
Many computer crimes are based on trying to access a management panel or scale privileges, which is why there are several recommendations such as:
• Brute Force Avoidance System: Brute force attacks are those where the theft tries to access the admin panel by testing thousands of passwords in a few minutes and automatically all through a dictionary. There are many extensions or plugins on the market that can be integrated into existing e-commerce systems, but in some cases, this system will need to be programmed from scratch, so it is important to do things like block failed login attempts from the same IP address or limit the number of attempts, for example, let the customer have three attempts and then block the user for 24 hours.
• 2-Step Authentication (2FA): Instead of allowing app users to sign in with email and password only, you can also integrate an authentication system that requests additional code that is generated through an external application and has a limited duration of time. This will certainly make it difficult for criminals to access a user's account.
6. Always include an SSL certificate
The SSL standard is a very widespread security protocol today, basically allows you to encrypt the online transactions that users make on a website, and in this way, protect the data that passes through.
Users are looking for maximum confidence when entering an e-commerce website, so having a security certificate will give them sufficient reasons to continue shopping on their website.
Unlike a traditional website, e-commerce sites manage user data and money, so having a high fraud rate and not taking care of the application security will cause your users to constantly mistrust buying on the site, therefore, losing credibility quickly.
Following standards like PCI-DSS is a good way to get started, but you can also choose to use new technologies that already implement many security options, such as e-commerce headless, which is now becoming a trend.