Starting Your eCommerce Business – Web Security Survival Guide

By on Mar 21, 2013

Ecommerce is shaping up to be a major part of the global retail market, with Forrester predicting that U.S. online retail sales alone will top $370 billion by 2017. With this in mind, it's no wonder so many people hope to take advantage of these profits by creating their own online business. Although it's easier than ever to establish an online store, security is crucial to achieving long-term success.

Aside from the legal and cosmetic processes, new eCommerce merchants must take further steps to provide customers with a safe and secure site for purchasing goods. Below, we discuss six security-related rules online retailers must follow in order to survive.

Backend security basics

Running a successful eCommerce business starts by ensuring that your site's backend systems are properly secured. Especially in the beginning stages, a single data breach could cripple your entire business, and in some cases your bank account. While creating a full security plan may seem daunting, two of the most important places to start are establishing a firewall and protecting your web applications.

As an initial step, a network firewall limits which of your servers and services can be reached from the internet at all, so that the database, administrative interfaces and anything else that does not need to be public are not exposed. Once that is in place, you must also protect the web application itself, meaning contact forms, login boxes, search queries and any other input a visitor controls. A web application firewall (WAF) can filter many application-level attacks such as SQL injection and cross-site scripting (XSS), but it is a safety net rather than a fix: the application code must still handle untrusted input correctly, for example by using parameterized queries instead of building SQL text from user input, and by encoding output before it is rendered in a page.

Encryption is essential

Along the lines of backend security, protecting sensitive data as soon as it enters your site is another critical step. Whether or not you enlist a third-party payment provider to process your transactions, customer data such as contact information should be encrypted before it is stored on your servers. Passwords are a special case: they should never be stored in a form that can be reversed at all, even an encrypted one. Store a salted, deliberately slow hash of each password instead, so that a stolen database does not hand the attacker every customer's credentials. Full card numbers should not be stored unless you have a concrete business need and the controls PCI DSS requires for doing so.
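Password storage done the way the paragraph above describes. This is an added example, not code from the original post or from McAfee. It uses only the Python standard library (PBKDF2-HMAC-SHA256, a random 16-byte salt per user, and a constant-time comparison on verification). The record format, the iteration count and the function names are this example's own choices; the iteration count in particular is an assumption you should tune so that one hash takes on the order of a hundred milliseconds on your own hardware.

```python
"""Salted, slow password hashing with the standard library.

Added example, not from the original post. PBKDF2-HMAC-SHA256 with a
per-user random salt; the 'algorithm$iterations$salt$digest' record
format is this example's own convention.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
# Assumption: tune so a single hash costs ~100 ms on your servers.
ITERATIONS = 600_000


def hash_password(password: str, *, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record that stores everything verify needs.

    A fresh random salt per user means two customers with the same password
    get different records, so precomputed tables are useless against the dump.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare it
    in constant time; a malformed or unknown record simply fails."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        if algo != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("good password:", verify_password("correct horse battery staple", rec))
    print("bad password: ", verify_password("Correct horse battery staple", rec))
```

Because the record carries its own iteration count, you can raise the work factor later and re-hash each customer's password at their next successful login without a forced reset. Reversible encryption of passwords offers none of this: whoever obtains the key (often the same attacker who obtained the database) recovers every password at once.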

Additionally, another level of mandatory protection is transport encryption with SSL/TLS (the protocol in use today is TLS, though certificates are still widely sold as "SSL certificates"), and it should cover every page that carries a login or a payment, ideally the entire site. To achieve this, you must obtain a certificate from a certificate authority, install it on your web server and renew it before it expires, typically every one to two years. A page protected this way is shown by a web address beginning with "https". Be clear about what this buys you: TLS encrypts payment and login data in transit between the customer's browser and your server, so it cannot be read or altered on the network, but it does nothing for data once it has arrived, which is why the storage protections above are still required.

Vulnerability monitoring

While online businesses must take responsibility for the safety of their customers, they certainly don't have to do it alone. Partnering with an outside security vendor helps prevent breaches, since vulnerability scanning and related services can surface weaknesses you would otherwise have missed. Out of 300 companies surveyed, the average number of vulnerabilities found per website was thirty-five; imagine how many a site with no security program at all could have.

Justifying the additional cost can be difficult in the beginning, but failing to find and patch flaws could result in a much pricier outcome in the long run. According to iViz Security, 82% of websites surveyed had one or more critical vulnerabilities that had gone undetected. More often than not, merchants aren't the ones to discover mission-critical issues, and even one serious security hole could result in a potentially fatal breach for a small retailer.

For example, implementing a website vulnerability scanning service like the McAfee SECURE™ service can help online businesses avoid a litany of threats by scanning daily for thousands of vulnerabilities.

Make sure you are PCI compliant

By incorporating all of the above security measures, your business will already be part of the way toward achieving PCI compliance, which is a necessity for accepting card payments. As more and more transactions are carried out online, stricter credit card security is becoming an imperative, and compliance with the Payment Card Industry Data Security Standard (PCI DSS) is the best place to start.

However, adherence to these requirements is not universal, and more often than not, small to medium-sized online merchants are the culprits. Failing to comply not only puts your business and customers at risk, but it can also lead to heavy fines from your acquiring bank and the card brands, and in serious cases the loss of your ability to accept cards at all. Many of the security risks merchants face are not new, and it is the easy, well-known exploits, preventable by following PCI DSS, that cause the majority of issues.

Pick your payment providers wisely

If you do decide to outsource payment processing, be aware that the responsibility doesn’t stop there. Many new merchants don’t realize that protecting customer financial information and maintaining PCI compliance continues even after payment processing or other functions are taken over by a third party.

Aside from ensuring that your own business follows PCI DSS, you must also assess the compliance of all outside providers. Even if another company is handling part of or the entire environment, merchants will still be responsible in the event of a data breach. With this in mind, cover your bases by knowing where and how the vendors to which you outsource deal with cardholder data.

Always update your website

Once your site has been established and all of the above measures have been put into place, the final step is maintenance. All too often, merchants fail to keep their websites and all of the supporting software up to date, which can have very serious consequences. Unpatched software is one of the most common routes to compromise, and a compromised store can serve malware to its own customers and be used as a launching point against countless other sites.

Forgoing website updates is not only an issue for online merchants: 20% of respondents to StopBadware's Compromised Websites survey admitted to not updating their software regularly. The update process will differ depending on where and how your eCommerce site is hosted, but whether you use a hosted platform or run an open source one yourself, you must ensure that everything, including the platform, its plugins and themes, and the underlying server software, is kept up to date.

There are many factors that contribute to the success of an online store, but security is absolutely essential for maintaining it. Failing to provide website security leaves your online store vulnerable to hackers, and even if some data breaches may be inevitable, most are avoidable.

Aside from the liability aspect, establishing good security practices and following all supporting requirements will show customers that you take their safety seriously and want to provide the best eCommerce experience possible for them. Fostering consumer confidence is vital to business success, and security is a great way to start building that relationship.

Visit our website for more information on McAfee SECURE services, and be sure to follow us on Twitter at @McAfee_Business for the latest in eCommerce news and events.
