Essentials of Ecommerce Security
As you set about doing business on the Web, you’re going to encounter three specific types of people:
• Those who want to buy from you
• Those who want to steal from you
• Those who want to steal from those who buy from you
The paradox that every website owner faces is that you want to welcome the first type of person with open arms, but the others you’ll want to try to shut out. In a traditional offline store, it’s usually easy to sense where trouble is going to come from. Doing business online, however, means you lose that all important intuition.
Security must always be your highest priority if you are selling online through your own website. It is also the case that you can’t work out your online security by trial-and-error. You have to get it right the first time, because recovering from mistakes is difficult for big business, and virtually impossible for a small business. If you do manage to screw up on security and it gets known about, expect to have to rebuild your business and your reputation from scratch. In the rest of this article, we’ll give you some pointers on how to avoid that fate.
1. Don’t store more information than you actually need to
Many websites have complicated forms to be filled in before a customer can make even the most basic of purchases. Often these forms are requesting all kinds of information that is not relevant to the sale. This is usually the fault of the marketing department trying to obtain superfluous demographic or CRM information. The problem is that pre-sale is not usually the correct place to be requesting that kind of data.
Legally you have a responsibility to protect the data that you store about your customers. There’s even certain types of data that you’re not legally permitted to store (CVS numbers, for example). Even so, many websites do store that information that they are not supposed to be storing.
It’s much better for you not to do that. In the pre-sale phase, you can actually lose customers by asking for too much information. They will go some place where purchasing is simpler and where they don’t feel like they’re facing the Grand Inquisition.
People are becoming more concerned about the information they share online, so your goal should be always to collect the minimum amount of information possible, as that helps to build trust. If you’re using PayPal or a similar service to process your payments, you probably don’t have to collect any information from your customer, because PayPal supplies you with everything you need to know to complete the order.
The more information you store, the more there is potentially available for somebody to steal and exploit. If their theft is discovered and traced back to you, there will be a lot more problems arising out of that later on.
2. If you’re collecting sensitive information, you need SSL
Ideally every site should have SSL by default, but unfortunately it’s quite a hassle to get SSL sorted out, and there are even major internet companies that get it wrong (for their sake, we’re not going to name them).
SSL gives you encryption that makes it more difficult (but not impossible) for somebody to hijack or otherwise interfere with the transaction. It also to some extent protects the information that is relayed.
The most important feature of SSL—maybe even more important than the encryption—is that it positively identifies your site. Even this isn’t perfect, but it’s better than nothing at all.
3. Make a conscious decision about whether you’re processing your own transactions
Processing transactions in-house can save you a little money on each one. If you make low volume high value transactions, the savings could be significant. PayPal at their worst, for example, will charge you at least 4.5% of the value of a transaction (the amount reduces with higher transaction volumes).
Still, there are a lot of advantages to using external payment systems like PayPal, Skrill, and WorldPay. The primary advantage is that you’re no longer directly collecting financial information from your customer, and ideally not collecting any information at all. This means all the onus for PCI compliance and consumer data protection falls on the shoulders of the payment service and not on your shoulders. For the SME, this is a huge burden lifted, seriously reduces your potential liability, and simplifies the flow of your transactions.
On the other hand, there have been horror stories for some merchants. The main culprit when it comes to meddling in other people’s business is PayPal. Taking their duty to protect the world from money laundering extremely seriously, PayPal will freeze an account at the slightest hint that there’s anything odd going on, and getting the freeze lifted can be quite a hassle.
A big part of the PayPal problem is that it is quite difficult to contact them. Another infuriating thing that is not entirely limited to PayPal alone is the over-zealous hand holding, where they try to protect you way too much and without your request for them to do so. This means if you attempt to log in to your account from a device that PayPal doesn’t recognize, or if you have made the foolish mistake of registering a cell phone number with them, you can lock yourself out of your account merely by traveling to another country or changing your phone service. In a world where business is becoming increasingly global and people travel internationally much more often, this is unacceptable.
That problem can affect other things your business relies on too. Facebook, Twitter, Yahoo, GMail, and scores of other services can all make really big headaches for you when you travel outside your usual area and don’t have global roaming enabled on your phone. Logging in from an unfamiliar device (or a familiar device with an unfamiliar SIM card) from a location outside your home country can really screw things up for you, but at least none of those services has direct control over your cash flow. Payment services do, so if they block you, the consequences are more serious.
The greatest reason to let somebody else handle the transactions for you? Customers are notorious for not filling in forms correctly. When you’re unable to ship their product because of this, they will blame you. That can result in nasty things like charge-backs, and over time this can affect your business, and possibly also your reputation. Hand over all the information collection to a third party, and technically you’re off the hook.
4. Before shipping products, check all transaction details
For some businesses this can be a bit complex. If you sell digital products such as eBooks for example, customers usually expect to receive their product almost instantly. If you are selling physical merchandise, you have a little more time to check everything, and you should use it.
Make sure the quantities, prices, and product descriptions match what they should be matching. Also check that any discount or coupon codes are valid.
As you can see, staying secure does not take much effort or expense. It basically means dropping the habits of big corporations. In other words:
• Don’t spy on your customers
• Don’t collect information you don’t strictly need
• Protect the information you do collect
• Delegate compliance responsibility, if possible, by using third party transaction processing
• Review orders before you ship products
The one other thing you should always do is check that refund requests match the amount of the original transaction. It has been known for people to purchase at sale price and refund for full price, and staff don’t always notice.
Feature image curtsey of Fireart Studio