Your store's e-commerce data is very valuable, and not just to your business. As more merchants store data and build profiles on their customers to offer customer experience enhancements like seamless omnichannel shopping, cyberthieves are taking notice.
To protect your business from hackers and data theft – and to keep the customer trust you've worked hard to earn – it's important to make sure your company follows data security best practices.
Even if you have a data security program in place, it's wise to review it periodically to make sure you're keeping up with industry changes and evolving security threats. These steps are a good place to start.
Review your company's security budget.
Many merchants focus on fraud prevention solutions, which is critical, because card-not-present and account-takeover fraud have a huge financial impact on e-commerce sellers. However, there should be room in your security budget for data protection as well. A single breach of just a few thousand customer records could significantly damage your reputation and erode your customer base. A breach could also cost up to 4% of your worldwide turnover if the EU's GDPR applies to your business or any of your customers.
Evaluate your encryption practices.
Online stores know that having an SSL certificate and encrypted transmission of payment data is a must to maintain PCI compliance and the ability to accept card payments. However, that's not the only place in your business where encryption is a must.
Any sensitive data – especially any customer data that's covered by GDPR, the new California Consumer Privacy Act or HIPAA in the U.S. – should be encrypted for storage. If you store this data in the cloud rather than on premises, don't assume the encryption your cloud services offer is robust enough on its own. American Express recommends implementing stronger encryption tools than what's bundled with many cloud services. (You'll also need to make sure that your cloud storage is configured properly to keep intruders out.)
Refine your data-collection focus.
Don't collect more data than you need to serve your customers, and don't keep data any longer than you need to. When there's less to store, there's less to potentially lose. Schedule regular reviews of your collected data, and only keep what you need. Destroy or completely delete what you no longer use.
Take stock of your physical data security.
How easy would it be for an employee or visitor to walk out of your offices with a laptop or external storage device with your customers' data on it? Do your employees keep their laptops and phones secured at all times when they're out of the office?
Physical data breaches are rare, comprising only 4% of the attacks, according to the 2019 Verizon Data Breach Investigations Report. But when they do happen, the resulting data loss can generate bad press, brand damage and penalties.
While you're focused on physical security, find out what devices are connected to your network. A comprehensive, up-to-date list can help you and your IT team see who's using your network – with or without your authorization – now and going forward.
Restrict data access, and segment your system.
Not everyone in your company needs access to all your data. Giving employees and vendors access only to the data they need to do their jobs reduces the risk of hackers getting into your customer data via email phishing and account takeover attacks.
Segmenting your network can reduce the risk of data compromise. Separate your customer data from any other systems within your network that don't need access to that data. For example, if hackers break into your building's management system (the system that controls HVAC, alarms and cameras), they may be able to pivot and get into your customer databases if your network isn't segmented. Although it's not a PCI-DSS requirement, PCI recommends segmentation and says it may reduce PCI DSS scope if done correctly.
Require strong passwords, and limit data entry attempts.
Set up your customer, employee and vendor access to require a strong password. Simple passwords are a common risk because they're easy for hackers to guess or crack using bots that can test combinations until they find a match. A longer password that includes special characters, letters and numerals makes guessing virtually impossible and can make cracking take so long that criminals move on to easier targets.
Another way to reduce break-ins via account logins is to limit the number of login attempts a user can make before they are locked out of the system. This prevents password guessing or cracking. Likewise, if your online store's checkout process doesn't already limit card data entry attempts, adding that feature can reduce your exposure to card-testing fraud.
Keep your software patched and updated.
"Every time a vulnerability is disclosed, or a system update or patch is released, a hacker sees an opportunity," cautions the authors of the 2019 Verizon DBIR report. To keep your business from giving hackers that opportunity, make it a priority to patch software vulnerabilities and keep your software up to date.
Strengthen your malware protection.
Website security tools that continuously scan your site for malware can prevent a number of problems, including formjacking attacks that "skim" customer data as they enter it on your site, regardless of SSL protection. Although skimmers have gone after major sites like Ticketmaster and British Airways, they also target vulnerable smaller merchants. Of 40 sites known to be infected by organized skimming group Magecart this year, it appears that several are small business retailers.
Malware protection for your company's email system is important, too. Business email compromise (BEC), a type of targeted phishing that impersonates company executives, vendors and customers, accounted for half of all U.S. cybercrime losses in 2019, according to the FBI. In a BEC attack, fraudsters may impersonate an executive and request that an employee make an "urgent" wire transfer to a vendor with a particular bank number. Or they may target the payroll department with a request to reroute an executive's direct deposit to a "new" account.
Email is also a vector for other types of cyberattacks, including ransomware that can lock you out of your company's databases and bring your business to a standstill. Although ransomware attacks typically make the news when they hit government agencies, it's a growing threat to businesses of all kinds. In 2019, about 40% of EU-based SMBs said they'd been the victims of ransomware attacks, most often due to phishing emails.
Check your chargeback rates.
Poorly secured data can lead to card-not-present and account takeover fraud that results in costly chargebacks. Monitoring your chargeback rate can help spot emerging fraud patterns and keep your payment processing rates as low as possible.
If you see a spate of fraud-related chargebacks on orders that made it through your anti-fraud controls (or if you get a wave of complaints about customer loyalty points going missing), it's possible that criminals have taken over customers' accounts with your store and used their stored data to commit fraud. It's also possible that they've extracted that customer data to create new accounts elsewhere.
If this happens, it's important to work closely with your customers to resolve the problem. To detect it sooner, consider adding group order analysis to your anti-fraud program to quickly spot trends that indicate sophisticated fraud.
Build a data breach response plan.
After all these tips on keeping bad actors out of your systems, it may seem odd to recommend that you plan for a breach. However, a written plan can help you limit the damage in case of a breach by helping you decide what to do with infected equipment and systems, who to call for help and who to contact to report the incident.
Following a plan may also limit your liability by helping you to meet legal requirements and deadlines for breach reporting. For example, the GDPR requires entities to report customer data exposure within 72 hours of discovering it.
Working through all the steps in this checklist may take a while, but then, cybersecurity is an ongoing process. Once you've identified the areas where your business can improve, and made those improvements, keep reviewing your data protection practices to keep up with the always-evolving threat landscape. Doing so will help you keep your customers' trust and help your business stay healthy.