Data security for online retail and eCommerce


Is your business vulnerable?

 

Each stolen record costs retailers USD$172 on average in the event of a data breach, according to the latest Cost of Data Breach Study, the gold-standard benchmark conducted by the Ponemon Institute – and this figure is on the rise. Cyber security should therefore be front-and-centre for any business operating on the Internet, and we are regularly asked to advise on how to manage and mitigate the risks of operating online.


Our approach to securing our customers’ systems is three-fold:

  1. The best possible architecture for our hosting environment, for data security and website availability;
  2. Monthly, quarterly and annual security testing for internal and external vulnerabilities, including penetration testing; and
  3. External review of our systems and security, and attestation of our Payment Card Industry Data Security Standards (PCI DSS) compliance by our Security Partner, Hivint.

The danger of a data breach for merchants big and small is very real – around four million records are compromised every day, with retailers consistently leading the pack as the industry most targeted. What’s more, small businesses are increasingly the focus of attacks, as criminals seek to target the “low hanging fruit”.

We have been providing secure eCommerce systems for many years, and have experienced many of the tricks and traps to managing data security. Using this experience, we can enable your business to ensure your critical systems and data are protected.

 

Why should I need to worry about security?

 

We generally find our customers approach cyber and data security in one of two ways:

  1. Concern about the rise of security breaches and online fraud has motivated them to mitigate the risks to their business; or
  2. They believe they are too small to be a target or that their service provider will take full responsibility in the event of a breach.

As a service provider, we can mitigate many of the risks posed to businesses operating online. However, many over-estimate the protection service providers can offer and miss essential steps they must take themselves to take charge of their own security – even though ownership of their security often means ownership of their business.

For eCommerce merchants, many of the PCI DSS requirements are about understanding your own business:

  • Who has access to your sensitive information?
  • Have you provided guidance on how they can protect it?
  • What will you do if something goes wrong?
  • How will you recover when the dust settles?

What must be considered for any retailer operating online is that not being able to show PCI compliance following a compromise can result in fines or penalties, loss of revenue and customers, and even an inability to handle future credit card transactions. We regularly hear stories of merchants that have been banned from transacting because of a failure to maintain security. Unfortunately, these situations occur most commonly with open source solutions, where modules can be easily added to an online store without any review of the security impact elsewhere on the website.

 

Knowing what steps you can take to protect your business is essential, even with a PCI DSS Compliant provider

 

It is important to recognise that compliance is a tool for improving your security posture and understanding your risks – it is not a “magic bullet” solution. A clear example: Target was certified in 2013 as PCI DSS compliant just weeks before criminals extracted more than 70 million sensitive records from their system, costing the company up to USD$1 Billion by some estimates. How did this happen? Simply put, the security measures were in place but the people didn’t know what to do with them.

Service providers generally will not provide your staff with security awareness training, nor will they take responsibility for removable media usage outside of their environment.

If your business employs a wireless network, it is typically your responsibility to ensure it is sufficiently segregated from where you store your sensitive information. We believe the most vital component is fostering a security-conscious culture: every team member must know what information requires protection and what they can do to safeguard its security. Self-awareness is one thing that cannot be outsourced and data protection must be incorporated into business practices at all levels. Security infrastructure is useful when something goes wrong – but it is your people who will prevent a breach before it occurs.

The cost of a breach isn’t just financial, either – ongoing market viability is contingent upon customer trust, and the reputational costs for eCommerce merchants can be catastrophic.

Following the Australian Government’s establishment of the Notifiable Data Breaches Scheme, businesses will be compelled to notify individuals affected by compromises. No longer will security incidents be swept under the rug, so the time to invest in a robust and secure platform is now.

Regardless of whether your service provider is PCI DSS compliant, it is important to know that every eCommerce merchant is required to satisfy the PCI DSS requirements annually. While those requirements vary depending on the size of the eCommerce business, even the most basic self-assessment questionnaire (PCI DSS SAQ-A) has 14 requirements, and the questionnaire that applies to most online stores (PCI DSS SAQ-A-EP) has 139 requirements that need to be satisfied, including regular vulnerability scans performed by an Authorised Scanning Vendor (ASV).

 

How does eCorner manage this for me?

 

eCorner specialises in secure online systems for eCommerce

 

eCorner has been providing secure, PCI DSS compliant hosting systems since 2004 and is trusted by some of Australia’s largest businesses, including two of the big banks and the QLD Government, to host sensitive systems.

All of eCorner’s hosting and back-ups are 100% in Australia. No data is passed offshore.

All hosting provided by eCorner includes a range of security, scanning and reporting features so you can be confident your infrastructure is secured to the highest levels.

 

Security – Logical configuration of hosting environment

eCorner’s hosting infrastructure, whether you are on our Enterprise platform or one of our online shops, is designed to minimise the risk of a security breach while still ensuring your business’s site is available to your customers.

The network has been configured to ensure that all traffic can be monitored and controlled at multiple levels within our infrastructure.

 

(Diagram: network structure)

 

Tier-1 Datacentre - Macquarie Telecom

 

eCorner partners with Macquarie Telecom to provide the physical backbone to our hosting environment and our off-site back-up service.

 

Availability

 

Data centre power is supplied via redundant power components to guarantee continuous power availability. In-building dedicated power substation, uninterruptible power supply systems (UPS), battery backup and multiple diesel-powered generators provide the necessary power during utility interruptions, such as weather-related events or transmission system failures.

 

Efficiency

 

Macquarie Telecom's high-speed Tier 1 Backbone Internet connection provides you with significant advantages in speed and throughput, delivering the highest quality bandwidth. The architecture provides redundant and diverse Internet connectivity, protecting against fibre cuts and router outages.

 

Physical Security

 

The data centre has multiple measures to enhance physical security. Mantraps, access cards, biometric scanning, and round-the-clock interior and exterior surveillance protect access to the data centre. CCTV, including motion-detection and fixed cameras, utilises digital recording and video archival. Certifications include ISO27001, ASIO T4 Intruder Resistant and DSD “Highly Protected”.

 

Data centre – PCI DSS Compliance

 

Macquarie Telecom Intellicentre is certified as a fully PCI DSS Compliant data centre.

 

Always-on Distributed Denial of Service (DDoS) Protection

 

Macquarie Telecom provides us with a DDoS protection service that responds the instant any unusual traffic is identified, along with regular reporting on any DDoS-style activity detected targeting anything on our networks.

 

Infrastructure

 

Our firewalls, switches, routers and servers are enterprise-grade devices that are fully supported by the manufacturers under 2-hour, 24/7/365 support agreements.

 

Data centre – Redundancy

 

If required, Macquarie Telecom provides eCorner an additional layer of redundancy with failovers into the Macquarie Cloud Services virtual environment.

 

Security – compliance and maintenance

 

eCorner’s hosting infrastructure is designed to meet or exceed the requirements under the PCI DSS standards (currently PCI DSS v3.1, moving to v3.2 in 2017) and, as such, we undertake annual independent audits of our compliance to the current standard conducted by Hivint.

This compliance includes an annual review of all secured systems as well as ongoing testing and review activities throughout the year to identify and manage any new or emerging risks to hosted secure systems.

 

Penetration Testing

 

The PCI DSS standards require that all secured systems undergo annual penetration testing to identify vulnerabilities that could be exploited by attackers. This testing is undertaken at multiple layers of the infrastructure, including the web-exposed layer, network layer and application layer, as well as certain internal penetration tests to determine whether your application is vulnerable to an internal user undertaking unauthorised activities.

 

Firewall configuration review

 

The physical and software configurations of all firewalls within the network are reviewed on an annual basis by an independent third party to ensure all physical and virtual firewalls are optimised to minimise the risk of unauthorised access.

 

PCI DSS Audits

 

eCorner engages an independent auditor (most recently Hivint) to undertake an annual audit of our compliance with the PCI DSS requirements. This includes a full review of the 347 factors considered by the PCI DSS requirements under the SAQ-D (Service Provider) encompassing potential risks at all levels of an enterprise from corporate policies, management and personnel risks, physical and infrastructure security risks, vulnerability scanning and many more. For a full list see: www.pcisecuritystandards.org.

 

Internal and external vulnerability scans

 

eCorner maintains both internal vulnerability scanning tools and an external vulnerability scanner to ensure any risks are identified and remediated as early as possible. All of our hosted infrastructure is scanned on a monthly basis, with any flags actioned immediately to resolve identified threats before they become critical.

 

Uptime and availability monitoring

 

All eCorner hosted systems are continuously monitored by an online availability tracking and reporting tool. Any outages are immediately notified to all key members of eCorner’s technical and management team, who have a chain of reporting to ensure outages originating in eCorner’s infrastructure are responded to as soon as they are identified.

 

Need some more information or assistance?

 

This post has been co-written by our Security Partner, Hivint, who provide a range of cyber security consulting, review and compliance services and are Australia's fastest growing cybersecurity consultancy.

Thank you Eric and Elliot for your valuable contributions.

eCorner and Hivint would be happy to assist to answer any questions you have about cyber security, your obligations and eCorner’s solutions.

 

Written and published in partnership by Elliot Dellys, Senior Security Advisor - Hivint Pty Ltd and Jae Debrincat, General Manager – eCorner Pty Ltd
