eCommerce Security in Troubling Times

eCommerce Security - Did you get a virus?

Each stolen record costs retailers A$250 on average in the event of a data breach, but the losses can be much greater, and this figure is on the rise. Financial loss can be compounded by loss of trust, which is much harder to recover. Cyber security should therefore be front-and-centre for any business operating on the Internet, and we are regularly asked to advise on how to manage and mitigate the risks of operating online. Covid-19 and isolation have brought a new focus to this old issue. More people are buying online, some for the first time, and merchants are stretched to support the new activity. Hackers see this as a field day for malicious activity.


It is always extremely important to be aware of malicious and fraudulent activity, but right now it is even more important to be very aware and not to take risks. We have seen many examples of both attempted malicious activity and fraudulent use of financial information, including credit card data. Although most online merchants immediately relate to the issues around fraudulent orders for goods on their online store, most don't consider the quiet acquisition of personal data, which can be harder to detect and more dangerous. Data is not stolen only from your website: anywhere information is passed can be vulnerable, such as social media channels, marketplaces or external systems connected by APIs (Application Programming Interfaces) that carry data between systems.

API Malicious Attacks

We recently saw an example of third-party APIs being used maliciously to validate what were probably stolen credit card numbers. Risk and cost do not come only from money lost to a chargeback caused by fraud: many payment gateways now charge merchants for attempted malicious use of their APIs. Automated bots that attack an API can deliver thousands of requests in a matter of minutes. Each request looks like a legitimate attempt in which the customer simply entered a card number incorrectly, so on the surface it is business as usual. In reality it is a hacker checking the validity of card numbers acquired illegally.

Malicious activity can be difficult to identify from the everyday actions of customers.
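As an added illustration (not eCorner's code), here is one way a merchant or gateway could pick the pattern described above out of their own payment API logs: a single source trying many distinct cards in a short window, almost all declined, as opposed to a customer retrying the same card after a typo. The log format, IP addresses and card references are constructed for the example.

```python
# Added example (not eCorner's code): flag card-testing abuse of a payment API.
# A real customer who mistypes a card retries the SAME card a few times; a bot
# validating a stolen list tries MANY DISTINCT cards from one source, mostly
# declined. Log format, IPs and card references below are constructed; the
# card_ref is an opaque token for the card, never the card number itself.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) result=(?P<result>\w+) card_ref=(?P<ref>\w+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip lines that are not payment attempts
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"], "result": m["result"], "ref": m["ref"]}

def find_card_testing(lines, window=timedelta(minutes=5), min_attempts=10,
                      min_distinct_cards=5, min_decline_ratio=0.8):
    """Return {ip: stats} for sources whose attempts look like card testing."""
    by_ip = defaultdict(list)
    for e in sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding time window over this source
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            declines = sum(e["result"] == "DECLINED" for e in win)
            distinct = len({e["ref"] for e in win})
            if distinct >= min_distinct_cards and declines / len(win) >= min_decline_ratio:
                if ip not in flagged or len(win) > flagged[ip]["attempts"]:
                    flagged[ip] = {"attempts": len(win), "distinct_cards": distinct,
                                   "declines": declines}
    return flagged

def constructed_log():
    """Constructed sample: one genuine customer retrying, one card-testing bot."""
    base = datetime(2020, 5, 12, 10, 0, 0)
    fmt = "{ts:%Y-%m-%dT%H:%M:%SZ} ip={ip} result={res} card_ref={ref}"
    lines = []
    for i, res in enumerate(["DECLINED", "DECLINED", "APPROVED"]):  # same card, typo then fixed
        lines.append(fmt.format(ts=base + timedelta(seconds=30 * i), ip="203.0.113.7", res=res, ref="c0ffee"))
    for i in range(12):  # twelve different cards inside two minutes, one happens to be live
        res = "APPROVED" if i == 7 else "DECLINED"
        lines.append(fmt.format(ts=base + timedelta(seconds=10 * i), ip="198.51.100.9", res=res, ref=f"card{i:02d}"))
    return lines

SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for ip, stats in find_card_testing(SAMPLE_LOG).items():
        print(f"card testing suspected from {ip}: {stats}")
```

The thresholds are a starting point: tune them against your own traffic, and treat a hit as a reason to rate-limit or challenge the source and alert a person rather than as proof on its own.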

eCorner's Approach

Our approach to securing our customers’ systems is four-fold:

  1. The best possible architecture for our hosting environment, for data security and website availability;
  2. Reacting fast to new threats and closing any suspected risks;
  3. Monthly, quarterly and annual security testing for internal and external vulnerabilities, including penetration testing; and
  4. External review of our systems and security, and attestation of our Payment Card Industry Data Security Standards (PCI DSS) compliance by our Security Partner, Hivint.

The danger of a data breach for merchants big and small is very real – around four million records are compromised every day, with retailers consistently leading the pack as the industry most targeted. What’s more is that small businesses are increasingly the focus of attacks, as criminals seek to target the “low hanging fruit”. 

We have been providing secure eCommerce systems for many years, and have experienced many of the tricks and traps to managing data security. Using this experience, we can enable your business to ensure your critical systems and data are protected.

Why should you need to worry about security?

We generally find merchants approach cyber and data security in one of two ways:

  1. Concern about the rise of security breaches and online fraud has motivated them to mitigate the risks to their business; or
  2. They believe they are too small to be a target or that their service provider will take full responsibility in the event of a breach.

As a service provider, we can mitigate many of the risks posed to businesses operating online. However, many over-estimate the protection service providers can offer and miss essential steps they must take themselves to take charge of their own security – even though ownership of their security often means ownership of their business.

For eCommerce merchants, many of the PCI DSS requirements are about understanding your own business:

  • Who has access to your sensitive information?
  • Have you provided guidance on how they can protect it?
  • What will you do if something goes wrong?
  • How will you recover when the dust settles?

What must be considered for any retailer operating online is that not being able to show PCI compliance following a compromise can result in fines or penalties, loss of revenue and customers, and even an inability to handle future credit card transactions. We regularly hear stories of merchants that have been banned from transacting because of a failure to maintain security. Unfortunately, these situations occur most commonly with open source solutions, where modules can be easily added to an online store without a review taking place of the security impacts elsewhere on the website.

Knowing what steps you can take

It is important to recognise that compliance is a tool for improving your security posture and understanding your risks – it is not a “magic bullet” solution. A clear example: Target was certified in 2013 as PCI DSS compliant just weeks before criminals extracted more than 70 million sensitive records from their system, costing the company up to USD$1 Billion by some estimates.

How did this happen? Simply put, the security measures were in place but the people didn’t know what to do with them.

Service providers generally will not provide your staff with security awareness training, nor will they take responsibility for removable media usage outside of their environment.

Other recent examples include Canva, where over 130 million accounts were exposed as a result of a malicious attack; Weibo in China, which lost over 170 million user accounts that were then published; and Marriott, which suffered a long-term exposure that compromised 500 million customers.

Secure your environment

If your business employs a wireless network, it is typically your responsibility to ensure it is sufficiently segregated from where you store your sensitive information. We believe the most vital component is fostering a security-conscious culture: every team member must know what information requires protection and what they can do to safeguard its security. Self-awareness is one thing that cannot be outsourced and data protection must be incorporated into business practices at all levels. Security infrastructure is useful when something goes wrong – but it is your people who will prevent a breach before it occurs.

The cost of a breach isn’t just financial, either: ongoing market viability is contingent upon customer trust, and the reputational costs for eCommerce merchants can be catastrophic.

Following the Australian Government’s establishment of the Notifiable Data Breaches Scheme, businesses will be compelled to notify individuals affected by compromises. No longer will security incidents be swept under the rug, so the time to invest in a robust and secure platform is now.

Regardless of whether your service provider is PCI DSS compliant, it is important to know that every eCommerce merchant is required to satisfy the PCI DSS requirements annually. While those requirements vary depending on the size of the eCommerce business, even the most basic self-assessment questionnaire (PCI DSS SAQ-A) has 14 requirements, and the questionnaire for most online stores (PCI DSS SAQ-A-EP) has over 140 requirements that need to be satisfied, including regular vulnerability scans performed by an Authorised Scanning Vendor (ASV).

Notification About the Use of Cookies

Cookies are an important part of how most websites and online stores operate. They can be used for malicious purposes and to collect data. Many countries around the world have legislated that you must notify your visitors about the use of cookies and provide an opportunity to opt-out. It has become an important part of the trust factors on your website.

What are the trust factors online?

If you have not dealt with a business or online store before, it is difficult to decide whether to trust it, so you need to look for the signs of trust. The following are some of the key items that you should make sure are covered correctly in the content of your online store:

Contact information - always provide contact information like an address, phone number (not a mobile), business email address and business credentials (ABN, ACN, or Business Registration). Tip: Avoid using generic email addresses like hotmail addresses.

About us - tell your visitors a little about you and your business. Information like when it started, who is involved, what the business does. All this will help people know you and help them develop trust.

Contact us - provide a simple email form that allows people to easily send you a message or get in contact, though these need to be followed up promptly to provide confidence that it's being monitored.

Terms & Conditions - provide people the right legal information about doing business with you. Note: you are legally required to have certain information on your site such as refund policies etc.

Returns and Refunds - make it clear to your visitors how you will accept returns of products and how you will handle refunds. Make it as simple as possible.

Payment processing - tell your customers up front how you will handle payment and who is processing your payments online. Make sure that any payment service provider account is in the business name. Put the payment provider logo on your website - gateways will often supply links to additional security and compliance information to provide your customers additional confidence.

SSL Certificate - install and use a Private SSL Certificate in your business/domain name and prominently display the certificate provider trust logo.

Privacy policy - let your visitors know what you will be doing with the information that you collect.

Cookie Notification - notify your customers that cookies are used on your website and provide an opt-out option.

GDPR and MDB Compliance - Provide a compliance statement for the EU General Data Protection Regulation (GDPR) and Australian Mandatory Data Breach (MDB) rules.

Provide a secure Payment Method

One of the most important aspects of selling online is, of course, getting paid. When consumers come to your online store, the first step is looking for that perfect product. Hopefully they will then want to buy it, which is the result you, the merchant, want. Now comes the important part: paying for the purchase. Mistakes here can cost you a sale, and a bad experience might cause a return and refund as well as losing a returning customer and future sales. So it is important that you use trusted payment providers to handle the online transaction. eCorner no longer allows merchants to collect credit card data manually, as it is unsafe and a breach of the Payment Card Industry Data Security Standards. We have therefore chosen to work with a number of secure payment providers that comply with the highest level of security and trust standards. You can find more information about accepting payments online in our frequently asked questions. You should tell your customers how important payment security is by displaying the correct information.

  • Always display the payment provider logo on the website (perhaps in the footer) and also in the shopping cart.
  • Always have information about security in your terms and conditions.
  • Always display the SSL Certificate provider logo in the footer.
  • Always use a secure payment provider.

3D Secure

Some bank and card providers support 3D Secure, which introduces an extra level of security in the authentication of the card holder. If you are concerned about fraudulent transactions, consider using 3D Secure.

Anti-Fraud Systems

Many payment providers offer services that scan transactions and validate them against rules that the merchant can manage. One example of such a system is eWAY Beagle Anti-fraud. You should speak with your payment provider to determine what systems are available.

The Google Factor

Google has also had an impact on trust and has moved to require all websites to have an SSL certificate and to use encryption (HTTPS) on every page of the website. The move has been applauded by many, but in some situations it has resulted in a lot of pain and frustration. Older websites often just cannot accomplish what Google requires, and sometimes do not need to. Many small business owners just don't know what to do.

eCorner has enabled always on SSL encryption with the latest releases of our online shop platform.

There is an impact either way. Once the move is made to always-on HTTPS, there is an immediate impact on SEO results that can take weeks or months to recover from. Google has indicated that websites that support the correct security levels will see better results in organic search. However, there is only a small initial improvement, and it will not be seen until Google fully crawls and indexes the new HTTPS pages.

Google is not really the bad guy, and what they recommend is now becoming a necessity for online stores that handle credit card processing and must meet the security requirements of the Payment Card Industry Data Security Standards (PCI DSS). Putting security first is always important and will result in improved trust and less risk.

How does eCorner manage this for our merchants?

eCorner specialises in secure online systems for eCommerce

eCorner has been providing secure, PCI DSS compliant hosting systems since 2004 and is trusted by some of Australia’s largest businesses, including two of the big banks and state and federal Government, to host sensitive systems.

All of eCorner’s hosting and back-ups are 100% based in Australia. No data is passed offshore.

All hosting provided by eCorner includes a range of security, scanning and reporting features so you can be confident your infrastructure is secured to the highest levels.

Security – Logical configuration of hosting environment

eCorner’s hosting infrastructure, whether you are on our dedicated Enterprise platform or one of our hosted online shops is designed to minimise the risk of a security breach while still ensuring your business’s site is available to your customers. The network has been configured to ensure that all traffic can be monitored and controlled at multiple levels within our infrastructure. eCorner will scan and identify potential threats and block IP Addresses that we consider to have a high risk.

Macquarie Cloud - Macquarie Telecom Data Centre

eCorner partners with Macquarie Cloud Services to provide a cloud based virtual data centre for all of our hosting environment and our off-site back-up service.

Data centre – Compliance

  • Tier III certified by the Uptime Institute.
  • ISO 27001:2013
  • PCI DSS 3.2.1.
  • SCEC Zone 3 & higher
  • ISO 45001, 9001 & 14001
  • SSAE SOC 2
  • NABERS 5-star rated (Planned)
  • 100+ NV1 Federal Government Cleared Engineers
  • ISO9001:2015 (Quality Management Systems)
  • ISO14001:2015 (Environmental Management Systems)
  • ISO45001:2018 (OH&S Management Systems)

Distributed Denial of Service (DDoS) Protection

Macquarie Telecom provides us with a DDoS protection service that gives us immediate protection the instant any unusual traffic is identified, and regular reporting on any DDoS-style activity detected targeting anything on our networks.

Data centre – Redundancy

If required, Macquarie Telecom provides eCorner an additional layer of redundancy with failovers into the Macquarie Cloud Services virtual environment.

Security – compliance and maintenance

eCorner’s hosting infrastructure is designed to meet or exceed the requirements under the PCI DSS standards (currently PCI DSS v3.2.1) and, as such, we undertake annual independent audits of our compliance to the current standard conducted by Hivint.

This compliance includes an annual review of all secured systems as well as ongoing testing and review activities throughout the year to identify and manage any new or emerging risks to hosted secure systems.

Penetration Testing

The PCI DSS standards require that all secured systems undergo annual penetration testing to identify vulnerabilities at risk from attack by hackers. This testing is undertaken at multiple layers of the infrastructure including the web exposed layer, network layer, application layer as well as certain internal penetration tests to determine if your application is vulnerable from an internal user undertaking unauthorised activities.

Firewall configuration review

The physical and software configurations of all firewalls within the network are reviewed on an annual basis by an independent third party to ensure all physical and virtual firewalls are optimised to minimise the risk of vulnerability to unauthorised access.

PCI DSS Audits

eCorner engages an independent auditor (most recently Hivint) to undertake an annual audit of our compliance with the PCI DSS requirements. This includes a full review of the 347 factors considered by the PCI DSS requirements under the SAQ-D (Service Provider) encompassing potential risks at all levels of an enterprise from corporate policies, management and personnel risks, physical and infrastructure security risks, vulnerability scanning and many more. For a full list see: www.pcisecuritystandards.org.

Internal and external vulnerability scans

eCorner maintains both internal vulnerability scanning tools and an external vulnerability scanner to ensure any risks are identified and remediated as early as possible. All of our hosted infrastructure is scanned on a monthly basis, with any flags actioned immediately to resolve identified threats before they become critical.

Uptime and availability monitoring

All eCorner hosted systems are continuously monitored by an online availability tracking and reporting tool. Any outages are immediately notified to all key members of eCorner’s technical and management team, who have a chain of reporting to ensure outages originating in eCorner’s infrastructure are responded to as soon as they are identified.

Need some more information or assistance?

We thank Hivint, our security partners, for providing some of the information in this blog, and also Macquarie Telecom - Macquarie Cloud Services for information and support with our hosting environment.

If you require information or assistance please contact eCorner.
