Essential safety and security measures of an Ecommerce website

In today's Ecommerce blog post we review the 10 most essential safety and security precautions for any Ecommerce website:

1. No card data - as a rule of thumb, and for many years now, it is strongly recommended not to store customer card data in the website database. Storing it brings the site into full PCI DSS scope, which means a lengthy and relatively expensive assessment, and it is also unnecessary: most payment providers return a token for each transaction or saved card, and that token can be used to take a further payment or issue a refund when needed. The CVV/CVC code must never be kept after authorisation at all; PCI DSS forbids that even for certified merchants.

2. HTTPS - naturally, all Ecommerce websites should serve every page over HTTPS, not just the checkout: redirect plain HTTP to HTTPS, send an HSTS header so browsers stop trying HTTP at all, and mark the session cookie Secure so it is never sent in clear.

3. Strong password policy - customer accounts should be protected by strong passwords to reduce the chance of accounts being hacked. Require a minimum length (8 characters or more, and allow long passphrases) and reject passwords that appear in lists of common or previously breached passwords; current guidance (NIST SP 800-63B) favours this over forcing a mix of capital letters, numbers and special characters, which mostly produces predictable substitutions such as "Password1!". It is a really nice feature when the website can advise during registration whether the chosen password is of satisfactory strength. Passwords must be stored only as salted slow hashes (bcrypt, scrypt or Argon2), never in clear or reversibly encrypted. Ecommerce websites requiring an extra layer of security can employ two-factor authentication; an authenticator app or hardware key is stronger than a time-limited code sent by SMS or email, and a code sent to the email address adds little when that same mailbox also receives password-reset links.

4. Account locking - it is recommended to have the Ecommerce system lock an account after a number of attempts to log in with an incorrect password (five is a common threshold). Prefer a temporary lock of, say, 15 minutes, combined with rate limiting per IP address, over a permanent lock: a permanent lock lets anyone who knows a customer's username lock that customer out on purpose, and a lock that can only be lifted by contacting customer support turns that into a support burden as well. Notify the account holder by email when a lock happens, so a genuine user knows what is going on.

5. Secure password forgotten feature - instead of sending the original password to the user (which would mean the site stores it, see point 3) or generating a new password and sending it via email, the software shall send the user an email with a secure link to come to the website and create a new password there. The link must carry a long random token that expires quickly (an hour is typical), works only once and is tied to that one account; ideally only a hash of the token is kept in the database. After a successful reset, existing sessions and any other outstanding reset tokens for the account should be invalidated.

6. No username enumeration - when rejecting a login, the website should not reveal whether the username or email entered exists. Instead the message should be ambiguous, stating that either the username or the password is incorrect, and it should be identical for an unknown account, a wrong password and a locked account. The same applies to the registration and password-reset pages ("If that email is registered, a link has been sent"), and the response time should not differ noticeably between an unknown user and a wrong password.

7. No common-name back end - a typical mistake is to leave the back end of the website reachable at its standard path (/admin, /administrator, /wp-admin and the like) with nothing but the normal login in front of it. Move it to a unique path, which keeps automated scanners away, but treat that only as a first filter: protect it with an extra layer such as access from certain IP addresses or a VPN only, or an additional username and password at the web-server level, plus two-factor authentication for staff accounts.

8. Regular updates - the Ecommerce software version should always be up to date to ensure all the latest features, fixes and security patches are applied, and this applies equally to its plugins, extensions and themes, which is where many compromises start. The same goes for the back end and server software (web server, PHP or other runtime, database, operating system). Subscribe to the vendor's security announcements and apply patches promptly, testing on a staging copy first where possible.

9. Regular checks by independent 3rd parties - it is highly recommended to have regular checks of the website and web server (penetration tests and vulnerability scans) by an independent specialist security agency, as new threats appear regularly and business owners need to be notified about potential vulnerabilities in their Ecommerce solution. Between engagements, an automated vulnerability scanner and monitoring of the site for unexpected file changes help catch problems earlier.

10. Human factor - and yet, one of the most important security factors is the human factor. Giving each staff member only the permissions their role needs, using individual rather than shared admin accounts, changing credentials whenever a compromise is suspected or someone with access leaves, and promptly removing the accounts of users who have left the company are paramount to ensure the Ecommerce online store stays safe and secure.
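The login, lockout, reset and error-message rules from points 3 to 6 above, put together as an added example (this is not code from this post or from any particular Ecommerce platform). It keeps accounts in memory and uses scrypt from the Python standard library for password hashing; the minimum length, the five-attempt threshold, the 15-minute temporary lock, the one-hour token lifetime and the tiny common-password blocklist are assumed values chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

MIN_LENGTH = 8             # the post's minimum; long passphrases are allowed up to MAX_LENGTH
MAX_LENGTH = 128
MAX_ATTEMPTS = 5           # assumed: failed logins before the account is locked
LOCK_SECONDS = 15 * 60     # assumed: a temporary lock, not a permanent "call support" lock
RESET_TTL = 60 * 60        # assumed: reset links expire after one hour
GENERIC_ERROR = "Incorrect username or password."   # one message for every failure
# Constructed sample blocklist; a real deployment loads a full breached-password list.
COMMON_PASSWORDS = {"password", "password1", "12345678", "qwerty123", "letmein1"}


def hash_password(password, salt=None):
    """Salted, deliberately slow hash; the password itself is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def check_policy(password, username):
    """Return a problem to show the user, or None if the password is acceptable."""
    if len(password) < MIN_LENGTH:
        return f"use at least {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return f"use at most {MAX_LENGTH} characters"
    if password.lower() in COMMON_PASSWORDS:
        return "that password appears in lists of commonly used passwords"
    if username.lower() in password.lower():
        return "the password must not contain your username"
    return None


class AccountService:
    def __init__(self):
        self.users = {}          # username -> account record
        self.reset_tokens = {}   # sha256(token) -> (username, expiry); only the hash is kept
        self._dummy_salt = secrets.token_bytes(16)   # used to equalise timing for unknown names

    def register(self, username, password):
        problem = check_policy(password, username)
        if problem:
            raise ValueError(problem)
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0}

    def login(self, username, password, now=None):
        """Return (success, message). Every failure path yields GENERIC_ERROR."""
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None:
            hash_password(password, self._dummy_salt)   # unknown name costs as much as a wrong password
            return False, GENERIC_ERROR
        if user["locked_until"] > now:
            # Same message while locked; the account owner is told about the lock by email instead.
            return False, GENERIC_ERROR
        _, digest = hash_password(password, user["salt"])
        if not hmac.compare_digest(digest, user["hash"]):
            user["failures"] += 1
            if user["failures"] >= MAX_ATTEMPTS:
                user["locked_until"] = now + LOCK_SECONDS
                user["failures"] = 0
            return False, GENERIC_ERROR
        user["failures"] = 0
        return True, "ok"

    def request_reset(self, username, now=None):
        """Mint a token only for real accounts, but answer identically either way."""
        now = time.time() if now is None else now
        token = None
        if username in self.users:
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).hexdigest()
            self.reset_tokens[key] = (username, now + RESET_TTL)
        # The token goes into the emailed link only; the web page never displays it.
        return token, "If that account exists, a reset link has been sent."

    def reset_password(self, token, new_password, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.get(key)
        if entry is None or entry[1] < now:
            self.reset_tokens.pop(key, None)        # expired tokens are discarded
            return False
        username = entry[0]
        if check_policy(new_password, username):
            return False                            # token stays valid so the user can try again
        del self.reset_tokens[key]                  # single use
        salt, digest = hash_password(new_password)
        self.users[username].update(salt=salt, hash=digest, failures=0, locked_until=0.0)
        return True
```

Two details are deliberate. The unknown-username branch still runs the slow hash, so an attacker cannot tell a missing account from a wrong password by timing alone. And the reset token is looked up by its SHA-256 hash and deleted on first successful use, so a leaked copy of the database does not hand out working reset links and a used link cannot be replayed.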
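Point 7, an IP allowlist in front of a renamed admin path, as a second added example (again not the post's own code). It is a WSGI middleware, so it would wrap whatever Python application serves the shop; the path /s7k2-manage and the two networks in the allowlist are made-up values, and the same filter should also be configured in the web server or firewall so the application is not the only line of defence.

```python
import ipaddress
import posixpath

# Assumed values: a non-default admin path and an office/VPN allowlist (documentation ranges).
ADMIN_PREFIX = "/s7k2-manage"
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]


def client_ip(environ):
    """Use the socket peer address. X-Forwarded-For is attacker-controlled unless a trusted
    reverse proxy rewrites it, and in that setup the proxy should populate REMOTE_ADDR for us."""
    return environ.get("REMOTE_ADDR", "")


def is_allowed(ip_text, networks=ALLOWED_NETWORKS):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def is_admin_path(path, prefix=ADMIN_PREFIX):
    """Normalise '..' segments first, then match the prefix as a whole path segment,
    so /shop/../s7k2-manage is caught and /s7k2-manageable is not treated as admin."""
    path = posixpath.normpath(path)
    return path == prefix or path.startswith(prefix + "/")


class AdminGate:
    """WSGI middleware. Admin requests from outside the allowlist get a 404 that is
    indistinguishable from a path that does not exist; everything else passes through."""

    def __init__(self, app, prefix=ADMIN_PREFIX, networks=ALLOWED_NETWORKS):
        self.app, self.prefix, self.networks = app, prefix, networks

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        if is_admin_path(path, self.prefix) and not is_allowed(client_ip(environ), self.networks):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found"]
        return self.app(environ, start_response)


def decide(path, remote_addr, prefix=ADMIN_PREFIX, networks=ALLOWED_NETWORKS):
    """Drive the gate with a constructed request and return the status it sends."""
    seen = {}

    def shop(environ, start_response):             # stand-in for the real storefront app
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    def start_response(status, headers):
        seen["status"] = status

    gate = AdminGate(shop, prefix, networks)
    list(gate({"PATH_INFO": path, "REMOTE_ADDR": remote_addr}, start_response))
    return seen["status"]
```

Answering 404 rather than 403 for outsiders means the admin path looks exactly like any other non-existent URL to a scanner, which is the point of renaming it in the first place; the back end's own login and two-factor check still apply to requests that do get through.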