We’ve witnessed record-breaking security breaches this year against e-commerce sites. Regardless of size and IT security budget, no company is 100 percent immune from risk. Yet the reality is that many of the breaches in 2011 were preventable.
With the busiest online shopping period of the year in full swing, have you made sure your customers’ credit card data and personally identifiable information (PII) is as secure as it could be? Below are five tips for online retailers to help them prevent their websites from being hacked and to keep their customer data safe this holiday season and beyond:
1. Follow PCI DSS guidelines for processing sensitive customer data. Online retailers that store, process or transmit payment card data are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). Safeguard other PII just as carefully: attackers increasingly target personal information, which has historically not been held to the same security standards as card data, for use in phishing campaigns. Web merchants without the resources to manage PCI compliance internally should outsource their checkout process to a PCI-compliant service provider like PayPal. Outsourcing shrinks your compliance scope but does not remove it; you still have to confirm that card numbers never reach your own servers, databases or logs, and that the pages that hand customers off to the provider are themselves protected.
2. Upgrade your server software. Known vulnerabilities in the system software running your servers and websites give attackers an easy point of entry, and working exploits for old, unpatched versions are freely available. Fortunately, these long-known weaknesses are closed simply by keeping that software current. For example, on a LAMP server, keep the Linux kernel up to date and make sure MySQL, Apache and PHP are running patched versions. Apply security updates from your distribution or vendor promptly, and remember that an update only protects you once the affected service has been restarted, or the host rebooted in the case of a kernel update.
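As an added example (not code from the original article or from Qualys), the following Python script turns the "keep the LAMP stack current" advice into a repeatable check. It pulls version numbers out of the banners printed by `uname -r`, `php -v`, `apache2 -v` (or `httpd -v`) and `mysql --version`, and compares them numerically against a list of minimum acceptable versions. The sample banners and the minimum versions are constructed placeholders, not real advisory data; on a real host the banners come from running those commands, and the minimums must be filled in from your distribution's or vendor's current security advisories.

```python
import re

# Regexes to pull the version number out of each component's own version
# banner. The sample banners further down are constructed for this example;
# on a real host they come from commands such as `uname -r`, `php -v`,
# `apache2 -v` (or `httpd -v`) and `mysql --version`.
VERSION_PATTERNS = {
    "kernel": re.compile(r"^(\d+(?:\.\d+)+)"),
    "php":    re.compile(r"^PHP (\d+(?:\.\d+)+)"),
    "apache": re.compile(r"Apache/(\d+(?:\.\d+)+)"),
    "mysql":  re.compile(r"Distrib (\d+(?:\.\d+)+)"),
}


def parse_version(text):
    """Turn '5.3.10' into (5, 3, 10) so comparisons are numeric.
    Comparing the raw strings would wrongly rank '5.3.8' above '5.3.10'."""
    return tuple(int(part) for part in text.split("."))


def extract_version(component, banner):
    """Return the version tuple found in a component's version banner, or
    None when the banner is not recognised (reported as 'unknown')."""
    match = VERSION_PATTERNS[component].search(banner.strip())
    return parse_version(match.group(1)) if match else None


def audit(banners, minimums):
    """Compare each component's installed version against the minimum
    acceptable one. Returns a dict component -> 'ok', 'outdated' or 'unknown'.
    A missing or unparseable banner is 'unknown' rather than silently 'ok'."""
    verdicts = {}
    for component, minimum in minimums.items():
        installed = extract_version(component, banners.get(component, ""))
        if installed is None:
            verdicts[component] = "unknown"
        elif installed < parse_version(minimum):
            verdicts[component] = "outdated"
        else:
            verdicts[component] = "ok"
    return verdicts


# Constructed sample banners (not captured from a real server).
SAMPLE_BANNERS = {
    "kernel": "2.6.32-5-amd64",
    "php": "PHP 5.3.8 (cli) (built: Sep 12 2011 13:21:56)",
    "apache": "Server version: Apache/2.2.21 (Unix)",
    "mysql": "mysql  Ver 14.14 Distrib 5.1.58, for debian-linux-gnu (x86_64)",
}

# Hypothetical minimum versions used only to exercise the comparison. Fill
# these in from your vendor's current security advisories; they are
# placeholders, not a patching recommendation.
SAMPLE_MINIMUMS = {
    "kernel": "2.6.32",
    "php": "5.3.10",
    "apache": "2.2.21",
    "mysql": "5.5.18",
}

if __name__ == "__main__":
    for component, verdict in audit(SAMPLE_BANNERS, SAMPLE_MINIMUMS).items():
        print(f"{component:8} {verdict}")
```

Run from cron and alert on any verdict other than `ok`; an `unknown` usually means a component was removed, renamed or never inventoried, which is worth a look in itself. The same table can be extended with the version banner of your shopping cart or forum software so that the application layer is audited by the same job.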
3. Update your e-commerce software. Beyond keeping your system software current, ensure your front-end software, including social commerce plug-ins, forum software and shopping cart software, is always up to date. Remove, rather than merely disable, any software you installed previously but no longer use, including sample pages and installer scripts; a forgotten plug-in is still reachable over the web and still unpatched. If you write your own software, have it reviewed and tested for security vulnerabilities, such as SQL injection and cross-site scripting, before it goes live.
4. Follow best practices for creating admin credentials. Unfortunately, the number of credentials a person is required to maintain has grown beyond what anyone can memorize. This has led merchants to assign standard admin login credentials that are reused across different system access points, so that one leaked password opens every system. Avoid reusing credentials at all costs, give each administrator an individual account rather than a shared one, and construct strong passwords. For example, select a favorite quote or phrase, then use the first letter from each word, including punctuation, to construct a password. A password manager that generates and stores a unique password for each system removes the need to memorize them at all.
5. Scan your website for vulnerabilities. According to a study by Websense, 79.9 percent of websites containing malicious code were legitimate sites that had been compromised. Merchants should closely monitor whether their own sites are spreading malware. Malicious content can arrive through channels that aren't under your direct control, such as user-submitted comments and links included by your hosting provider, so checking the pages your visitors actually receive matters as much as checking your own code. Qualys has created a free service that your webmaster can use to automatically run a daily check on your websites to alert you to any issues.
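As an added example (not code from the original article and not how the Qualys service works), the following Python scanner shows the kind of check a daily job over a site's rendered pages can perform: it parses the HTML, flags `<script>` and `<iframe>` sources that point at hosts outside an allowlist, flags iframes that are sized or styled to be invisible, and applies a few heuristics for obfuscated inline scripts of the `eval(unescape(...))` kind. The sample page, the hostnames `shop.example`, `cdn.shop.example` and `attacker.example`, and the allowlist are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-script patterns that commonly accompany injected malware loaders.
# They are heuristics, not proof: a hit means "a person should look at this".
SUSPICIOUS_INLINE = [
    re.compile(r"eval\s*\(\s*unescape\s*\(", re.I),
    re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
    re.compile(r"(?:%[0-9a-f]{2}){8,}", re.I),      # long percent-encoded runs
    re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I),    # long \xNN hex runs
]


class InjectionScanner(HTMLParser):
    """Collect scripts and iframes so they can be checked against an allowlist
    of hosts the site is expected to load content from."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_text = []
            if "src" in attrs:
                self.findings.append(("external_script", attrs["src"]))
        elif tag == "iframe":
            src = attrs.get("src") or ""
            style = (attrs.get("style") or "").replace(" ", "").lower()
            hidden = (attrs.get("width") == "0" or attrs.get("height") == "0"
                      or "display:none" in style or "visibility:hidden" in style)
            self.findings.append(("hidden_iframe" if hidden else "iframe", src))

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_text)
            if any(p.search(body) for p in SUSPICIOUS_INLINE):
                self.findings.append(("obfuscated_inline_script", body[:60]))


def host_of(url):
    """Hostname of an absolute or scheme-relative URL; '' for relative paths."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def scan_page(html, allowed_hosts):
    """Return the findings a reviewer should look at: scripts or iframes that
    load from hosts off the allowlist (relative URLs count as same-origin),
    any hidden iframe, and inline scripts matching the obfuscation heuristics."""
    allowed = {h.lower() for h in allowed_hosts}
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    suspicious = []
    for kind, value in parser.findings:
        if kind in ("obfuscated_inline_script", "hidden_iframe"):
            suspicious.append((kind, value))
        elif host_of(value) and host_of(value) not in allowed:
            suspicious.append((kind, value))
    return suspicious


# Constructed sample page: a self-hosted script and an allowed CDN script,
# plus an injected hidden iframe and an obfuscated inline script.
SAMPLE_HTML = """
<html><head>
<script src="/js/cart.js"></script>
<script src="https://cdn.shop.example/jquery.min.js"></script>
</head><body>
<h1>Checkout</h1>
<iframe src="http://attacker.example/ad.php" width="0" height="0"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'))</script>
</body></html>
"""
ALLOWED_HOSTS = ["shop.example", "cdn.shop.example"]

if __name__ == "__main__":
    for kind, value in scan_page(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"{kind:26} {value}")
```

Feed it the HTML your server actually delivers to visitors (fetched over HTTP, not read from the source tree), since injected content often lives in the database, in a template cache or in the hosting provider's layer rather than in your own files. An allowlist of expected hosts has to be maintained as you add widgets and advertising partners; a flagged host you do not recognise is the signal this check exists to produce.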
If you're outsourcing services such as credit card processing, e-commerce services or web hosting, the above still applies. Discuss the above with your service providers to ensure they're taking these security tips into consideration.
Wolfgang Kandek is the chief technology officer for Qualys, a provider of cloud-based information security and compliance solutions. Wolfgang can be reached at wkandek@qualys.com.