E-commerce Insights How to Secure Your Web Site Against Hac
By Alan Rimm-Kaufman
From this article, you'll learn how to start protecting your Web site and customer data from potential security breaches.
A security breach could hit your company without warning. A hacker could bring your firm to its knees with terrifying swiftness. If your Web site is insecure today, hackers could break into it tonight, and tomorrow you could face widespread customer wrath, disastrous publicity and significant legal liability.
If your firm hasn't yet taken steps to reduce your Web security risk, now is the time to do so. Following are suggestions to get you started.
Yes, You Are a Target
Too many catalog CEOs believe their sites escape notice from bad guys due to the size of their companies, the type of goods they sell or their positive corporate reputations. But that's not true, security experts say.
"Every online merchant needs to be thinking about security," says Ken Godskind, vice president of marketing at Coconut Creek, Fla.-based AlertSite, a remote-hosted Web monitoring firm serving more than 1,500 merchants. "The Web is now digital Main Street. User expectations are very high; [site] availability is not a luxury, and security is now a basic requirement."
Sundeep Kapur of NCR Corp.'s Dayton, Ohio-based e-Commerce Solutions Group, which provides e-commerce platforms for catalogers, agrees. "The biggest issue in security is getting management to realize that protecting the customer is key to protecting your brand. You need to acknowledge this risk, handle it and make your customers know you are a reliable place to do business," he says.
Acknowledging you face online risk is the first step to mitigating it. Questions to ask yourself:
- Who in the organization is responsible for Web site security?
- What processes do we have in place to reduce the risk of attack?
- If attacked, do we have a response plan ready?
Your Site Probably Is Insecure
When retailers review their online security vulnerabilities for the first time, in almost every case the merchants find potential holes that require attention.
Ken Leonard, CEO of ScanAlert, a Napa, Calif.-based Web site security certification company monitoring more than 65,000 sites, estimates that 80 percent of his firm's new clients aren't in compliance with online security best practices.
Leonard reminds site owners that good security practices aren't optional — they are mandated by an alphabet soup of regulations and standards, including the Payment Card Industry (PCI) Data Security Standard, the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act.
In June 2005, Visa mandated strict security guidelines for retailers that accept credit card payments online. Yet this past January, Visa reported that only 32 of the 215 largest retailers were in compliance with these PCI standards — a dismal 15 percent success rate.
David Taylor, vice president of security at Protegrity, a Stamford, Conn.-based online security software and services firm, believes PCI compliance among smaller retailers is even worse. Taylor estimates that less than 5 percent of all online retailers are in compliance with the security requirements mandated by the credit card industry (see "How to Comply With the New Payment Card Industry Security Standards," in the September issue of Catalog Success).
AlertSite's Godskind agrees that almost no new clients arrive with clean bills of health. "Most larger e-commerce sites aren't too bad off, but almost every retailer has a few things wrong," he notes.
Questions to ask yourself:
- Which security standards and regulations apply to our business?
- Do we comply with those standards and regulations?
- What penalties do we face for noncompliance?
Do You Store Credit Card Data?
While Web sites collect many types of personal data that must be kept private, credit card information is the key concern for online retailers.
The number of high-profile credit card security breaches reported in the news is rising, with such chilling examples as last summer's attack on Tucson, Ariz.-based CardSystem Solutions, where 40 million accounts were exposed and 200,000 accounts stolen. As most breaches are not reported to the media, the true number of incidents likely is far greater than perceived.
Compounding the problem, ScanAlert's Leonard notes, is that far more online retailers store credit card information than probably need to, and of these, most don't store the data correctly. "By law and regulation, those data don't belong to the merchant. By storing them, the merchant takes on a huge risk and liability," he states.
A merchant may decide to store card information as a convenience to the customer or to speed up order taking in a contact center, but MasterCard and Visa frown on storing credit card data for these purposes.
If merchants must store credit cards, regulations stipulate the data are to be kept in an encrypted format, and all access to them should be logged. Further, Visa regulations prohibit merchants from ever storing Card Verification Value 2 (CVV2) numbers — the three digits on the back signature panel of a Visa card.
Questions to ask yourself:
- Do we store credit card numbers? Where? Why? Do we encrypt them?
- Do we store CVV2 values?
- Could we re-engineer our processes to serve customers without storing credit card numbers?
Have Your Web Site Regularly Scanned
One of the mandates set forth by security regulators is periodic scanning of your site by a certified testing service. Companies like ScanAlert and AlertSite can use automated robots to probe your Web site for potential security holes on a regular basis. Such holes typically are created by failing to correctly configure your Web servers, or by neglecting to keep your Web servers and their operating systems up-to-date with the most recent patches.
These security scanning services are inexpensive, starting as low as $20 per month. Sign up for one. It's likely required by your credit card agreements, the cost is modest, and the security benefits are significant. If your site receives a clean bill of health from a scanning robot, it's certainly more secure, and thus less likely to be hacked.
However, a clean scan does not mean your site is immune to attacks. These scans probe your network at its foundations, down at the protocol level. Wily hackers instead can attack your site at the application level. Application-level attacks often use a technique called "SQL injection," where hackers paste funny characters into your Web forms or into your dynamic URLs. If your site isn't coded securely, these funny characters could allow a determined and savvy hacker to take control of your database. Once in control, the hacker could destroy your site, steal your data and potentially seize customers' credit card numbers.
Commercial e-commerce platforms typically receive more rigorous testing than applications developed in house, and are less likely to have SQL injection vulnerabilities. Database-backed Web applications developed in house, no matter how small or simple, could expose your entire database to hackers if coding errors were made.
Questions to ask yourself:
- Is our site regularly scanned by a certified security monitoring service?
- Are all our online applications purchased, or are some developed in house?
- Have we applied the most current patches to our purchased applications?
- Who is responsible for keeping these patches up to date?
- How do we ensure our in-house Web applications are safe from SQL-injection attacks?
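As an added illustration of the application-level flaw described above (example code written for this article; it is not from the article's author or from any vendor it names): the same customer lookup written twice, once by pasting the form field into the SQL text and once as a parameterized query, run against a constructed in-memory SQLite table. The table layout, the customer names and the form inputs are all assumed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a small catalog site's customer table.
SAMPLE_CUSTOMERS = [
    (1, "Alice Lee", "alice@example.com"),
    (2, "Bob Stone", "bob@example.com"),
    (3, "Dana O'Brien", "dana@example.com"),
]

# Hypothetical form input containing SQL metacharacters instead of a name.
HOSTILE_INPUT = "' OR '1'='1"


def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def find_by_name_vulnerable(conn, name):
    """Builds the statement by string concatenation.

    Whatever the shopper typed becomes part of the SQL itself, so quotes and
    operators in the input change the meaning of the query.
    """
    sql = "SELECT id, name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, name):
    """Parameterized query: the value travels separately from the SQL text.

    The database only ever compares the input as data, so a quote in a real
    name is harmless and an injected condition is just a string nobody matches.
    """
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups on ordinary, apostrophe-containing and hostile input."""
    conn = make_db()
    results = {
        "safe_normal": len(find_by_name_safe(conn, "Alice Lee")),
        "safe_apostrophe": len(find_by_name_safe(conn, "Dana O'Brien")),
        "safe_hostile": len(find_by_name_safe(conn, HOSTILE_INPUT)),
        "vulnerable_normal": len(find_by_name_vulnerable(conn, "Alice Lee")),
        # The concatenated WHERE clause becomes  name = '' OR '1'='1'  and
        # matches every customer instead of none.
        "vulnerable_hostile": len(find_by_name_vulnerable(conn, HOSTILE_INPUT)),
    }
    try:
        # A legitimate name with an apostrophe breaks the concatenated SQL
        # outright: the statement no longer parses.
        find_by_name_vulnerable(conn, "Dana O'Brien")
        results["vulnerable_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["vulnerable_apostrophe"] = "sql error"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized form is the fix the in-house review in the checklist above should be looking for, and it applies equally to values taken from dynamic URLs. The apostrophe case is also a useful detection signal: database syntax errors in the application log triggered by ordinary customer names are usually the first sign that a query somewhere is being built by concatenation.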
Should You Publicize Your Scans?
Security experts disagree as to whether you should publicize these network scans.
Some experts suggest trumpeting security scanning as a marketing benefit. ScanAlert's Leonard, for example, asserts it's essential for catalogers to bring the security issue up with customers to reassure them.
He believes reassuring customers about security boosts Web-conversion rates. ScanAlert claims catalogers displaying its proprietary "Hacker Safe" certification badge enjoy a 14 percent average increase in Web orders. A few catalogers, such as 4 Wheel Drive Hardware, go so far as to emphasize their "Hacker Safe" Web certification in their print catalogs.
Other experts take a more measured approach to publicizing security processes. AlertSite's Godskind notes some online merchants choose to downplay the security scan certification to their customers, worried that raising the topic could increase customer anxiety. Other marketers express concerns that hackers might read a Web security badge as a challenge, potentially goading them to attack.
The decision to broadcast your security scanning badge is both a brand and a conversion decision, and the right answer can vary by cataloger. Regardless of whether you raise the issue with your customers, regular scans from a certified provider are a wise investment.
Questions to ask yourself:
- How should we describe our security processes to our shoppers?
- Have we tested the conversion impact of displaying a security scanning badge?
Conclusion
Many catalogers have not yet put sufficient resources into securing their Web sites. It's possible your site isn't secure today, and you're not complying with credit industry regulations. Both situations expose you to real and significant business risk.
Your tasks? Read more about security best practices. Get your site scanned on a regular basis. Review how you manage credit card data. Charge your IT team to make your site security compliant with applicable regulations and standards. Establish a response plan, should your site be hacked.
Start taking these steps to protect your site today. With hard work and luck, you can avoid being hacked.
Alan Rimm-Kaufman, Ph.D., leads the Rimm-Kaufman Group, a service and consulting firm providing search marketing management and Web usability services to leading direct marketers. He can be reached online via his site: www.rimmkaufman.com.