Lock Down Web Site Security
The ongoing threats of spam, identity theft and data security breaches hang heavily in the air at the close of 2005. Headlines detailing these dangers have made sure your customers are more aware than ever of the perils of buying online.
In fact, 48 percent of Americans avoid making purchases on the Internet because they’re afraid their financial information may be stolen, according to a survey conducted earlier this year by the Cyber Security Industry Alliance.
So what’s a responsible online merchant to do? Following are tips to not only ensure your Web site adequately handles customers’ data, but also make it undeniably clear that buying from your site is safe.
1. Stay informed about privacy regulations. One of the biggest mistakes catalogers and online merchants routinely make is not keeping informed of privacy laws, says Ken Burke, CEO of MarketLive, a Petaluma, Calif.-based e-commerce technology and development company.
The regulatory environment is constantly changing, notes Burke, as state and federal laws attempt to keep up with the growth of e-commerce and the increasing number of data security breaches. Rich Alessi, director of information technology and managed services for MarketLive, points to the Payment Card Industry (PCI) data security standards that went into effect in June as an example of regulations on which catalogers must stay current. Alessi stresses the importance of annually reviewing such rules to keep up with changes.
Organizations such as the International Association of Privacy Professionals (www.privacyassociation.org), the Privacy Foundation (www.privacyfoundation.org) and PrivacyExchange.org can be helpful resources in keeping up to date on privacy issues.
2. Look for intruders. Once you understand what’s expected of your Web site from a regulatory perspective, make technological improvements to your site, Alessi recommends. High on his list is an intrusion detection system (IDS). A passive device that sits on your network and watches for abnormal behavior, an IDS works like an antivirus program, says Alessi. It looks for patterns known to be associated with security attacks and alerts you when it sees one happening, allowing you to take action.
Alessi notes that most major security firms, such as Cisco and Check Point, offer IDS solutions. Open source solutions, such as Snort, also are available.
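The signature-matching behavior Alessi describes, as an added illustration that is not from the article or from any of the products it names: a small Python detector runs a table of known attack patterns over URL-decoded request paths in constructed web server log lines and tallies alerts per source address. The log lines, signature names and patterns are all constructed for the example; a real IDS such as Snort carries a far larger rule set and inspects network traffic rather than web logs.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined-log format (not from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2005:10:01:02 -0500] "GET /catalog/item.php?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Dec/2005:10:01:03 -0500] "GET /catalog/item.php?id=42%27%20OR%201%3D1 HTTP/1.1" 200 7340 "-" "Mozilla/4.0"
198.51.100.9 - - [12/Dec/2005:10:01:05 -0500] "GET /images/logo.gif HTTP/1.1" 200 812 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Dec/2005:10:01:06 -0500] "GET /../../etc/passwd HTTP/1.1" 404 211 "-" "curl/7.15"
198.51.100.9 - - [12/Dec/2005:10:01:07 -0500] "GET /checkout/step1.php HTTP/1.1" 200 4410 "-" "Mozilla/4.0"
"""

# Hypothetical signature table: name -> pattern tested against the decoded request path.
SIGNATURES = {
    "sql-injection-tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "directory-traversal": re.compile(r"\.\./"),
    "html-script-injection": re.compile(r"<script", re.IGNORECASE),
}

# One combined-log line: source, two ignored fields, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode percent-encoding so an encoded payload cannot slip past the patterns.
    rec["decoded_path"] = unquote(rec["path"])
    return rec


def detect(log_text):
    """Run every signature over every parsable line; return one alert per match."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["decoded_path"]):
                alerts.append({"src": rec["src"], "ts": rec["ts"],
                               "signature": name, "path": rec["path"]})
    return alerts


def alerts_by_source(alerts):
    """Count alerts per source address so a repeat source stands out."""
    counts = {}
    for a in alerts:
        counts[a["src"]] = counts.get(a["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f'ALERT {a["ts"]} {a["src"]} {a["signature"]} {a["path"]}')
    for src, n in alerts_by_source(found).items():
        print(f"{src}: {n} alert(s)")
```

The decode step is the part worth noting: two of the constructed lines only match after percent-decoding, which is why a detector that pattern-matches raw log text misses them. Real deployments also need the alert stream reviewed and tuned, since a pattern like `../` will fire on some legitimate traffic.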
3. Protect your firewall. Burke also recommends installing a demilitarized zone (DMZ) on your network. An extension of the firewall that separates your sensitive database servers from the open access of the Internet, a DMZ contains devices that need to be accessible by regular Internet traffic, such as your Web and e-mail servers.
Alessi describes the DMZ as the middle ground between the untrusted world of the Internet and the full-security zone of your database servers that exist behind your firewall. A hardware solution, a DMZ can be implemented either by adding another physical interface onto your existing firewall or by using two firewalls in a series, with the DMZ coming in between them, says Alessi.
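The zone separation Burke and Alessi describe, as an added example that is not from the article: a hypothetical three-zone policy (INTERNET, DMZ, INTERNAL) modelled in Python as an ordered allow list with a default deny, plus a lint that flags any rule letting Internet traffic reach the internal database zone directly, which is the misconfiguration that collapses a DMZ. Zone names, ports and the rule set are assumptions for the illustration, not a particular vendor's syntax.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None means any destination port
    action: str


# Hypothetical policy for a three-legged firewall (constructed for this example).
POLICY: List[Rule] = [
    Rule("INTERNET", "DMZ", 80, "allow"),    # public Web pages
    Rule("INTERNET", "DMZ", 443, "allow"),   # SSL checkout
    Rule("INTERNET", "DMZ", 25, "allow"),    # inbound e-mail
    Rule("DMZ", "INTERNAL", 5432, "allow"),  # Web tier to database port only
    Rule("INTERNAL", "DMZ", None, "allow"),  # administrators manage DMZ hosts
]


def evaluate(policy: List[Rule], src_zone: str, dst_zone: str, dst_port: int) -> str:
    """First matching rule wins; anything not explicitly allowed is denied."""
    for r in policy:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and (r.dst_port is None or r.dst_port == dst_port)):
            return r.action
    return "deny"


def audit(policy: List[Rule]) -> List[Rule]:
    """Return rules that allow the untrusted zone straight into the internal zone."""
    return [r for r in policy
            if r.action == "allow" and r.src_zone == "INTERNET" and r.dst_zone == "INTERNAL"]


if __name__ == "__main__":
    for flow in [("INTERNET", "DMZ", 443), ("INTERNET", "INTERNAL", 5432),
                 ("DMZ", "INTERNAL", 5432), ("DMZ", "INTERNAL", 22)]:
        print(flow, "->", evaluate(POLICY, *flow))
    print("policy problems:", audit(POLICY))
```

The lint matters as much as the rule table: a DMZ offers nothing if a later "convenience" rule opens the database port from the Internet, so checking the policy for such rules should be part of the periodic review Alessi recommends.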
4. Scan your network. Network scanning, which PCI requires, is what Burke describes as the low-hanging fruit in the quest to protect customer data. Either internally or using an outsourced provider, all online merchants should scan their networks regularly for security vulnerabilities. Outside providers of scanning services can offer a way to alert your customers that you’re taking steps to secure your Web site. Once they’ve determined your network is free of vulnerabilities, companies such as ScanAlert and SquareTrade provide branded seals you can put on your site that declare it’s secure.
While these companies provide a valuable service by shining a light on areas of your network that may need improvement, the placement of third-party logos also may offer the added value of increasing conversion rates. Officials at ScanAlert say A/B split tests performed by companies using their HACKER SAFE seal have in some cases lifted conversion by 20 percent.
Costs associated with these seals vary, but a standard HACKER SAFE subscription is $1,900 annually, with enterprise services offering features such as expanded reporting available for $5,000 to $14,000 per year.
5. Wear a badge of honor. A badge of honor is a theme that runs throughout your site that identifies you as a proponent of secure shopping, says Burke. Place a phrase such as “Safe and Secure Shopping” in the footer of every page, or put it just on those pages on your site where customers may be concerned with security, such as the shopping cart, first page of checkout, last page of checkout and thank-you page, Burke says.
6. Issue a security statement. Much like your privacy policy describes how you’ll use customer data, a security statement lets your customers know exactly how their information is protected, says Burke. “It shouldn’t be too technical, but it should be a few paragraphs long and explain each tactic you use to keep customer data secure,” notes Burke. Include whether you’re PCI compliant, how often you scan your network and how you encrypt customer information.
Further, try to link security and privacy in your customers’ minds, he says. Your privacy policy is an excellent place to show your customers you care about security. Talking about security in the context of privacy will start to reinforce to customers that you’re taking care of their data, he says.
7. Address security beyond the privacy policy. Bennie Smith, chief privacy officer at New York-based e-marketer DoubleClick, agrees that the privacy statement is a great place to provide disclosures about how customer information is used. But while Smith believes e-commerce sites and marketers have done a great deal to improve site usability, he suggests it’s time to improve how the industry communicates what’s going on behind its Web pages to bolster consumer trust.
Smith asks on which pages of catalogers’ Web sites consumers stop to ask themselves, “What’s happening?” “This is where we may be able to deliver a bit more messaging,” he says.
For example, at the point in the registration process when asking for a customer’s e-mail address, Smith advocates telling the customer right then how the address will be used. Will the customer get a newsletter, a special offer or an order confirmation?
Taking it a step further, Smith suggests offering a link to click to view a sample of what will arrive via e-mail, or a link that tells exactly how the customer’s e-mail address will be protected.
8. Merchandise security. “Just as you merchandise your products and develop a messaging strategy around that, create a messaging strategy around security,” says Burke. He recommends occasionally including brief security statements in e-mail campaigns and placing short security statements on merchandise pages, especially during slower sales periods. “Feed the knowledge that you’re concerned about security back out to your customer base. They’ll take notice if it’s done in a market friendly way,” Burke says.
9. Segment security communication. The trick is to figure out which customers are most concerned with security and market your secure image to them, agree both Burke and Smith.
Smith says new customers, for example, may need a bit more messaging about security than loyal customers who understand and appreciate your brand. There’s no one-size-fits-all solution, he says.
Burke says it comes down to understanding your customer. Once you know what the customer needs, you can market security the same way you’d market any other value proposition.
The Seals of Trust
Several companies in the online marketplace offer services you can use to assure customers it’s safe to do business with you. These third-party verification services may rate your reliability, data security or vulnerability to outside attacks.
Beyond verification, these companies allow you to display their logos or seals on your site, advertising your compliance with their safety protocols to your customers. Following are several categories of verification seals, what they mean to your customers and companies that offer each service.
* Reliability seals tell the customer you are who you say you are. While most reliability programs validate the mailing address, telephone number and e-mail addresses at a company, it’s important to know that fraudsters easily can set up a fake name and address. To combat this, reliability programs require companies to have a clear record of being responsive to resolving customer disputes. Reliability-seal programs include the BBBOnline Reliability Seal (www.bbbonline.org/business) and Comodo Authenticity (www.comodogroup.com).
* Security seals: Secure Sockets Layer (SSL) is a protocol that encrypts sensitive information while it travels between the customer’s browser and your Web site. SSL protection is denoted both by “https://” at the beginning of the Web site’s URL and by the image of a lock at the bottom of an Internet browser window.
Security seals verify that a company uses SSL protection. Security seals assure only that data are secure during transmission. Your company could use unsecured methods to process customer data on the back end and still qualify for a security seal. Security-seal programs include VeriSign (www.verisign.com) and GeoTrust (www.geotrust.com).
* Vulnerability seals let your customers know that a third party scans your Web site network regularly and searches for security vulnerabilities. If a vulnerability that could be exploited by hackers appears on your site, companies offering this service will let you know, and often will give a deadline for you to fix it.
The Payment Card Industry data security standards that went into effect earlier this year require that network scans be conducted at least quarterly. If you aren’t scanning your networks or haven’t hired a company to do it for you, you could face fines or expulsion from credit card-acceptance programs. Vulnerability-seal programs include ScanAlert’s HACKER SAFE (www.scanalert.com) and SquareTrade (www.squaretrade.com).
* Privacy seals require that your company respectfully use customers’ personal data. The certification processes for these programs review internal data collection and usage processes to ensure customer data is handled in a safe and secure manner. Often privacy programs will offer ongoing monitoring and allow your customers to file complaints regarding your conduct directly with the program. Privacy-seal programs include TRUSTe (www.truste.org) and BBBOnline Privacy (www.bbbonline.org/business).