The e-commerce industry is booming, and so are data breaches and hacking incidents. Last year saw 174 million compromised data records, significantly more than were recorded in 2011. Online retail and shopping account for a large share of these breaches, since attackers are drawn to these money stores and the confidential data they hold.
Security breaches at an e-commerce website not only cost both the brand and the buyer financially but also erode overall consumer trust. For this reason, in late 2004, the leading credit card companies devised a set of rules and named them ‘PCI DSS’ (Payment Card Industry Data Security Standard).
These guidelines ensure that online retailers and merchants take precautionary security measures when storing, handling and transmitting cardholder information. In this first part on e-commerce security, we provide strategies that can ensure your revenue engine is PCI-compliant, or at least safe enough to retain consumer trust.
Firewall your servers and application:
When we compared public IT infrastructure with private infrastructure, we mentioned how 50% of enterprises deploy no firewall beyond the default configuration. Server and application firewalls need to be properly implemented and maintained. The truth is that a firewall plays a pivotal role in protecting confidential user data from viruses and trojans.
To give fort-like protection to servers, IBM provides two techniques:
1. The first, and quite commonly used, technique is setting up a demilitarized zone (DMZ) with two firewalls. The outer firewall handles incoming and outgoing HTTP requests. Before a request reaches the application server, it has to pass through a second, inner firewall. Both firewalls run intrusion detection to spot unauthorized access.
2. The second method, known as a ‘honey pot’, baits attackers by placing a fake server in the DMZ. Any attempt to access this server is detected and can then be monitored and traced.
Access controls:
Authentication and authorization controls prevent unauthorized access to the network. Most companies use two-factor authentication; although it adds some inconvenience for users, it ensures that even if a password is stolen the user's information is not compromised. The most common two-factor method is generating a one-time password and sending it to the user's cell phone by text message.
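As an added example (not code from the original article), the following Python sketches the server side of the SMS one-time-password flow described above: a code is issued with a short lifetime, handed to an assumed SMS gateway hook, and then verified once only, with a cap on wrong guesses and a constant-time comparison so the code cannot be brute-forced or timed out of the server.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6           # length of the numeric code sent by SMS
OTP_TTL_SECONDS = 300    # code is valid for five minutes
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is discarded


class OtpStore:
    """In-memory issue/verify state for SMS one-time passwords (demo only;
    a real deployment would keep this in a shared store such as Redis)."""

    def __init__(self, send_sms, clock=time.time):
        # send_sms(phone, text) is an assumed hook into an SMS gateway.
        self._send_sms = send_sms
        self._clock = clock
        # user_id -> [code, expires_at, attempts_left]
        self._pending = {}

    def issue(self, user_id, phone):
        # secrets (not random) gives a cryptographically strong code.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[user_id] = [code, self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your login code is {code}")

    def verify(self, user_id, submitted):
        entry = self._pending.get(user_id)
        if entry is None:
            return False  # nothing issued, already used, or locked out
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user_id]
            return False  # expired codes are discarded, not retried
        entry[2] -= 1     # every guess, right or wrong, consumes an attempt
        # compare_digest avoids leaking the code through timing differences
        if hmac.compare_digest(code, str(submitted)):
            del self._pending[user_id]  # single use: a replayed code fails
            return True
        if entry[2] == 0:
            del self._pending[user_id]  # too many wrong guesses: force re-issue
        return False
```

Because a six-digit code has only a million possibilities, the attempt limit and the short lifetime are what make the scheme safe, not the code length itself.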