Internet users have always been wary of providing personal and financial information online, but as the web has grown, so has the number of transactions, as well as the number of sites seeking orders for products or services. Customers have grown more accustomed to providing their information to many kinds of businesses, but privacy concerns continue to grow. In the wake of the recent concerns about privacy on Facebook, I wanted to focus on the privacy of e-commerce site customers as well.
The last thing your business can afford is public recognition of lapses in privacy and security. But the concerns go far beyond customer perception as well. The emergence and growth of PCI Compliance puts a serious legal and financial burden on companies of all sizes to protect their customers’ credit cards and other financial information in an effort to prevent fraud.
If you haven’t performed a recent review of your practices relating to both privacy and security, now is a good time. And if you’ve never really given it much thought, please keep reading and then develop your own plan to maintain your customer’s valuable information.
The First Step: An SSL Certificate
An SSL certificate is essential to protect sensitive information as it is transmitted over the internet, such as when a form containing personal or financial information is submitted by a customer. SSL Certificates can be purchased from a number of providers, including Verisign, GeoTrust, Comodo, and many others. The SSL certificate is engaged when the web site is accessed with a URL beginning with “https” instead of “http”, encrypting both the request (submission of the form or requesting a web page via a URL) and response (the information that is sent back to the browser).
All sensitive information should be collected and presented on pages served over HTTPS using the SSL certificate. Customers often look to the “lock icon” in the corner of their browser window to ensure that a page asking for this information is secure.
Credit Card Information
The best thing you can do to protect customer’s credit card information is to NEVER store it in the first place. If your website uses a real-time payment gateway such as Authorize.net or Payflow, the customer’s credit card is passed through to the gateway, and charged or authorized for the sale, and typically doesn’t need to be stored on your server at all. Instead, reference or transaction numbers are stored in your system so that transactions can be reviewed and pre-authorizations can be captured. If your site or database gets compromised, there are no raw credit card numbers and expiration dates that can be stolen.
If you can’t use a real-time gateway for any reason, make sure you download the payment data over a secure connection (https over a browser, or sFTP instead or regular FTP). Then delete it from your web server as quickly as possible, as well as removing it from your local systems, once the payment has been processed. If you make efforts to delete the data regularly, then a breach of your web site will expose as few credit card numbers as possible (those that have been provided since you last deleted data).
The one thing you should never store in any capacity is the CVV number, also known by other acronyms including CVC, CVV2, and CID. This is the 3- or 4-digit number on the front or back of credit cards, separate from the actual credit card number, that is not embossed or raised and therefore doesn’t show up on a credit card imprint. Credit card companies such as VISA and MasterCard pose significant fines on merchants who violate the mandate to not store the CVV code, even if a breach has not occurred. You may also lose the ability to process credit card transactions in the future.
Customer Names and Addresses
Although not as fraught with concerns as issues with payment data, protecting customers identifying information, especially their home address, is still of ultimate importance. Customers often don’t want other people finding out their full names or their home address, or even their employer, due to concerns about identity theft. (The more information a potential identity thief collects, the more likely he can impersonate the victim).
All pages that refer to a customer’s account, full name, and address should be served over HTTPs, so that the SSL certificate encrypts the data being transmitted. Other pages such as order history are also recommended for SSL protection, especially if your products are sensitive – think medical supplies, prescriptions, adult items, etc.
You should also test your site’s account creation, log-in, and forgotten password functions. Make sure there are no security holes in these processes.
Think Carefully about Open-Source Software
Open-source shopping carts are growing in popularity, due to the low cost (often free) and the typically large developer/user communities surrounding them. However, in the case of software whose source code is available to the public, it’s often much easier for hackers to find and exploit holes. WordPress, arguably the most widely-used blogging platform, has had to issue numerous updates to patch security holes and bugs that were found by hackers. Shopping cart software is no less prone to problems, and the results of losing customers’ credit card numbers can be much worse than having your blog replaced by a defaced page (porn or not!)
Additionally, open-source software is often not subjected to the same compliance issues as software that is funded by sales instead of being free. For example, even Magento’s Community Version, the current golden child of the open-source shopping cart market, won’t be PA-DSS compliant…so unless you purchase the Enterprise Edition (which is not free!) you won’t meet this required standard.
Another area of your site to review includes searchable areas like gift registries, wishlists, and other kinds of customer lists (such as those Amazon allows customers to create and share). For example, when a person searches your gift registry, does your site return too much information about matching records? If you display first and last name, city, and state, it could be too much information to maintain customers’ privacy. Limit the information to as little as possible, while still allowing gift shoppers to recognize the person they are shopping for.
Limit Employee Access
You should also limit your employee’s access to customer and payment information only to those people who need to access it to perform their jobs. Employees come and go, sometimes under contentious circumstances. When an employee leaves the company, delete his or her account or change its password so that the former employee can no longer access the information. Also, encourage (or enforce) employees to use strong passwords and to periodically change them to protect their accounts from unauthorized access.
Many shopping carts and accounting systems allow you to configure user accounts to access only certain parts of the application. Often, you can allow your web developers, customer service representatives, and other employees to access the necessary parts of your system without giving them access to customer records and payment details.
Application Integration and Data Sharing
When sharing data between your cart and other applications (such as accounting systems, CRM systems, even a mailing list application), don’t transfer more data than necessary. Your mailing list doesn’t need the customer’s credit card information – not even the last four digits. So why bother? If it’s not needed, don’t keep it there. Don’t download data you don’t need into Excel and keep it on your hard drive either. And be very careful to make sure you don’t email credit card information to anyone! It’s surprising how many retailers and developers aren’t conditioned or informed about the risks of emailing sensitive data.
Review Your Database
Look at how your shopping cart stores customer records and allows forgotten passwords to be retrieved. Are your customers’ passwords encrypted before being stored in your database? Are passwords mailed in plain-text, where anyone with a packet sniffer can intercept them? Or do you email the customer a password reset link sent instead? Can site administrators see the old password or just reset it to a new one?
Communicate the Good
The larger and more visible your company grows, the more important it becomes for you to deal with these issues BEFORE you a breach occurs. When it makes sense financially to do so, consider online services such as McAfee Secure or ControlScan, and later, consider hiring a company that specializes in website and computer security services. The peace of mind, and lack of future problems, will likely make it worth every penny.