Five Tips for Merchants to Ensure Your Online Store is Safe

Five Tips for Merchants to Ensure Your Online Store is Safe

The past year has seen merchants, like many organizations, forced to adapt and change the way they work. Businesses rushed online to sell as lockdowns shuttered the high street, while employees were required to work from home. As essential as these trends were from a business perspective, they may also have introduced extra cyber risk.

The truth is that customer card data remains a highly lucrative target for cyber-criminals. It has made retail the most targeted sector for three years in a row, with the majority of attacks last year focused on stealing card-not-present (CNP) data, according to one report.

That’s why ZeroRisk has put together a handy five-point guide to help you protect your online store. It’s based on the findings of detailed research we’re currently finalizing on the e-commerce risks facing Irish merchants.

Why security matters

PCI DSS compliance can be a burden. Merchants are unsure which tools they need to stay protected and can find the whole process an administrative nightmare, which offers little obvious value. For smaller businesses with fewer resources the challenge is multiplied. Acquirers are sometimes guilty of failing to provide the necessary support and guidance to streamline the process and communicate its importance.

However, it’s never been more important for merchants to manage cyber risk in their business. Investments in cloud-based technologies have helped to support remote working and online commerce, but they may also expose your business to new threats. Home workers, for example, could be using unsecured networks and devices, and/or be more distracted and prone to fall for phishing attempts. Internal IT support may be less easy to get hold of.  

In the meantime, cyber-criminals continue to probe for any gaps in protection. According to IBM, scanning for and exploiting vulnerabilities was the number one threat vector in 2020, surpassing the perennial favorite of phishing. It also warned that Europe was the most attacked geographical region, accounting for nearly a third of attacks. And targeting of cloud systems was commonplace.‍

Five tips to stay secure 

In light of these escalating threats, we recommend merchants:

1. Use a PCI DSS-compliant payment page (e.g. shopping cart, payment gateway), and if possible, always choose to have it fully hosted by the provider. This is because integrating it within your website via an API (Application Programming Interface) will introduce extra complexity that you may not be able to manage effectively. Using a fully hosted PCI DSS-compliant payment page will also substantially reduce your PCI DSS validation requirements. This will help to protect cardholder data from unauthorized access.
2. Don't have too many subdomains as this again introduces unnecessary extra complexity in your environment. Also, regularly review any offline sub-domains, because even if you don’t use them, they could be hijacked by criminals and used as phishing domains. Attacks leveraging these are designed to trick customers into handing over their financial details.
3. Don't share IP addresses between domains, especially on the subdomains that contain the payment page (e.g. shopping cart, payment gateway, etc.). Sharing of IP addresses is considered bad security practice and puts businesses at risk of cyber-attack, especially if the business is an e-commerce merchant.
4. Make sure your certificates are up-to-date, and use TLS (Transport Layer Security) version 1.1 or higher. Expired certificates make it easier for attackers to spoof your site in phishing campaigns and will lead to an error message which could deter customers from visiting your online store.
5. Make sure you review open ports. Exposing only port 443 is best practice, but port 80 would also be acceptable if any exposed services are consistently patched with the latest versions. For example, an outdated version of a Content Management System (e.g. WordPress) on port 80 would present a serious vulnerability as attackers are actively scanning for such security gaps.

In addition, ports commonly recognized as insecure would put the business at high risk of a cyber-attack if left open. This would be an immediate risk to data confidentiality and it is recommended to conduct at least a vulnerability scan or to contact your payment service provider or security staff. This type of vulnerability also violates the PCI DSS and will prevent you from achieving compliance.

Remember, security isn’t a case of set-and-forget. You’ll need to continually review your posture in line with the latest guidance. But by following the above, you’ll at least have a baseline of effective protection on which to build a thriving online business.