Back-end store security: it's the most important, yet most often overlooked, part of running an online business. Without securing customer data, you have no claim to running a legitimate business.
I often hear excuses of ignorance, which makes me wonder how many online store owners take the time to read the latest ecommerce news, or even the merchant account information that comes in the mail. But it doesn't matter. You'll learn now, and you'll commit, right now, to taking the steps to make it right.
I have my own gripes and rants about the lack of attention to security, and they are vast. So I've picked a few key points, and will preface them with this fact: nearly 80 percent of the online stores, upon my first entry, are compromising customer information and sensitive sales information. Most heed the warnings, but I have had to outright refuse to work on stores that ignored recommendations and continued to violate either legal or moral obligations when it comes to security. Forget about what a customer might "feel like" if his or her card number were made public due to a hack; think about the legal ramifications. I assure you, there are so many you likely could not afford them.
You should never have to store credit card numbers. I don't care about Amazon and the other big players who let customers store this information; they have far more invested, and lawyers on retainer to handle these things. Every online store should be using a payment processing gateway. Some of you, to save money, like to take the numbers customers type in online and key them into the same terminal you use to swipe cards in the brick-and-mortar store. The difference is that a swiped card never leaves the customer's sight, and its number never passes through your hands. A card number typed into a web form is a totally different story: it sits in your order system, your email or on a printout until someone keys it in, and every one of those places is somewhere it can be stolen.
Last month, for the third time, I had to update an American Express number for a client on monthly billing. Three times in four months his card number (one time only a week old) was being circulated after he used it to order goods online. Since I doubt he's ordering from "questionable" businesses, I can comfortably attribute his horrible experience to lax security.
Since payment gateways tie each transaction to a transaction ID, a merchant never needs to see or keep the card number at all: capturing, voiding or crediting a sale is done by referencing that ID, and the gateway, not your store, is the one holding the card data.
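To make the point concrete, here is an added example (my code, not the author's, and not any real processor's API) of what a store's own records look like when the gateway holds the card, together with a scan that catches raw card numbers leaking into order records, logs or database dumps. The FakeGateway class, its transaction IDs and every sample value are constructed for this example; the only real-world pieces are the Luhn check that card numbers satisfy and the standard 4111 1111 1111 1111 and 5555 5555 5555 4444 test numbers.

```python
"""Added example (not from the article): merchant-side records without the PAN,
gateway operations keyed by transaction ID, and a Luhn-based leak scan.
FakeGateway, its IDs and all sample data are constructed for this example."""
import re
from dataclasses import dataclass


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (digits only)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class FakeGateway:
    """Stand-in for a payment gateway. The card number is sent once, at
    authorization; capture, void and credit are keyed by the returned ID."""

    def __init__(self):
        self._txns = {}
        self._count = 0

    def authorize(self, pan: str, expiry: str, amount_cents: int) -> dict:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("card number failed validation")
        self._count += 1
        txn_id = f"txn_{self._count:06d}"
        self._txns[txn_id] = {"amount": amount_cents, "state": "authorized"}
        # The merchant only gets back a reference and the last four digits.
        return {"transaction_id": txn_id, "last4": pan[-4:], "amount": amount_cents}

    def capture(self, txn_id: str) -> str:
        txn = self._txns[txn_id]
        if txn["state"] != "authorized":
            raise ValueError(f"cannot capture a {txn['state']} transaction")
        txn["state"] = "captured"
        return txn["state"]

    def void(self, txn_id: str) -> str:
        txn = self._txns[txn_id]
        if txn["state"] != "authorized":
            raise ValueError(f"cannot void a {txn['state']} transaction")
        txn["state"] = "voided"
        return txn["state"]

    def credit(self, txn_id: str, amount_cents: int) -> int:
        """Refund part or all of a captured sale; returns the amount still settled."""
        txn = self._txns[txn_id]
        if txn["state"] != "captured" or amount_cents > txn["amount"]:
            raise ValueError("credit exceeds captured amount or wrong state")
        txn["amount"] -= amount_cents
        return txn["amount"]


@dataclass(frozen=True)
class OrderPayment:
    """All the store keeps about a payment: no PAN, no expiry, no CVV."""
    order_id: str
    transaction_id: str
    last4: str
    amount_cents: int

    def as_log_line(self) -> str:
        return (f"order={self.order_id} txn={self.transaction_id} "
                f"card=****{self.last4} amount={self.amount_cents}")


def record_payment(order_id: str, auth: dict) -> OrderPayment:
    """Build the merchant-side record from the gateway's authorization reply."""
    return OrderPayment(order_id, auth["transaction_id"], auth["last4"], auth["amount"])


# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid, card-number-like digit strings found in text.
    Run this over logs and database exports; any hit means a PAN is being stored."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


if __name__ == "__main__":
    gw = FakeGateway()
    auth = gw.authorize("4111 1111 1111 1111", "12/29", 4999)  # standard test PAN
    rec = record_payment("A1001", auth)
    print(rec.as_log_line(), "->", find_pans(rec.as_log_line()))
    print(gw.capture(auth["transaction_id"]), gw.credit(auth["transaction_id"], 1000))
    # A log line written by a careless handler: the scan flags it.
    print(find_pans("2024-05-01 checkout card=4111-1111-1111-1111 exp=12/29"))
```

The record the store keeps never contains anything the scan can flag, while a single debug line that echoes the submitted form does get caught. Pointing find_pans at a nightly database export and your web and application logs is a cheap way to prove to yourself that no card number is being stored on your side.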
Customer data should be handled with the same care. Unfortunately, so many smaller businesses grant employees and contractors full access to back-end systems that even when an issue does occur, they're left with nothing but wonder as to who did what. That's why separate, unique logins and passwords, along with access restricted to what each person actually needs, are so necessary. There's good money in lists, however acquired, of customer names, email addresses and mailing addresses, especially when they come with product purchase histories.
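As an added example of that last point (my code, not the author's), here is a minimal back-office model with one login per person, a permission check based on the role each person actually needs, and an audit log that answers "who did what" for a customer-list export. The user names, roles, passwords and actions are all constructed for the example; the password hashing uses the standard library's PBKDF2 so the block runs anywhere.

```python
"""Added example (not from the article): per-person logins, role-based
permissions and an audit trail. Users, roles and actions are constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Least privilege: each role gets only the back-end actions its job needs.
# A single shared "admin" login that can do all of this is what this replaces.
ROLE_PERMISSIONS: Dict[str, set] = {
    "owner":       {"view_orders", "view_customers", "export_customers", "manage_users"},
    "support":     {"view_orders", "view_customers"},
    "fulfillment": {"view_orders"},
}


def hash_password(password: str, salt: bytes = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a per-user random salt (stdlib only; a
    dedicated scheme such as argon2 or bcrypt is preferable in production)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class BackOffice:
    def __init__(self):
        self._users: Dict[str, Tuple[bytes, bytes, str]] = {}
        self.audit_log: List[Tuple[str, str, str]] = []   # (who, action, outcome)

    def add_user(self, username: str, password: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        if username in self._users:
            raise ValueError("one login per person; never share accounts")
        salt, digest = hash_password(password)
        self._users[username] = (salt, digest, role)

    def login(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            self.audit_log.append((username, "login", "denied"))
            return False
        salt, digest, _ = rec
        _, candidate = hash_password(password, salt)
        ok = hmac.compare_digest(candidate, digest)   # constant-time compare
        self.audit_log.append((username, "login", "ok" if ok else "denied"))
        return ok

    def perform(self, username: str, action: str) -> bool:
        """Allow the action only if the user's role grants it; log either way."""
        role = self._users[username][2]
        allowed = action in ROLE_PERMISSIONS[role]
        self.audit_log.append((username, action, "ok" if allowed else "denied"))
        return allowed

    def who_did(self, action: str) -> List[str]:
        """Answer 'who did what' from the audit log: the reason for unique logins."""
        return [who for who, act, outcome in self.audit_log
                if act == action and outcome == "ok"]


if __name__ == "__main__":
    shop = BackOffice()
    shop.add_user("pam", "correct horse battery staple", "owner")
    shop.add_user("dave", "dave-pw-1", "fulfillment")
    print(shop.login("dave", "dave-pw-1"), shop.perform("dave", "export_customers"))
    print(shop.login("pam", "correct horse battery staple"), shop.perform("pam", "export_customers"))
    print("exported the customer list:", shop.who_did("export_customers"))
```

With a shared login, who_did would only ever return the shared name and tell you nothing; with one account per person and the denied attempts logged as well, the export of a customer list is traceable to a single individual, and a fulfillment clerk cannot pull the list at all.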
Firewalls, SSL/TLS encryption, frequent system scans for spyware and viruses, and so on: use them, keep them updated and instill good practice. One insecure link makes the entire process insecure, leaving you and your company vulnerable. If the legal fees aren't enough to shut you down, the news stories that follow most certainly will.
Aside from ignorance, the most common reason given for neglecting security is money. Payment gateways cost money, and so do software and SSL certificates. Consider all of these an investment, however: an investment in the money you'll be able to bank because you won't be slapped with hefty fines. I can think of much better ways to make the seven o'clock news.
by Pamela Hazelton