Ok, so you finally got your e-commerce site up and running, but what about securing your site?
There are three main aspects that you need to protect:

  1. Your actual environment needs to be protected against any hacker or malware bytes that can destroy your site, as in your site won’t render or function properly.
  2. Your site’s data, often time hackers try to breach into your site so they can steal sensitive customer data, such as email and physical addresses, passwords and shopping habits.
  3. Your customer’s credit card, hackers will try to capture the data that your customers enter on your checkout page and get themselves a copy of your customer’s credit card number along with all the other data submitted on your checkout page.

Today, I’d like to focus on the third point, your checkout page.

Unfortunately, we have seen this happen more than once and at an alarming frequency, where hackers will inject no more than 10 lines of code, that basically tell the site “Hey! before you send the credit card data to the online merchant account gateway for processing, please send me a copy of that data first”.

If you want to see a code sample of how little is needed to grab this data, here you go:
hack-code
Because these intrusions are so minor, they are also very complicated to detect. The affected sites can have the best SSL and the most prominent security badges, but none of these security measures will sniff out a few lines of legit code that were added to your system.
I call these lines legit code, because sometimes hackers will encode their scripts so that you and I can’t read what is really being executed, but these are the types of scripts that trigger the security scanners on your site. In the above shown code however, there is nothing malicious per say about the code – it’s clean code, it’s just executing a function that you don’t want it to i.e. send your customer’s credit card data to a third party.

Don’t despair yet, because there are ways of detecting such changes, if you use a version control system or some type of daily site scan for changed files.

In the end though, there is a constant war going on between hackers and security firms, and while we would like to believe that the security firms have the edge, sometimes these hacks are so simplistic that it could take quite a while before any of these compromises are detected.

Of course, you should make sure that your environment is as hack-proof as possible, using strong passwords, restricting access to sensitive areas to white-listed IP addresses only  and staying up to date with the latest security updates for your specific environment, but let’s face it; you have an e-commerce to run and did not sign up to become an intrusion detector.

The alternate route you can take is to redirect all checkouts on your site through third party payment processors like PayPal, Google Wallet and Amazon payments to name a few.
third party payments

Now, I know most of you will raise an eyebrow and say “really? send shoppers away from our site?” – please relax.
Most of these third party payments will allow you to embed and process the payment inline – on your site, as far as the customer is concerned he never left your site – yet all the actual processing is being done on their site.
And if they don’t, before you freak out, why don’t you run a real analytic AB test campaign to measure the actual rate of checkout abandonment  when using your own checkout versus redirectcing the customers to a third party for checkout? You might be pleasantly surprised with the results.

This is not to say that these 3rd party checkouts are safe, however:

  1. They have a budget for security that’s a lot larger than yours or mine.
  2. If anything were to happen and their security is compromised, your customers won’t blame you, after all if they chose to checkout with PayPal for example it’s because they already have a PayPal account and they already laid their trust with PayPal.
  3. Most importantly though, if your site is ever hacked and you indirectly and unknowingly leaked your customer’s credit card, you can say goodbye to a lot of customers, good morning to a customer service nightmare and howdy to the team of lawyers from all the customers that have been waiting for their opportunity to sue someone – anyone.

Of course they are a lot of customization and personalisation that you would like to have on your checkout page and unless you’re using an inline method you will have to forego most of these, but I think that the peace of mind and tranquility might be well worth it – your call!

If you do decide to have customers checkout on your site, give us a call or email us and we’ll do a visual code review to make sure everything is as safe as it could be on your site.