ASAP Lab blog and case studies

Smart Ways to Secure eCommerce Site: 5 Tips for Entrepreneurs

Users always want more features, faster changes and confidence in the security of their data. This requires your online services to be reliable, but developers do not have enough time to thoughtfully check every line of code. If you do not build security into the process, then problems will come quickly. In the eCommerce industry, most online entrepreneurs start their business based on free or paid CMS. Supplemented with numerous modifications, integrations and 3rd-party plugins, your software might become sensitive to cyber threats. A single exploited vulnerability or a phishing-enabled breach could give cybercriminals everything in one swoop. Today let's talk about five security rules for CMS and eCommerce platforms.

Gather Reasonable Amount of Customer Information


Usually, to place an order in an online store, you need to create an account: enter your last and first name, date of birth, mobile phone number, email address, etc. Such a set of personal information unambiguously classifies the record as personal data, which means that the online store becomes their operator. Be careful what sensitive data you collect and where (and how) you store that data. If you cause the leakage (knock on wood) of customer credit card numbers or medical information, get prepared for the market impact, civil lawsuit penalties, and adverse publicity. Plus significant GDPR fines, depending on the type of stolen information.

Make sure your payment process complies with PCI DSS Standard. The Payment Card Industry Data Security Standard is an international standard that provides a baseline for the technical and operational requirements for protecting payment data. We highly recommend using a service that specializes in payment transactions. These services will be certified according to PCI DSS requirements and you can focus on your core competencies.

Read more: PCI DSS v4.0 announced. Insights for eCommerce business


Regularly Monitor Lists of Zero-Day Threats and Other Vulnerabilities


Is anyone in your company responsible for checking lists of zero-day threats and other vulnerabilities? If yes, hats off. No? We recommend that you start doing it immediately. You can start with the one published by organizations like the Cybersecurity & Infrastructure Security Agency. Zero-Day is a term denoting unpatched vulnerabilities, as well as malware against which protection mechanisms have not yet been developed: the vulnerability or attack becomes publicly known until the software manufacturer releases fixes for the error (Wikipedia). Be informed and stay on a safe side.

Read more: Cybersecurity: Top 5 Common Myths and Misconceptions


Use Penetration Testing Tools and Services


No matter whether your software is out-of-the-box, developed by in-house programmers or by an outsourced agency, the only way to learn the level of your website security is testing. Test, test and test again. For projects with numerous modifications, integrations and 3rd party add-ons, we recommend making regular enhanced security audits. A mistake or oversight in any of the updates can potentially lead to a disclosure of sensitive and critical project data, or even compromise it.

Penetration testing is part of a comprehensive information security audit. During the pen testing IT experts analyze most of the organizational and technical measures to ensure information security. Things to be checked: security settings, vulnerabilities in hardware and software, employees' reactions to traditional tricks, including targeted phishing, etc. Together, these checks allow you to identify weaknesses in the your current information security system.

Read more: How Penetration Testing Revealed an SQL injection on default VIVAshop add-on


Check Your Suppliers for Secure Coding Practices


If you are using cloud services make a thorough examination of any supplier. Check if they comply with industry best practices, have international certificates and meet security standards (such as ISO 27001 security protocol). Check company security policy and their statements about encryption and auditing.

International certification guarantees that your supplier implements regular code reviews, strict access control, anomaly detection and rigorous security testing. Be careful when choosing a Content Management System serving as the brains of your website and a Managed Hosting Provider (MSP) as the driving force of your eCommerce project.

Read more: 6 Tips to Choose an MSP for eCommerce


Log Everything and Analyze Logs for Anomalies and Attack Patterns


The first thing you must do when launching a website is setting up a logging policy. Logs are indispensable when unknown errors occur in the operation of a server or software. In simple words, logs are the text files with information about the actions of software or users, kind of chronology of events and their sources, errors and reasons why they happened.

Every transaction, update and backup, every login to the CMS or eCommerce platform and entering a bad password must be logged. Use machine-learning tools to monitor events and logs and make sure someone is responsible for receiving, reading, and following up on log reports.

Read more: How to Monitor IT Infrastructure for Maximum Uptime



Follow these five security rules, and enjoy a more secure and trustworthy eCommerce project. Are these steps reasonable? Yes. Are they easy? Evidently no! When it comes to eCommerce site security, you've got a lot to think about. Unless you're a huge business with a dedicated team to keep a watchful eye. We in ASAP Lab will take care of your website to mitigate security risks. Start with a Security Audit to check the current status of your security.

Discuss security issues!