Making Your ECommerce Site Secure


ECommerce sites are an obvious target for cyberattacks. Such sites store valuable customer data, such as credit card information and personal details. This data is attractive to hackers, making eCommerce stores vulnerable to attack. The size of the site does not make it less prone to attack; what matters is the security in place.

For eCommerce merchants, being hacked can destroy the business. Any compromise of data will leave a business vulnerable to desertion. Customers will not remain loyal to a business that does not protect their data, and they expect that businesses will do everything they can to secure their website. The VMware Carbon Black 2020 Cybersecurity Outlook Report found that 77% of businesses surveyed had purchased new security products in 2019 and 69% had increased cybersecurity employees.

The pandemic forced more people online. Businesses moved their networking to clouds so employees could work from home, and they used insecure apps to host meetings. Many businesses, including some large brands, made themselves vulnerable to cyberattacks in 2020-2021 in a rush to move online. While some attacks, like Zoom meeting intrusions, were less serious, others, like malware attacks, were more serious.

ECommerce operations need to constantly update security protocols. Staying ahead protects customer data and keeps merchants in business. ECommerce security, in a broad sense, simply refers to the measures taken to protect an online business. There are a number of protocols that can be put in place to protect customer data and website integrity. The following is a list of some of the basics of eCommerce protection.

Payment Card Industry Data Security Standard – PCI DSS

PCI DSS or PCI is an industry standard that ensures credit card information collected online is transmitted and stored in a secure manner.

Transport Layer Security (TLS), Secure Sockets Layer (SSL), and HTTPS authentication

SSL is used to authenticate and encrypt links between networked computers. An SSL certificate added to an eCommerce site allows it to move from HTTP to HTTPS, which serves as a trust signal to customers that your site is secure.

International Organization for Standardization – ISO

ISO is an international standard-setting body that writes the production standards for products and services. Standard ISO/IEC 27001:2013 covers data security. If a business can prove on an assessment that they meet all the requirements of the standard, they are awarded the certification. It proves high-quality management systems, data security, risk-aversion strategies, and standardized business practices.

Personal Data

Personal data or personal information means any data that can be linked back to a specific individual. This includes names, birth dates, phone numbers and email addresses. Any data set that can identify an individual is considered personal data. This also includes data that has been scrubbed of registration numbers or other identifiers. The GDPR, a data privacy regulation in Europe, has become the leading data security standard.

Multi-factor authentication (MFA), 2-factor authentication (2FA), or 2-step verification (2SV)

MFA, 2FA, and 2SV are similar types of authentication protections that control site access. In addition to a username and password, all three of these methods require at least one further form of identity verification from a user logging into a site.

  • 2SV requires the user to enter a one-time code, delivered via an email, text message, or phone call.
  • 2FA requires the user to acknowledge their login attempt through another device, such as opening a specific app on a mobile device while logging in from a laptop.
  • MFA is similar to 2FA but requires more than two factors of authentication.

Malware and ransomware

Malware, or “malicious software,” is software that hackers install on your system. Ransomware is a type of malware that locks the owner out of their system or prevents access to data until a ransom is paid. A malware or ransomware attack can present itself in the following ways:

  • New buttons or toolbars appear in your browser, or new icons show on your desktop.
  • Links take you to the wrong page destination.
  • Your emails keep bouncing.
  • You experience a near-constant barrage of ad pop-ups.
  • Your system is slow or repeatedly crashes, or your browser freezes frequently and becomes unresponsive.

Distributed Denial of Service (DDoS)

A DDoS attack refers to the disruption of a server, service, or network by overwhelming it with traffic. It creates a ‘traffic jam’ so that legitimate users cannot access the site. The attack essentially blocks customers from using your eCommerce site.

Compliance and Security

ECommerce compliance and security provide eCommerce sites with two layers of protection. One is regulatory, with measures introduced by the government that set standards in the industry and deter bad actors, and the other is security for websites that protects businesses and their customers from potential harm.

Depending on the region where your business is registered, and where it operates, different regulations are applicable. Security is standard for all eCommerce sites, with tiers of protections ranging from those that are essential through to those that are recommended.

Payment Card Industry Data Security Standard (PCI-DSS)

PCI-DSS compliance is required for any business that manages credit card transactions. The regulations are in place to help protect cardholders’ data, no matter the revenue or credit card transaction volume of the eCommerce. These data security standards are defined by the PCI Security Standards Council (PCI SSC) and enforced by credit card companies.

General Data Protection Regulation (GDPR)

GDPR is a European Union-wide law that ensures the protection of people going online in the European Economic Area (EEA), securing their personal data and privacy. The law applies to all websites that can be accessed in the EEA.

California Consumer Privacy Act (CCPA)

After the GDPR was enacted in Europe, California, USA, wrote and enacted its own data protection law. The CCPA has been in force for businesses working with or employing California residents since January 1, 2020. The law is dedicated to protecting the data and privacy of private citizens. It is the most comprehensive data protection law in the US.

ECommerce Site Security Threats

There are a huge number and large variety of cyber threats. Many of those threats are aimed directly at eCommerce sites, while others are nuisance attacks created to disrupt services. The threats aimed at eCommerce sites are designed to steal data and exploit business vulnerabilities. Much like the difference between shoplifting from a store and stealing money from the till in an armed robbery, there are different levels of threats and harm caused to a business and the people exposed to an attack.


Phishing

Phishing refers to methods used by attackers to trick victims — typically via email, text, or phone — into providing private information like passwords, account numbers, personal ID numbers, and more.

These attacks are common, and many unsuspecting people share their personal data in phishing scams. Even answering a quiz on social media with personal details can be a scam. People need to be cautious online and remain diligent about sharing their personal information with only trusted and verified sources.

Malware and ransomware

When malware or ransomware infects a device, it can disable a system or lock a user out of important data or programs. Ransomware requires a business to make a payment to restore access and threatens to destroy data without a payment. The simple way to avoid falling victim to this type of attack is to make regular backups of site data. Employees should be trained not to click on suspicious links. Staff should not install unknown software. Simple training and awareness can help protect systems, networks and websites.

SQL injection

Insecure storage of data in a SQL database places your eCommerce at a higher risk of attack. If user input is not properly validated, a malicious query injected into a packaged payload can give the attacker access to view and even manipulate any information in the database.
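The following is an added example, not part of the original article: the same customer lookup written with string concatenation, with a parameterized query, and with input validation in front of it, using Python's built-in sqlite3 module. The table, columns, sample rows and the crafted input are constructed for illustration.

```python
import re
import sqlite3

# Constructed input whose quote characters change the query's structure.
CRAFTED_INPUT = "nobody@example.com' OR '1'='1"

# Assumed validation rule for this example: a simple email shape check.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def make_store_db():
    """Build an in-memory database holding two constructed customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "4242"), ("bob@example.com", "1881")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Vulnerable: the input is pasted into the SQL text, so the database
    # parses any quotes and keywords inside it as part of the query.
    query = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, email):
    # Hardened: the ? placeholder sends the value as data only; it is
    # compared as one literal string and never parsed as SQL.
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def lookup_validated(conn, email):
    # Defense in depth: reject malformed input before it reaches the query.
    if not EMAIL_RE.fullmatch(email):
        raise ValueError("invalid email address")
    return lookup_parameterized(conn, email)


if __name__ == "__main__":
    db = make_store_db()
    print("concatenated :", lookup_vulnerable(db, CRAFTED_INPUT))
    print("parameterized:", lookup_parameterized(db, CRAFTED_INPUT))
```

With the concatenated query the crafted input returns every customer row; with the placeholder it matches nothing, and the validated lookup rejects it outright.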

Cross-site scripting (XSS)

XSS involves inserting a piece of malicious code (often JavaScript) into a webpage. The code doesn’t affect the site, but it tracks site visitors, exposing them to malware and phishing attempts.


E-skimming

E-skimming is the stealing of credit card information and personal data from payment card processing pages on eCommerce sites. Attackers access the backend of your site using any hacking technique like phishing, brute force attack, XSS, or third-party compromise. Attackers can then capture the payment information your shoppers enter into the checkout page in real-time.

How to Improve Ecommerce Security

Data privacy has become a greater interest to internet users and governments. The GDPR has gained a reputation as the gold standard in data privacy protection, and it is expected more countries will introduce such protections as law. A greater understanding of the value of personal data is also encouraged by security experts, and putting a spotlight on social media platforms has helped to inform more people about the dangers of oversharing online.

Payment information continues to be the main target for hackers of eCommerce. Credit card information is gathered at the checkout of sites that do not have security checkpoints on the payment process, such as third-party payment processing and 2FA, or those sites that store data without encrypting it.

If your eCommerce is hacked and you lose customer data, it could destroy your brand reputation and even your business. Investing in the highest standards of online data security is essential to your success.

Use strong, unique passwords and store them

According to a 2020 report, 37% of credential theft breaches used stolen or weak credentials. Using strong and unique passwords makes it harder for hackers and could discourage them from bothering further with your site if it is more difficult to attack.

  • Strong passwords are at least eight characters and contain upper and lowercase letters, numbers, and symbols.
  • Passwords should be individualised — each user should have their own private username and password for login.
  • Use a password manager. This auto-generates and stores your encrypted passwords, so you don’t have to remember a random combination.
  • Never use the same password for other login credentials as you use for your eCommerce site.
  • Never publicly share sensitive information like your date of birth, personal ID number, or any other info you may use as answers to security questions, like your mother’s maiden name or your first pet.
  • Do not use any form of the default admin name provided. Attackers write scripts that hack the administration log-in panel. If the login name and password are variations of ‘Admin, 1234’, it is easy for your system to be hacked.

Protect your devices

All your connected devices need to be secured with anti-virus software, firewalls, or other security measures. Each device connected to your network, including phones, tablets and printers, is an entry point to your system and needs to be secured. This includes any device your team uses, even personal devices if they have access to your platform from that device.

Understand social engineering attempts

Malware infections are usually the result of phishing traps. Educate your team to understand the ways in which hackers attempt to enter your system by gathering data.

  • Never provide any personal information unless you have verified the identity of the recipient.
  • Never click links in suspicious emails, as they may take you to a webpage that is made to look like a familiar login page but actually steals your data.
  • No legitimate organisation ever asks you to share your password.
  • Do not download any attachments that you do not trust or whose source you do not know.

To identify phishing attempts, look for:

  • Obvious spelling and grammatical mistakes in the subject line or body of an email.
  • Look closely at the domain of the email sender. They are often made to look like a familiar domain but are off by just one letter, such as – it has an extra ‘m’.
  • Check URLs before you click. Again, the spelling could be off by one letter, and clicking on the link takes you to a data-harvesting page.
  • Suspicious emails might ask you to transfer money or authorize a charge immediately, and sometimes in small amounts, but they are actually gathering your credit card information.

Authentication factors

Two-step verification, 2-factor authentication, or multi-factor authentication ensures secure access to your systems, especially for access to sensitive data like bank accounts. It takes a few minutes extra to log in, and it can be a hassle if you need to use an additional device to complete verification, but it is worth the additional effort to protect your data.

Store only the customer data that you need

Data storage is a major issue for online businesses. Data privacy laws also mean that your business is responsible for managing customers’ data selections. Any data that is held by your business should be encrypted.

Customers’ critical data should also be separated from other information on your site by segmenting your network. Firewalls and regular audits help to maintain optimal levels of security, and updates of systems as prompted will also help protect data.

System Updates

Security is an ongoing process. Ethical hackers identify vulnerabilities, and software engineers write code to patch them. When you receive a notification that your system needs an update, it should be done to secure the site. However, if you built your eCommerce solution, your business is responsible for any fixes, updates, or vulnerability patches to your software. Maintaining updates also means less downtime for your store.

Switch to HTTPS

Secure HTTPS hosting, which requires an SSL certificate, helps secure your website. Google search also penalises websites without HTTPS in organic search rankings, so the security also boosts your SEO. HTTPS sends a positive trust signal to your customers who know to look for a lock symbol on the search bar before making a purchase.

Back up your data

If your site is hacked or you lose access to your data, a backup to restore your system as fast as possible can save your business from serious downtime.

Review plugins and third-party integrations

Review all the third-party solutions on your site on a routine basis. Remove any integrations you are no longer using. You should limit the number of integrations to as few as possible to secure customer data in as close proximity to your jurisdiction as possible.
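One way to make this review repeatable, and to watch the checkout page that e-skimming targets, is to audit which scripts the page loads. The following is an added example, not part of the original article: it parses a checkout page and reports scripts from hosts that are not on an allow-list, and third-party scripts without a Subresource Integrity (`integrity`) attribute. The host names, the allow-list and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: the store's own host plus one payment provider.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "pay.example-psp.test"}

# Constructed sample checkout page, not taken from any real site.
CHECKOUT_HTML = """
<html><head>
<script src="/static/cart.js"></script>
<script src="https://pay.example-psp.test/v3/sdk.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.old-chat-widget.test/loader.js"></script>
<script src="https://pay.example-psp.test/v3/extra.js"></script>
</head><body><form id="payment"></form></body></html>
"""


class ScriptAudit(HTMLParser):
    """Collects findings for every external <script> tag on a page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attributes = dict(attrs)
        src = attributes.get("src")
        if not src:
            return  # inline scripts are outside the scope of this check
        # Relative URLs have no hostname and load from the page's own host.
        host = urlparse(src).hostname or self.page_host
        if host not in ALLOWED_SCRIPT_HOSTS:
            self.findings.append((src, "host not on allow-list"))
        elif host != self.page_host and not attributes.get("integrity"):
            self.findings.append((src, "third-party script without integrity"))


def audit_checkout(html, page_host="shop.example"):
    """Return a list of (script URL, reason) pairs that need review."""
    audit = ScriptAudit(page_host)
    audit.feed(html)
    return audit.findings


if __name__ == "__main__":
    for src, reason in audit_checkout(CHECKOUT_HTML):
        print(f"{reason}: {src}")
```

Running the audit on a schedule and comparing the findings with the previous run turns an unused or newly added integration into something that gets noticed.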

Holiday and Sales Season Security

Holidays and sales attract more traffic to eCommerce sites. Online shoppers tend to be busy, frazzled and distracted. People can become careless with their personal data, and hackers know this. It is an easy time to target online shoppers who are less well-versed in security and target eCommerce sites that haven’t taken care of their security measures.

A systems audit and check of security features should be conducted before a large event that would drive more traffic than usual to your eCommerce. From admin levels to POS checks, your audit needs to be thorough.

According to a 2019 survey, 46% of customers are concerned about being the victim of fraud when shopping online during the holiday season. One of the most common scams is the chargeback scam. Attackers acquire credit card information with corresponding credentials and go on a spending spree. The retailer dispatches the order. The retailer then receives a chargeback in the future because the charge was flagged as fraud. The retailer is forced to refund the order and is unable to recover the goods. This type of fraud is also common in using loyalty programs and gift cards. There are fraud detection integrations that can detect fraudulent activity in real-time, saving your eCommerce from chargeback scams.

Preparing your sales and distribution teams to detect fraud is one of the last lines of defence. Your team should be capable of detecting fraudulent activity if it is flagged in your system and know what to do to prevent the activity.


ECommerce security is an evolving system. As a business owner, you must remain vigilant about security and updating systems, learn about new threats and work with cybersecurity experts to mitigate or prevent damage.

Practising good password hygiene, being mindful about clicking links and downloading attachments from email, regularly reviewing your third-party integrations and securing your networked devices are all intentional ways to protect your business.

Data protection is essential. Not only are shoppers trusting that your online business is secure and capable, but they also trust you with their data, which can be hacked at any time and used by nefarious actors. Knowing the standards in your industry and complying with the regulations of your jurisdiction is not only a legal requirement, it is a business obligation that protects your brand reputation.
