SUBMISSION-2

Internet and Web Optimisation

(Semester – I)

Develop a Security plan for your own E-commerce website

NAME – Manisha Gupta

REGISTRATION NUMBER – 202104939

PGCM (DM)-2021

1|Page
 SYMBIOSIS CENTRE FOR DISTANCE LEARNING (SCDL)

Introduction:-
Ecommerce sites will always be a hot target for cyberattacks. For would-be thieves, they are
treasure troves of personal and financial data. And for businesses of all sizes, the cost of a
breach both in loss of data and in customer trust can be hugely damaging for businesses of all
sizes. 

Ecommerce business owners are all too aware of these issues and are increasing their security
measures. The VMWare Carbon Black 2020 Cybersecurity Outlook Report found that 77% of
businesses surveyed had purchased new security products in the last year and 69% had
increased security staff. 

In this constant game of cat and mouse, as online retailers add increasingly innovative
technologies to their sites to stay competitive, cyber attackers are equally honing their skills and
finding new vulnerabilities to exploit. The best way to stay ahead is to be aware of ecommerce
security best practices and the types of attacks to be on the look out for.

Ecommerce Security

2|Page
The frequency and sophistication of cyber attacks has skyrocketed in recent years. Ecommerce
security refers to the measures taken to protect your business and your customers against cyber
threats. Let’s look at some terminology and common acronyms you should know:

1. Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS (often referred to as just “PCI”) is an industry standard that ensures credit card
information collected online is being transmitted and stored in a secure manner.

2. International Organization for Standardization (ISO).

ISO is an international standard-setting body that creates requirements that guide businesses in
making sure their products and processes are fit for purpose. One of their standards, ISO/IEC
27001:2013, covers data security. Achieving this certification means a business has high-quality
management systems, data security, risk-aversion strategies, and standardized business
practices.

3. Personal Data.

Personal data or personal information refers to any data that can be linked back to a specific
individual — most simply, this includes names, email addresses, and phone numbers. But it can
get a little bit more complex as well. Any data set — even scrubbed of specific names or
numbers — that can identify a particular person is considered personal data. Protecting personal
data is particularly important when it comes to data privacy regulations like GDPR (more on
that later). 

4. Transport Layer Security (TLS), Secure Sockets Layer (SSL), and HTTPS
authentication.

Utilizing SSL helps to authenticate and encrypt links between networked computers. Once you
have an SSL certificate for your ecommerce site, you can move from HTTP to HTTPS, which
serves as a trust signal to customers that your site is secure.

3|Page
5. Multi-factor authentication (MFA), 2-factor authentication (2FA), or 2-
step verification (2SV).

MFA, 2FA, and 2SV are sometimes used interchangeably — and they are similar — but there
are differences among them. In addition to entering a username and password, all three of these
methods require at least one further method of identity verification of a user logging in to a site
— like your ecommerce store.

Here’s a high-level explanation of the differences:

 2SV may require the user to enter a one-time code, delivered via an email, text message,
or phone call.
 2FA goes a step further and may require the user to acknowledge their login attempt
through another device, like opening a specific app on a mobile device while logging in
from a laptop.
 MFA is similar to 2FA but can refer to the implementation of more than two factors of
authentication.

6. Distributed Denial of Service (DDoS).

A DDoS attack refers to a disruption of server, service, or network traffic by overwhelming it

with a flood of traffic. This resource on Cloudflare, which offers more detailed information
on DDoS attacks, compares it to a traffic jam. Imagine trying to pull out into a major roadway
(those are your customers and legitimate traffic) during rush hour — all those cars are the
compromised traffic, blocking customers out of your store.

7. Malware and ransomware.

Malware, or “malicious software,” is software that attackers install on your system.

Ransomware is a type of malware that locks the victim out of their system, or prevents access to
data, until a ransom is paid to the attacker. Here are a few symptoms you may experience if
your system becomes infected:

4|Page
  Links take you to the wrong page destination.
 New toolbars or buttons appear in your browser, or new icons show up on your desktop.
 You experience a near-constant barrage of ad pop-ups.
 Your system is slow or repeatedly crashes, or your browser freezes frequently and
becomes unresponsive.
 Your emails keep bouncing.

Compliance, and How is it Different From Security

The concepts of compliance and cybersecurity are often used interchangeably — and in some
ways, they are related. But there are some important differences.

Compliance refers to the ability to meet a specific set of standards set out by governments or
private institutions, and there can be legal repercussions for not complying. But meeting
those compliance standards does not necessarily mean your ecommerce site is fully secure.

5|Page
(Note that there are many compliance standards that your business may be required to meet. We
are only discussing several of the major, cybersecurity-related regulations.)

1. Payment Card Industry Data Security Standard (PCI-DSS).

Any business that manages credit card transactions must comply with the PCI-DSS
requirements around the protection of cardholder data, no matter their revenue or credit card
transaction volumes. These data security standards are defined by the PCI Security Standards
Council (PCI SSC) and enforced by credit card companies.

2. General Data Protection Regulation (GDPR).

GDPR is a relatively recent law enacted in the European Union to ensure the protection of
European Economic Area (EEA) citizens’ personal data and privacy. And it doesn’t just apply
to businesses in the EU. If you sell products internationally to any of these citizens, you will
need to comply with GDPR as you handle any of their data.

3. California Consumer Privacy Act (CCPA).

After GDPR was implemented in the EU, the state of California began to move toward
implementing its own data protection law. The deadline for businesses working with or
employing California residents to comply with CCPA is January 1, 2020. The spirit of CCPA is
similar to GDPR in that it is dedicated to protecting the data and privacy of private citizens, but
there are a few important differences. While this is the most recent and farthest-reaching data
protection standard in the U.S., at least 15 other states have some type of personal privacy or
data protection standards.

6|Page
The Biggest Security Threats to Your Ecommerce Site

The types and methods of cyber attack are broad and varied, and it would be almost impossible
to delve into them all in one blog post. But there are some that rise to the top as the most
important to know about for strong ecommerce security.

1. Phishing.

Phishing is a type of social engineering, and refers to methods used by attackers to trick victims
— typically via email, text, or phone — into providing private information like passwords,
account numbers, social security numbers, and more.

BigCommerce Note: BigCommerce will never send you an email with a link to update your
store or your login credentials. If you receive an email, phone call, or text from
7|Page
“BigCommerce” in which personal information is requested, contact customer support directly
for validation.

2. Malware and ransomware.

When your device or network becomes infected with malware or ransomware — a type of
malware — you may be locked out of all your important data and systems. Downtime is
expensive, but regular backups of your site data can help keep this from being a devastating
blow to your business. And by not clicking on suspicious links or installing unknown software
on a computer, you can be better protected against attacks.

3. SQL injection.

You may be at risk if your ecommerce site insecurely stores data in a SQL database. If not
properly validated, a malicious query injected into a packaged payload can give the attacker
access to view and even manipulate any information in a database.

4. Cross-site scripting (XSS).

XSS involves inserting a piece of malicious code (typically JavaScript) into a webpage. Unlike
some other kinds of attacks, this one doesn’t impact the site itself, but it would impact the users
of that page — i.e., your shoppers — exposing them to malware, phishing attempts, and more.

5. E-skimming.

E-skimming refers to a method of stealing credit card information and personal data from
payment card processing pages on ecommerce sites. Attackers gain access to your site either via
a successful phishing attempt, brute force attack, XSS, or third-party compromise, then capture
in real time the payment information your shoppers enter into the checkout page.

8|Page
 Best Practices for Ecommerce Security

The compliance standards mentioned above aren’t going away. In fact, trends in privacy
concerns indicate that we should expect more regulations in the future as people of all ages are
increasingly concerned with where their data is going.

Source: Statista

9|Page
This Data Breach Investigations Report dives deeper into trends in retail cyber attacks. Payment
information is shown to be the prominent target, and ecommerce attacks continue to rise as
point-of-sale breaches and card skimmers are, overall, declining.

If a security breach of your ecommerce site leads to a loss of customer data, the associated fines
— and hit to your brand reputation — could be devastating.

1. Implement strong, unique passwords — and help make sure your

customers do, too.

According to the 2020 Verizon Data Breach Investigations Report, 37% of credential theft
breaches used stolen or weak credentials. It’s worth the extra effort to make sure you, your
employees, and your customers implement good practices for strong passwords:

 Strong passwords are at least eight characters and contain upper and lowercase letters,
numbers, and symbols.
 Passwords should never be shared — each user should have his or her own unique,
private username and password for login.
 Never use the same password for other login credentials as you use for your ecommerce
site.
 Consider using a password manager.
 Never publicly share sensitive information like your date of birth, social security
number, or any other info you may use as answers to security questions.

“Do not use any form of the default admin name provided. Attackers write scripts that run day
and night trying over and over to log in to the admin panel, if you’ve used anything similar to
“admin”, they are more likely to crack it.” -Jason Simmons, CEO, Dead Soxy

10 | P a g e
2. Protect your devices.

Whether you’ve got one computer in a home office or a headquarters with a full networked
computer system, make sure your connected devices are cyber secure with anti-virus software,
firewalls, or another appropriate method of protecting against threats.

3. Steel against social engineering attempts.

One of the best ways to avoid malware infections is to avoid falling into the phishing traps.
Never provide any level of personal information unless you have verified the identity of the
recipient. Additionally, no legitimate organization will ever ask you to share your password.

Never click links in suspicious emails, as they may take you to a webpage that is made to look
like a familiar login page but serves instead to steal your information. And do not download any
attachments that you were not already expecting.

There are a few ways to distinguish phishing attempts from legitimate emails; here’s what to
look for:

 Obvious spelling and grammatical mistakes in the subject line or body of an email could
indicate a suspicious sender.
 Look closely at the domain of the email sender. They are often made to look like a
familiar domain but are off by just one letter (e.g., BigCommerce.com could become
BgCommerce.com).
 The same goes for any URLs you might click. At first glance, they may appear
legitimate, but the spelling could be off by one letter in the hopes you don’t notice and
click anyway to a dangerous domain.
 Suspicious emails may ask you to do something like transfer money or authorize a
charge, and offer an excuse for why it must be done immediately.

11 | P a g e
4. Implement additional authentication factors.

It may feel like a burden at times, but using 2-step verification, 2-factor authentication, or
multi-factor authentication gives you further assurance that you and your authorized users are
the only people logging into your store. Considering the potential consequences of a breach, it’s
worth it.

5. Only store the customer data that you need.

When it comes to storing data, the bottom line is to never hold on to more than you need to
optimally conduct your business. But in deciding what exactly that means for you, there are a
lot of factors to consider.

Particularly with the growing number of data privacy regulations, it’s important to carefully
establish your own business’ philosophy to balance customer experience, business convenience,
and security.

“Always keep your customers’ critical data separate from other information by segmenting your
network. Deploy firewalls and conduct audits to ensure that all of your security measures are
functioning the way they are supposed to.” -Shane Barker, ShaneBarker.com

6. Make sure your site is always up to date.

Security is a continuous cat-and-mouse game. Attackers identify vulnerabilities; software

engineers patch them. If you are using a SaaS ecommerce platform like BigCommerce, updates
to your software are taken care of automatically. But with on-premises ecommerce solutions,
your business is responsible for implementing any updates, bug fixes, or vulnerability patches
to the software that powers your store.

“With our previous ecommerce platform, there were ongoing security updates that we had to
manually install which would always “break” something else. We had to create a secondary
sandbox site to test security updates prior to uploading to our live site. As you can imagine, this
was not ideal.” -Billy Thompson, President, Thompson Tee
12 | P a g e
7. Switch to HTTPS.

Secure HTTPS hosting, which requires an SSL certificate, will help secure your website. It’s
also a boon for your marketing department because Google penalizes websites with HTTP in
organic search rankings. HTTPS sends a positive trust signal to your shoppers — particularly
the digitally savvy.

8. Back up your data.

If you are breached and lose access to your data, you are going to want a backup to help you get
your business back up and running as quickly as possible.

9. Regularly review all plugins and third-party integrations.

Take an inventory of all the third-party solutions you’re running within your store. Make sure
that you know what they are and assess your continued level of trust in that third party. If
you’re no longer using them, remove that integration from your store. The idea is to allow the
fewest number of parties to have access to your customers’ data, while still driving your
business forward.

Double Down on Security During the Holiday Season

13 | P a g e
The holiday season is, unfortunately, a time you can expect higher volumes of attempted fraud
and cyber crime. Everyone is really busy, and there are huge spikes in traffic on ecommerce
sites, making anomalous behavior more difficult to protect. Attackers know this — and see it as
an opportunity.

Here are some things you can do to ensure website security through the holidays:

1. Do a pre-holiday security check.

“The holiday season is the time when a good majority of ecommerce cyber-attacks take place,
taking advantage of the holiday rush. Retailers should prepare for this in advance and conduct a
thorough security check before the holiday season starts. This should include checking for
malware in point-of-sale systems and improving the security of web servers.” -Shane
Barker, ShaneBarker.com

Your holiday security audit should also include an examination of who has access to what:

14 | P a g e
“Make sure to review admin-level accounts and privileges for your store, marketing software,
and other tools. Disable or delete unused accounts. Update permissions to reflect the actual
workflows for particular users.” -Jordan Brannon, President, Coalition Technologies

2. Increase your fraud protection.

A steep spike in shoppers is often accompanied by an increase in fraudulent activity. According

to the TransUnion Holiday Retail Fraud Survey from 2019, 46% of customers are concerned
about being the victim of fraud when shopping this holiday season. 

“Another form of cyber risk and one of the biggest risks to ecommerce brands today is the
chargeback scam. Attackers acquire credit card information along with credentials and go on a
spending spree. The retailer gets an order and ships it not thinking twice about it. Only to
receive a chargeback at some point in the future because the charge was marked as fraud. The
retailer can’t argue and is forced to refund the order and the goods are long gone. This is even
compounded more with loyalty programs and gift cards.

This type of cyber fraud is very hard to prevent. After losing 1000s in merchandise we started
using the Eye4fraud.com app for BigCommerce. The app tells us in real time if each order
should be shipped or not and offers a guarantee for any chargeback.” -Jason Simmons,
CEO, Dead Soxy

3. Prepare your customer service team.

Make sure you and your team are prepared for common threats — including having a clear
process for verifying the identity of customers who request any changes to their orders or
accounts.

4. Have a security update plan.

It’s good advice to get your store pretty much locked down for the holidays and not make too
many changes to it, just to avoid the extra risk that that can entail. But that general guideline
does not apply when it comes to security, and patching your site for any vulnerabilities. This is
15 | P a g e
mostly applicable if you have an on-premise ecommerce solution (BigCommerce merchants can
breathe easy!). You need to have a tried and true plan for site updates if they become necessary
to ensure the security of your business and your shoppers.

How BigCommerce Helps Secure Your Business

Each and every part of the BigCommerce platform is built with security in mind. Our multi-
tenant SaaS ecommerce platform helps to lower your total cost of ownership; your organization
is not responsible for maintaining servers, installing updates or patching the servers when
security vulnerabilities are discovered.

1. The benefits of SaaS.

Best-in-class SaaS applications like BigCommerce provide robust layers of security as well as
the rigorous fraud prevention, information security standards, and compliance frameworks. And
updates and security patching are handled by the SaaS provider, taking some of the burden off
of its users.

With a move to Google Cloud Platform, BigCommerce’s security benefits have only increased,
providing merchants with additional security measures including best-in-class protection
against DDoS attacks.

In addition, BigCommerce maintains PCI compliance on behalf of merchants and is ISO 27001-
certified by the international standard outlining best practices for information security
management systems.

“PCI requirements, complexity, and cost are increasing constantly. Mitigating this virtually
requires a shift to SaaS.” -Jason Greenwood, Director, Solutions & Delivery, Moustache
Republic

16 | P a g e
2. Security and privacy by design.

BigCommerce takes both security and privacy very seriously, baking both into the way we
build our products and interface with customers. We go a step further and put boundaries
around how we interact with a merchant’s data.

Our merchants’ data and customers belong to them and only them. To keep your customers’
payment information as secure as possible, sensitive payment data is encrypted in transit and
does not come to rest on BigCommerce’s infrastructure.

Conclusion

Developing good ecommerce security is vitally important to the success of your business. You
can’t afford to lose your customers’ trust by exposing their personal data. By using a SaaS
platform, you get the benefits of spending more time growing your business — and less time
worrying about security monitoring and maintenance.

But that doesn’t mean there’s nothing for you to do. Practicing good password hygiene, staying
mindful about clicking links and downloading attachments from your email, and regularly
reviewing your third-party integrations are particularly important, even for merchants on our
secure SaaS platform.

By following the tips in this post and staying aware of what’s happening in the cybersecurity
landscape, you can provide your customers with a shopping experience they can trust.

Read more about security in SaaS with this technical deep dive.

17 | P a g e