Security from the Ground Up
e-Commerce security involves not only the elements of your website that handle the payment process, but the entire website set up and the server that it is on. That is, it’s more than getting your shopping cart set up properly with appropriate security measures. Every business person who uses a web host depends on the security of the web hosts data center, both the physical security and protection from damage by fire, water, theft, etc., as well as the security of data through regular back-ups, server maintenance, redundant data maintenance, etc.
If you run an ecommerce site and are accepting payments, your security should begin with your choice of web hosting. Shared hosting is less expensive, but it is less secure than virtual private server and dedicated server hosting. By being separated from other sites by a partition, your site and your business operations, as well as your customer data, are safer.
A firewall and anti-virus software are beginning points for site security. So is your hiring policy. When employees have access to sensitive data, their background and integrity become more important.
Security Through Secure Log-in Techniques
Both your control panel and your FTP can be more or less secure, depending on your log-in technique. With your control panel, you may be able to log-in directly using your domain name followed by /securecontrolpanel/, a more secure method than logging in through your web host. If you do not have a private SSL certificate, this may trigger a security warning that can safely be ignored. For your FTP, substitute SFTP for greater security with your uploads and downloads. While FTP sends data in plain text, SFTP encrypts the dataand the log-in, protecting your password from detection.
Security Through Passwords
Start with your control panel. Change the username you use for log-in, as well as your password the first time you sign on, as you work your way through the website set-up wizard, or now, if you didn’t know to do it then. This will help to make your website more secure.
Next, set up password protect directories to limit access to only those who need access and/or to keep search engine bots at bay. You can set up FTP users with different access to control who can see what.
In these and other cases, use strong passwords. even when you’re not forced to by web host or software requirements. This means that your passwords should have a minimum of six digits; not contain real words, not contain a readily recognizable order (like 123456 or abcdef); be a mix of lowercase and uppercase letters, numbers, and the symbols that the system will accept; and be memorable. It is advised by experts that you have distinct passwords for you web host log in, your control panel, your email, and your FTP access.
Security Through Permissions
Each file and folder—whether on your home computer or on your website—has permissions, the indications of who is allowed to do what to the data. Permissions are set for three distinct groups: you; others accessing the computer; and everyone else. There are three choices for the privileges that each group can be given: No Access; Read Only; or Read & Write. The default settings are not necessarily the most secure, so use these controls to help maintain security as you wish.
PCI Compliance
The data security standards (DSS) of the Payment Card Industry (PCI) are requirements for ecommerce merchants who maintain customer account data. This includes, but is not limited to, credit card data. In order to be in compliance with the PCI DSS, ecommerce owners must both build and maintain a network that is secure; protect their customer’s cardholder data; have an ongoing program in place to manage vulnerabilities in their operation, use strong measures to control access to sensitive data; conduct regular monitoring and testing of their networks; and have an information security policy.
PCI compliance is assessed either through an on-site check by qualified assessors or using a self-assessment tool, and it is important to determine which group your company falls into in order to conduct your compliance checks properly. More information can be found at the https://ww.pcisecuritystandards.org website.
Use an SSL Checker from the Company that Supplied Your SSL Certificate
It is possible for SSL Certificates to install improperly or have other issues that will lead to errors. Checking your SSL Certificate through the SSL checkerprovided by your Certification Authority (CA) is the most straightforward way to avoid being caught by installation errors, typos in the certificate registration, or other problems.
