October 18th, 2005 by Jamie Estep
How secure is a website?
Filed in: Ecommerce |
Having a secure website is one of the most important aspects of owning an ecommerce website. A secure website allows your customers to enter and transmit their information over the internet securely. The misconception that most people have, is that a secure (SSL) connection is all that is needed to secure a website.
The problem with securing a website, is that there are several aspects that need to be secure for the website to truly be secure. Unfortunately the aspect that is easiest to secure is by far the least vulnerable to loosing sensitive information.
A SSL (Secure Socket Layer) is a system that provides encryption between a users computer and a website. When people refer to website security, this is normally the idea that comes to mind. You can easily tell that a website is using SSL, because of the padlock that appears in the lower right corner of a web browser when SSL is being used. But, when you see a padlock, how do you really know that your information is secure? This padlock ensures that the information you submit to this website is safe, but what happens to your information after it reaches the website?
Security is only skin deep:
The only knowledge that you have of a website’s security is that little padlock. After you submit your information, there are a number of things that the website could do with your information that step outside the security barrier. Your information could be emailed, stored in a database, sent to another system for processing, and plenty of other unsecured acts. There is no way to know if the same security that was applied to you, is being used to further transmit the data. To complicate the problem more, many website owners don’t realize exactly what SSL is and what it doesn’t do.
Merchant guidelines:
- Don’t store sensitive information online!
- Ensure all data transfer is secure!
- For stored information offline, ensure it is secure!
Storing Information Online:
Storing customer information is a common but dangerous practice that many businesses use carelessly. The most common data storage method is using an online database application such as mysql. Many businesses don’t even encrypt data that is stored in their database. Online database applications have a major drawback in that they are accessible from anywhere in the world. The other problem with online applications is that they are only as secure as the platform they are hosted on, and the programs that use them. Storing customer information online should be kept at a minimum, and storing credit card information, social security numbers, or other secure information should not be done. Unless you have extensive technical expertise in securing online databases, and providing secure data encryption, don’t store sensitive information online.
Transferring Secure Data:
Depending on what company you use for your payment gateway, you may or may not have to transfer secure information. If you host the entire shopping process, including the payment and checkout forms on your site, then you will have to transfer secure information. If your checkout page is hosted on another website, then you are not directly responsible for ensuring a secure connection. For those who do need to transfer secure information and receive a secure order response, you must ensure that the entire process remains secure. Refer to the documentation provided by your payment gateway on maintaining a secure connection. If you are unable to maintain a secure connection, or don’t now what I’m talking about, hire a professional to setup the system for you.
A completely secure process means that at no point is any data not transfered over a SSL connection. User to Website, Website to Payment Gateway, Payment Gateway back to Website, and Website Back to User on approval or decline. Every step must be secure!
Storing Sensitive Information:
First Off, Don’t do it online. If you have to store sensitive information, do it on a computer that is not directly connected to the internet, and has limited access protected by a password. As a merchant, you do have the right to keep on file your customers information including their credit card numbers, but you are directly accountable for any data loss resulting from yours or your employee’s actions. Bad employees are one of the leading causes of stolen credit card information in the world.
Don’t become the target of another data-loss news headline.
Payment Gateway Integration Resources:
http://www.authnetscripts.com/