by Graeme Caldwell
Over the last couple of years, consumer confidence has been damaged by repeated data leaks from ecommerce stores. Every online retailer is aware of Magecart and the damage it has done, and companies like Adidas, Sears, and Macy’s have also suffered data leaks. The problem is even more acute for smaller retailers, since the majority of data breaches occur at small businesses. The causes of data theft are diverse, but a few precautions can reduce the likelihood of your customers’ data finding its way into the wild.
If You Don’t Need It, Don’t Store It
The best way to keep customer data safe is to avoid storing it in the first place. Criminals can’t exfiltrate data you don’t have. Retailers have the opportunity to store vast amounts of data from many different sources. The temptation may be to keep everything just in case it’s useful, but data that is stored without purpose is a liability. If there is no clearly defined use-case for storing data, delete it.
For this guidance to be actionable, a retailer has to know what data it stores and what that data contains. Storage is cheap, data is plentiful, and most of it is unstructured, so many retailers are unaware of what they are holding: old order exports, support tickets, and application logs are typical places where sensitive fields accumulate unnoticed. This is a dangerous situation to be in. Dark data can cause regulatory and privacy headaches. Make sure you know what you’re storing, and if you don’t need it, hit delete.
Outsource Credit Card Processing to a Third Party
Smaller ecommerce retailers should treat credit card data as if it were toxic. Payment providers invest a huge amount of time and expertise in building secure platforms for the storage of credit card data. Most small and medium retailers can’t replicate that level of security, so they shouldn’t store credit card numbers. A hosted payment page or a tokenized checkout means the card number never touches your servers, which also shrinks the scope of your PCI DSS obligations. It is often convenient to store card numbers, but it is far more inconvenient to have them stolen and your business destroyed by fines and reputation damage. Don’t store credit card numbers on your servers unless you have to.
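A quick way to find out whether card numbers are already sitting in exports, tickets, or logs is to scan for digit runs that pass the Luhn check that payment card numbers satisfy. The following is an added example, not code from the original post or from Nexcess; the sample records are constructed for illustration (the numbers in them are the public Visa and Mastercard test numbers, not real cards) and the scan runs entirely offline.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so a longer numeric reference is not split up).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid card numbers found in text, with separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only the first six and last four digits, so the report itself is not a leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_records(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each record name to the masked card numbers it contains; clean records are omitted."""
    report = {}
    for name, text in records.items():
        pans = find_pans(text)
        if pans:
            report[name] = [mask(p) for p in pans]
    return report


# Constructed sample data: a CSV export, a support ticket, and an application log line.
# The order number in app.log is 16 digits but fails the Luhn check, so it is not reported.
SAMPLE_RECORDS = {
    "orders_2019.csv": "order_id,customer,card\n100234,Ann,4111 1111 1111 1111\n100235,Bob,N/A\n",
    "support_tickets.txt": "Ticket 77: customer says card 5555-5555-5555-4444 was charged twice. Phone 555-0100-2222.",
    "app.log": "2019-06-01 INFO checkout ok order=4111111111111112 tracking=1Z999AA10123456784",
}

if __name__ == "__main__":
    for name, pans in scan_records(SAMPLE_RECORDS).items():
        print(f"{name}: {', '.join(pans)}")
```

Run against the sample, the scan flags the CSV export and the support ticket and stays quiet on the log line and the phone number. Treat hits as leads rather than proof: roughly one in ten random digit runs of the right length passes Luhn, and the scan only sees plaintext, so base64 blobs, compressed backups, and database dumps need to be decoded before scanning.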
Understand The Code Running On Your Site
Many of the best-known Magecart victims weren’t compromised through a vulnerability in their own site or network, but because a third-party script loaded by their checkout page had been modified at the vendor to skim card details from the customer’s browser. Supply chain attacks of this kind have become widespread in recent years.
Every ecommerce store uses third-party libraries, plugins, and scripts. That’s what makes the servers hosting that software a tempting target for criminals. If they can compromise a server hosting software that is trusted by hundreds of sites, they can disperse their malware far and wide with minimal effort. Be vigilant about the code that you trust: know which third-party scripts your checkout page loads and why, pin the version of each one, and, where the vendor serves a fixed file, use Subresource Integrity so the browser refuses a modified copy. Monitor vulnerability tracking services for information about problems with third-party code your site runs.
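Subresource Integrity (SRI) pins a third-party script to a hash you computed when you reviewed it, so a copy tampered with at the vendor is rejected by the browser; a Content-Security-Policy header limits which hosts may serve scripts and receive network requests from the page. The following is an added example, not code from the original post or from Nexcess: it computes the integrity value, builds the tag, reproduces the browser’s comparison against an original and a tampered script body, and assembles a matching CSP. The script bodies and the `example.invalid` host names are constructed placeholders.

```python
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity value for a script body, e.g. 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Build the <script> tag to embed; crossorigin is required for SRI on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(content: bytes, integrity: str) -> bool:
    """Mimic the browser check: the body must match at least one hash in the integrity list."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in SRI_ALGOS and hmac.compare_digest(sri_hash(content, algo), token):
            return True
    return False


def csp_header(script_hosts, connect_hosts) -> str:
    """Content-Security-Policy allowing scripts only from, and requests only to, known hosts.
    This limits where an injected skimmer could be loaded from and where it could send data."""
    return (
        "default-src 'self'; "
        f"script-src 'self' {' '.join(script_hosts)}; "
        f"connect-src 'self' {' '.join(connect_hosts)}; "
        "form-action 'self'"
    )


# Constructed sample: the vendor's script as reviewed, and the same file after tampering.
ORIGINAL = b"window.analytics = { track: function (e) { console.log(e); } };\n"
TAMPERED = ORIGINAL + b"/* injected */ sendFormDataElsewhere(document.forms);\n"
PINNED = sri_hash(ORIGINAL)

if __name__ == "__main__":
    print(script_tag("https://cdn.example.invalid/analytics.js", ORIGINAL))
    print("original passes:", verify_sri(ORIGINAL, PINNED))   # True
    print("tampered passes:", verify_sri(TAMPERED, PINNED))   # False
    print(csp_header(["https://cdn.example.invalid"], ["https://api.example.invalid"]))
```

The caveat a practitioner needs: SRI only works for scripts the vendor serves as a fixed, versioned file. Tag managers and scripts that change on every release will simply stop loading after the next change, so pinning commits you to re-reviewing the script and updating the hash. The CSP is a second layer: even if a skimmer does run, `connect-src` and `form-action` stop it posting card data to a host you never approved.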
Keep Your Store Up-To-Date
Updates fix software vulnerabilities, so if your store isn’t updated, it is almost certainly vulnerable. Known vulnerabilities are used to take over server and store application user accounts, to run code on the server or against the store’s database, and to exfiltrate sensitive data. Failing to keep the server operating system, utilities, the store, and its dependencies up to date is a security blunder that is likely to end in the theft of sensitive information.
In summary:
- Only store the data your business needs.
- Understand what the data stored on the business’s infrastructure represents.
- If possible, don’t store credit card data.
- Monitor third-party software for vulnerabilities.
- Keep the server, the store, and its dependencies up to date.
If you implement these straightforward security and privacy rules, your customers’ data will be considerably safer, and your store a much less attractive target for all but the most sophisticated and determined attackers.
About Graeme Caldwell
Graeme is a writer and content marketer at Nexcess, a global provider of hosting services, who has a knack for making tech-heavy topics interesting and engaging to all readers. His articles have been featured in top publications across the net, including TechCrunch.