StoreFront Ecommerce News for FrontPage & Dreamweaver


Why your E-commerce Site needs a Web Server Certificate
So you've gone through the long process of purchasing an e-commerce solution, setup your online catalog, price groups and categories, and uploaded your design and logo. Things are looking great, and you're ready to go live. Or are you?

By Automation Services Co., Inc.
Posted Saturday, January 15, 2005

It's still amazing how many e-commerce websites are created today without much thought or concern for securing the information they collect. How many sites have you visited recently that prompted you for credit card information on an unsecured page? Are you one of the vigilant types who refuses to order from such an online merchant? How many of your potential customers would take their business elsewhere if the roles were reversed?

Of course, all this boils down to end-user education. The bad part is, what you don't know CAN hurt you. Sites that allow credit card data, or other sensitive data for that matter, to pass unprotected to and from their servers may be contributing to the prevalence of credit card fraud and identity theft. Many consumers today are exercising their rights and suing online merchants for losses incurred from identity theft. Most credit card processing agreements pass the onus to the online merchant as well. Since website owners are legally liable for these damages, it makes good business sense to practice due care in this regard. So what can be done to mitigate these risks associated with Internet privacy?

The easiest, most cost-effective way is to secure your e-commerce pages through the use of a web server certificate, also referred to as a digital certificate. The certificate uses encryption technologies and secure web protocols (SSL/TLS and HTTPS) to establish a private connection between your web server and the end-user's browser. Information passing between the two after the secure connection is established is protected from prying eyes and malicious tampering.

You can verify whether a page is protected with SSL/TLS by 1) examining the URL in the browser's address bar (it should begin with HTTPS) AND 2) examining the secure icon in the lower portion of the browser window (a lock if using IE, or a key if using Netscape). For sites that use frames, you may need to check the page's properties (in IE, right-click and choose Properties) to verify the page is protected with a certificate.

Many sites today are configured to POST data from an unsecured page, usually the one that collects credit card details, to a secured page or third-party site. This is one of the most common mistakes in website security. What really happens is that the sensitive information passes through the Internet in the clear, unencrypted and available for anyone to see. It's only AFTER the SSL connection is established that transmitted information is encrypted, not before. The important thing to remember is that to secure the data, you must protect both the page that collects and the page that receives the data with SSL.
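As an added illustration (not code from the original article), the following Python audit applies both rules from the paragraph above to a checkout page: the page URL itself must be HTTPS, and every form's resolved action URL must be HTTPS. The page URL, HTML and hostnames below are constructed samples.

```python
"""Audit a checkout page: the page and every form target must both use HTTPS."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect each <form> action together with the names of the fields it carries."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str, "fields": [names]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_checkout_page(page_url, html):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    page_scheme = urlsplit(page_url).scheme
    if page_scheme != "https":
        findings.append(f"page served over {page_scheme}, not https: {page_url}")
    parser = _FormCollector()
    parser.feed(html)
    for form in parser.forms:
        # An empty or relative action resolves against the page URL, so it
        # inherits the page's scheme; an absolute action carries its own.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append(f"form posts fields {form['fields']} to non-https target: {target}")
    return findings


# Constructed sample: an HTTP catalog page whose order form posts card data
# to a third-party processor over HTTP; a second form correctly uses HTTPS.
SAMPLE_URL = "http://shop.example/checkout.shtml"
SAMPLE_HTML = """<html><body>
<form method="post" action="http://pay.example/process">
  <input name="cardnumber"><input name="expiry"><input type="submit">
</form>
<form method="post" action="https://shop.example/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_checkout_page(SAMPLE_URL, SAMPLE_HTML):
        print("FINDING:", finding)
```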

Some may ask, "If I enter my credit card information on a web page and click Submit, isn't the information sent directly to the merchant? Isn't this as secure as faxing or phoning in my order?" The simple answer is no, because unlike communications over regular phone lines, Internet traffic travels through many devices (routers, firewalls, Intrusion Detection Systems, web servers, proxies, switches, etc.) before it reaches its destination. These devices are usually managed by ISPs, phone companies and service providers and are beyond the control of the end-user and website owner. There's simply no guarantee that someone else isn't intercepting, sniffing or logging the traffic.

Next time, we'll take a look at several web server certificate vendors and help you choose the right one for your site. In the meantime, remember that the integrity and confidentiality of the data you collect from your customers should not be an afterthought. If ignored or implemented improperly, it could cost you much more in the long run.

Shawn Asmus, CISSP, MCSD
Automation Services Company, Inc.
StoreFront Solution Provider

Use this form to email security-related questions, comments, and inquiries: http://www.storefrontgoodies.com/StoreFrontSecurity/ContactFormASCMO-2.shtml