E-Commerce Cybersecurity
Cyber security is critical to e-commerce and required for privacy regulation and the Payment Card Industry - Data Security Standard (PCI-DSS). Attackers constantly probe websites to detect vulnerabilities. Be prepared to deter their every move.
Fraud Prevention
Insufficient preparation can lead to fraud attacks coming in fast and furious. The best practice is to establish a risk management procedure, train staff on how it works, and keep seeking out enhancements.
Stolen Credit Cards
Stolen credit card numbers are big business. Attackers in countries with virtual legal immunity go through card lists in bulk. The best defenses include:
- Enable 3DS on the website. That transfers liability for stolen cards from the merchant to the bank. Merchants tend to use it as a risk indicator because corporate and prepaid cards and some foreign banks do not support it.
- Geolocate the IP address. Out-of-country IP addresses are a strong risk indicator. Out-of-state may be an issue for some businesses too.
- Reject too many card numbers from a single IP address.
- Reject transactions with an invalid CVV code. Those are the three- or four-digit codes on the card.
- Check for multiple purchases from the same card. Low dollar value purchases may be test transactions.
- Check the Business Identification Numbers (BIN) for the card. Those are the first six digits of the number. Check if the card is from your country.
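The indicators above can be applied together as a risk screen on incoming orders. The following is an added example, not code from the original page: it scores a batch of constructed orders against the IP geolocation, cards-per-IP, CVV format, repeat-card test-transaction and BIN-country checks. The GeoIP and BIN lookups are stand-in tables (an assumption; a real deployment queries a GeoIP database and the acquirer's BIN list), and the thresholds are illustrative.

```python
"""Risk indicators for card-not-present orders (added example, not from the page).

The geolocation and BIN lookups below are constructed stand-ins: a real
deployment would query a GeoIP database and a BIN list from the acquirer.
"""
import re
from collections import Counter, defaultdict

MERCHANT_COUNTRY = "US"

# Constructed lookups (assumption): first octet -> country, BIN prefix -> country.
GEOIP = {"203": "AU", "198": "US", "91": "IN", "24": "US"}
BIN_COUNTRY = {"411111": "US", "520000": "GB", "400000": "AU"}

# Constructed sample orders: (order_id, client_ip, card_number, cvv, amount_usd).
ORDERS = [
    ("o1", "198.51.100.7", "4111111111111111", "123", 89.00),
    ("o2", "203.0.113.9", "4000001234567899", "12", 1.00),
    ("o3", "203.0.113.9", "5200001234567890", "456", 1.00),
    ("o4", "203.0.113.9", "4111111234567890", "789", 1.00),
    ("o5", "24.5.6.7", "4111111111111111", "123", 2.00),
]


def geolocate(ip):
    """Country for an IP address, from the stand-in table."""
    return GEOIP.get(ip.split(".")[0], "??")


def cvv_valid(cvv):
    """A CVV is three or four digits; anything else is malformed."""
    return re.fullmatch(r"\d{3,4}", cvv) is not None


def bin_country(card):
    """Issuing country from the first six digits (the BIN)."""
    return BIN_COUNTRY.get(card[:6], "??")


def score_orders(orders, max_cards_per_ip=2, test_amount=5.00):
    """Return {order_id: [reasons]} for every order that trips an indicator.

    Cards per IP and uses per card are counted over the whole batch first,
    so that the per-order checks can see the batch-wide pattern.
    """
    cards_per_ip = defaultdict(set)
    uses_per_card = Counter()
    for _, ip, card, _, _ in orders:
        cards_per_ip[ip].add(card)
        uses_per_card[card] += 1

    flagged = {}
    for oid, ip, card, cvv, amount in orders:
        reasons = []
        if geolocate(ip) != MERCHANT_COUNTRY:
            reasons.append("foreign ip")
        if len(cards_per_ip[ip]) > max_cards_per_ip:
            reasons.append("many cards from ip")
        if not cvv_valid(cvv):
            reasons.append("invalid cvv")
        # Several small purchases on one card look like card testing.
        if uses_per_card[card] > 1 and amount <= test_amount:
            reasons.append("possible test transaction")
        if bin_country(card) != MERCHANT_COUNTRY:
            reasons.append("foreign bin")
        if reasons:
            flagged[oid] = reasons
    return flagged


if __name__ == "__main__":
    for oid, reasons in score_orders(ORDERS).items():
        print(oid, ", ".join(reasons))
```

Each reason is kept separately rather than collapsed into a single score so that the staff procedure described above can decide which combinations warrant a manual review and which an outright rejection.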
Money Laundering
Money laundering rinses money through online purchases. Steps to avoid money laundering are:
- Only refund money to a credit card number that made the payment.
- Avoid high dollar value purchases. Card taps over $250 (varies depending on the country) lose liability transfer.
- Reject credit cards from foreign countries.
- Reject less well-known and less secure card brands.
- Reject chipless swipe cards or a fallback to swipe.
Chargebacks
A chargeback is when the client bank forces a reverse payment. They come with a fine and cause the termination of banking services if they represent 1% of transactions. Steps to reduce chargebacks include:
- Delay billing the customer until after shipping the item.
- State the conditions for return on the receipt.
- Put a name recognizable to the client onto their credit card statement.
- Retain records for prior chargebacks to identify potential repeats.
- Sign up with Ethoca and Verifi to get notified of pending cases.
- Confirm online purchases with an email or text message.
- Suppress double payments.
Shipping Fraud
Shipping fraud is when the customer claims they did not receive the product or claims there was damage when there was not. There are several ways to protect yourself:
- Retain the shipping tracking number with the order.
- Use the Address Validation Service (AVS) provided by the credit card company.
- Pack products to prevent damage in shipment.
- Avoid shipments to postal boxes.
Return Fraud
A fraudulent return is getting products back that do not fit within the terms and conditions. Preventative measures include:
- Ensure the serial number on the product sent matches the returned item.
- Verify defects against the customer claim.
- Test if the working product still works.
- Analyze the data collected from transactions for suspicious activity.
- Blacklist shipping addresses with too many returns.
- Validate ship-to addresses with a 3rd party service.
Web Browser Security
The server has to enable many security settings in the web browser explicitly. By default, most are off. The following chart shows how many websites allow these settings. Further down are descriptions for each one.
Cross-Site Scripting (XSS)
XSS is when the browser shares data between multiple websites. This security setting is built into the browser by default, and the best practice is to leave it on. An alternate name for XSS is Cross-Origin Resource Sharing (CORS).
Content Security Policy (CSP)
The CSP defines what file types the browser can download and from which sites. The best practice is to only allow required content from a single domain. Getting content from other sites brings them into PCI scope, but setting the CSP is not a PCI requirement. It is a superset of the protections offered by XSS.
Inline Frames (iframe)
An inline frame is a web page inside a webpage. The most common use is a hosted payment page. The browser separates them with an application firewall. That makes integration awkward. So hosted payment pages can present challenges with workflow design, data analytics, response times, and graphical presentation.
HTTP Strict Transport Security (HSTS)
HSTS forces connections from HTTP to HTTPS. It protects clients from DNS spoofing. Spoofing is when DNS routes requests to a compromised website.
HSTS comes in two flavors. One gets activated after the first connection to the website and remains in place based on the web server settings. The user can clear this type of HSTS, but not with the standard history removal. An enhanced option protects the first connection to the website by embedding HSTS into the web browser after the administrator registers the website. The Payment Card Industry does not explicitly require HSTS.
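Both the CSP section and the HSTS description above come down to response headers the server must send and the browser then enforces. The following is an added example, not code from the original page: it parses the two headers and grades them against the single-domain CSP best practice and the HSTS settings needed for the browser-embedded (preload) flavor. The site origin and the sample header values are constructed, and the preload thresholds (a max-age of at least one year, includeSubDomains and preload all present) are the hstspreload.org submission requirements as assumed here.

```python
"""Assess HSTS and CSP response headers (added example, not from the page).

Sample headers and the site origin are constructed. The preload thresholds
are the hstspreload.org submission requirements as assumed here.
"""
ONE_YEAR = 31536000
SITE_ORIGIN = "https://shop.example"          # constructed site name
SITE_HOST = SITE_ORIGIN.split("://", 1)[1]

# Constructed sample header values.
WEAK_HSTS = "max-age=300"
GOOD_HSTS = "max-age=63072000; includeSubDomains; preload"
WEAK_CSP = "default-src 'self' https:; script-src 'self' 'unsafe-inline' https://cdn.example.net"
GOOD_CSP = "default-src 'self'; img-src 'self'; frame-ancestors 'none'"


def parse_hsts(header):
    """Split "max-age=...; includeSubDomains; preload" into a dict of directives."""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            out[name.strip().lower()] = value.strip().strip('"')
    return out


def assess_hsts(header):
    """Is HSTS enforced at all, and does it qualify for the preload list?"""
    d = parse_hsts(header)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:                         # missing or malformed max-age
        return {"enforced": False, "preload_ready": False, "max_age": None}
    preload_ready = max_age >= ONE_YEAR and "includesubdomains" in d and "preload" in d
    return {"enforced": max_age > 0, "preload_ready": preload_ready, "max_age": max_age}


def parse_csp(header):
    """Split "default-src 'self'; img-src ..." into {directive: [sources]}."""
    out = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def assess_csp(header, own_origin=SITE_ORIGIN, own_host=SITE_HOST):
    """List departures from the 'required content from a single domain' rule."""
    d = parse_csp(header)
    problems = []
    if "default-src" not in d:
        problems.append("no default-src fallback")
    for directive, sources in d.items():
        for src in sources:
            # Wildcards, scheme-only sources and unsafe-* keywords open the policy wide.
            if src in ("*", "'unsafe-inline'", "'unsafe-eval'") or src.endswith(":"):
                problems.append(f"{directive} allows {src}")
            # Keyword sources are quoted; anything else is a host, which must be our own.
            elif not src.startswith("'") and src.rstrip("/") not in (own_origin, own_host):
                problems.append(f"{directive} loads from third party {src}")
    return problems


if __name__ == "__main__":
    print(assess_hsts(WEAK_HSTS), assess_hsts(GOOD_HSTS))
    print(assess_csp(WEAK_CSP), assess_csp(GOOD_CSP))
```

The CSP check treats every unquoted host that is not the site's own as a third party, which is exactly the set of hosts the text says gets pulled into PCI scope.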
Certificate Authority Authorization (CAA)
The web browser attempts to verify the certificate authority for each HTTPS connection. It checks by comparing the DNS CAA record with the certificate. If the record exists, it must match. If there is no record, the browser accepts any certificate authority. Only 3% of websites use the setting, and the Payment Card Industry does not require it. However, it is easy and low-risk protection.
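The match rule above ("if the record exists, it must match; if there is no record, any authority is accepted") can be written out as a small evaluator. The following is an added example, not code from the original page: it decides whether a given authority is permitted by a CAA record set, following the RFC 8659 rules as understood here (issue governs ordinary names, issuewild governs wildcard names and falls back to issue, an empty issuer value forbids every authority, no relevant records permits any, and an unknown tag with the critical flag set stops issuance). The record sets and the authority names are constructed.

```python
"""Evaluate a CAA record set for a would-be issuer (added example, not from the page).

Records are (flags, tag, value) tuples as they would come back from DNS. The
record sets below are constructed.
"""
CRITICAL = 128                                 # "issuer critical" flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed record sets.
RECORDS_STRICT = [
    (0, "issue", "letsencrypt.org"),
    (0, "issuewild", ";"),                     # no wildcard certificates at all
    (0, "iodef", "mailto:security@shop.example"),
]
RECORDS_NONE = []                              # no CAA published: any authority is accepted
RECORDS_UNKNOWN_CRITICAL = [(CRITICAL, "futuretag", "x")]


def issuer_of(value):
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def ca_permitted(records, ca_domain, wildcard=False):
    """True if the authority named by ca_domain may issue for the name."""
    # A critical record the evaluator does not understand must stop issuance.
    if any(flags & CRITICAL and tag.lower() not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    tag = "issuewild" if wildcard else "issue"
    relevant = [v for _, t, v in records if t.lower() == tag]
    if wildcard and not relevant:              # issuewild absent: issue applies
        relevant = [v for _, t, v in records if t.lower() == "issue"]
    if not relevant:                           # nothing published: accept any authority
        return True
    return ca_domain.lower() in {issuer_of(v) for v in relevant}


if __name__ == "__main__":
    print(ca_permitted(RECORDS_STRICT, "letsencrypt.org"))
    print(ca_permitted(RECORDS_STRICT, "letsencrypt.org", wildcard=True))
    print(ca_permitted(RECORDS_NONE, "anyca.example"))
```

The third record set shows the low-risk part of the protection: a record the evaluator cannot interpret is only a hard stop when its critical flag is set, so adding a CAA record never breaks an existing, legitimate issuer unless the administrator asks for that.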
DNSSEC
DNSSEC protects against alteration of the DNS data package. However, it does not validate the responding server. The standard existed for a long time, but DNS service providers started enabling the capability recently. The following chart shows very few websites use DNSSEC.
HTTPS Network Connection
An HTTPS connection encrypts data transmission between the web browser and server. It masks passwords and credit card numbers within the data package. However, it does not hide communication endpoints or the amount of data sent. That protection comes from using the onion domain on the dark web. The dark web is slow, requires non-standard browsers, and masks the server from the client. So e-commerce vendors typically stay on regular websites and use HTTPS.
The Payment Card Industry requires HTTPS connections. There are numerous internet initiatives to support it. Those include browser warnings when entering form data, free SSL certificate services, and hardware acceleration for encryption processing. Compliant e-commerce sites serve all content from HTTPS. They typically still have an HTTP service, but it only redirects to HTTPS. The following chart shows the percentage of websites serving content using HTTPS only, HTTP only, and those doing both.
TLS Protocol
HTTPS encrypts network traffic using the Transport Layer Security (TLS) protocol. It's the same protocol used to encrypt email, server login, and everything else sent over the internet.
The supported TLS versions are 1.2 and 1.3. They work on any current web browser released in the last 12 years. TLS 1.1, 1.0, and SSL 3.0 still exist on websites, but their support ended. So the Payment Card Industry does not support them. The following two charts show the newest and oldest supported versions.
TLS Configuration
The TLS protocol allows the web browser and server to agree on a cipher suite, a set of security algorithms and settings. The following chart shows the most common degradations. Yellow lines are suboptimal, and red is not allowed.
Lacks OCSP
The Online Certificate Status Protocol (OCSP) is a service allowing website administrators to disable keys before they expire. The best practice is to disable keys if there is a chance of theft. Protocol support is part of the key, and it does not require any changes to the website. However, not all the certificate authorities support the standard. The Payment Card Industry lists OCSP as a best practice.
Lacks AEAD
Authenticated Encryption with Associated Data (AEAD) extends encryption to include metadata in the network connection. It is embedded into TLS 1.3 and not available in prior versions. Most browsers support AEAD. The best practice is to use TLS 1.3 when supported by the browser.
Old Cert
The Payment Card Industry requires key rotation at least once a year. An old certificate is a public key that lasts more than one year. The best practice is to reduce the risk of undetected key theft by changing the keys every 90 days.
Key Length
Most public keys use the RSA algorithm, but the newer, more secure keys are elliptic-curve keys. Longer keys are more secure but slower due to the added computational overhead. An elliptic-curve key is more efficient, providing significantly more security for a given key length. Most keys are RSA with 2048 bits, which is the minimum acceptable length. But elliptic-curve keys of 224 bits offer more protection and similar browser compatibility.
SHA1, DES, RC4, and MD5
A frequent misunderstanding about security patches is that they keep the cryptography current. In fact, they leave unsupported security standards in place and do not add newer protocols. If your web server runs SHA1, DES, RC4, or MD5, it's time to migrate to a more current operating system.
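The degradations listed under TLS Configuration (OCSP, AEAD, certificate age, key length, and the SHA1/DES/RC4/MD5 algorithms) can be checked against a server's settings in one pass and graded with the chart's yellow and red. The following is an added example, not code from the original page: it audits a constructed configuration dict using the thresholds the text gives (TLS 1.2 and 1.3 only, RSA of at least 2048 bits or elliptic-curve of at least 224, a certificate lifetime under a year with 90 days as best practice, OCSP present, AEAD suites preferred, and none of the four named algorithms). The cipher-suite names are IANA-style strings; detecting AEAD and SHA1 from the suite name is a convention assumed here.

```python
"""Grade a TLS configuration as the chart above does (added example, not from the page).

Yellow marks a suboptimal setting, red one that is not allowed. The
configuration dicts are constructed; the thresholds come from the text.
"""
import re

WEAK_ALGOS = ("RC4", "DES", "MD5")            # substrings of IANA suite names
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")     # AEAD modes named in suites
ALLOWED_VERSIONS = {"1.2", "1.3"}
MIN_KEY_BITS = {"RSA": 2048, "EC": 224}

# Constructed sample configurations.
LEGACY = {
    "versions": ["1.0", "1.2"],
    "ciphers": ["TLS_RSA_WITH_RC4_128_MD5", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"],
    "key": ("RSA", 1024),
    "cert_lifetime_days": 730,
    "ocsp": False,
}
MODERN = {
    "versions": ["1.2", "1.3"],
    "ciphers": ["TLS_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"],
    "key": ("EC", 256),
    "cert_lifetime_days": 90,
    "ocsp": True,
}


def suite_findings(suite):
    """Findings for one cipher suite: weak algorithms, SHA1 MAC, missing AEAD."""
    findings = []
    if any(algo in suite for algo in WEAK_ALGOS):
        findings.append(("red", f"{suite}: weak algorithm"))
    if re.search(r"_SHA$", suite):             # a bare trailing _SHA is an HMAC-SHA1 MAC
        findings.append(("red", f"{suite}: SHA1"))
    if not any(marker in suite for marker in AEAD_MARKERS):
        findings.append(("yellow", f"{suite}: lacks AEAD"))
    return findings


def audit_tls(config):
    """Return a list of (severity, message) for everything the chart would colour."""
    findings = []
    for version in config["versions"]:
        if version not in ALLOWED_VERSIONS:
            findings.append(("red", f"TLS {version} enabled"))
    for suite in config["ciphers"]:
        findings.extend(suite_findings(suite))
    key_type, bits = config["key"]
    if bits < MIN_KEY_BITS[key_type]:
        findings.append(("red", f"{key_type} key of {bits} bits below {MIN_KEY_BITS[key_type]}"))
    days = config["cert_lifetime_days"]
    if days > 365:
        findings.append(("red", "certificate lifetime over one year"))
    elif days > 90:
        findings.append(("yellow", "certificate lifetime over 90 days"))
    if not config["ocsp"]:
        findings.append(("yellow", "lacks OCSP"))
    return findings


def grade(findings):
    """Overall colour: red beats yellow, no findings is green."""
    severities = {severity for severity, _ in findings}
    return "red" if "red" in severities else "yellow" if "yellow" in severities else "green"


if __name__ == "__main__":
    for name, config in (("legacy", LEGACY), ("modern", MODERN)):
        findings = audit_tls(config)
        print(name, grade(findings))
        for severity, message in findings:
            print("  ", severity, message)
```

Run against the legacy configuration, the RC4 suite and the TLS 1.0 listener come out red on their own, which is the "migrate the operating system" case the text describes; the modern configuration produces no findings.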
Network Security
Network design is critical to PCI. Anything inside the same network segment and not separated by a firewall is within PCI's scope, even if it never connects to the e-commerce solution. So the best practice is to minimize PCI scope by creating a network segment just for e-commerce.
Private Networks
A private network exists for any device using private IP addresses, including home networks. They use Network Address Translation (NAT) to give the request a public IP for internet connections.
Network Firewall
A network firewall blocks internet access to internal services. Commercial firewalls add on inspection of network traffic, and they purge suspicious packets. The capabilities include:
- Block TCP SYN floods and other denial-of-service attacks that flood the service with half-open network connections.
- Block IP spoofing, which protects against the takeover of user sessions.
- Block outbound connections while allowing inbound. That prevents the exfiltration of stolen data.
- Respond with nothing to requests for a blocked service, which makes it harder for the attacker to fingerprint the technology. The same request made directly to an operating system gets a negative response.
Encrypted Services protect data transmitted over the internet. Most email service providers support clear text or unencrypted connections. That makes it easy for a man-in-the-middle attack to capture login credentials. The hosting provider may expose other unencrypted services.
Databases are the most common service exposed to the internet without the necessary security features.
Hosting means the website does not share networking or operating systems with websites that belong to others. Secure hosting prevents unknown 3rd parties from gaining login access to shared services. The above chart refers to the hosted page. The majority of websites are in shared hosting environments.
Web Application Firewalls (WAF)
The WAF works on the HTTP protocol. It inspects all traffic and rejects suspicious HTTP requests. There are many types of suspicious requests. The more common are:
- High-frequency requests from the same IP address.
- Form input that looks like SQL injection or brute-force password guessing.
- Unusual HTTP headers, such as the long-outdated HTTP version 1.0.
- Programming requests, such as the DEBUG, OPTIONS, DELETE, and PUT methods.
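The four patterns above are what a WAF, or a detection rule fed from the web server's access log, looks for. The following is an added example, not code from the original page: it runs those checks over constructed common-log-format lines and reports the per-request hits, the IP addresses that exceed a request threshold, and the IP addresses accumulating failed logins. The threshold, the login path and the SQL-injection pattern are illustrative assumptions, not a product's rule set.

```python
"""Triage an access log for the suspicious request types listed above
(added example, not from the page). The log lines are constructed; the
rate threshold, login path and injection pattern are illustrative."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed common-log-format lines; the search query is URL-encoded as a browser would send it.
LOG = """\
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /product/42 HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=shoes%27%20OR%201%3D1-- HTTP/1.1" 200 90
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.0" 401 12
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "OPTIONS / HTTP/1.1" 200 0
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "PUT /uploads/x.php HTTP/1.1" 403 0
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /cart HTTP/1.1" 200 300
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) HTTP/(\d\.\d)" (\d{3}) \d+')
# Quote-then-boolean, comment marker, or UNION SELECT: classic injection shapes.
SQLI = re.compile(r"'\s*(or|and)\s+[\w']+\s*=|--|union\s+select", re.IGNORECASE)
UNUSUAL_METHODS = {"DEBUG", "OPTIONS", "DELETE", "PUT"}
LOGIN_PATH = "/login"                          # assumed login endpoint


def triage(log, rate_limit=3):
    """Return per-request hits, high-frequency IPs and per-IP failed-login counts."""
    per_ip = Counter()
    login_failures = Counter()
    flagged = []
    for line in log.splitlines():
        match = LINE.match(line)
        if not match:                          # skip lines that are not in the expected format
            continue
        ip, _, method, path, version, status = match.groups()
        per_ip[ip] += 1
        if method == "POST" and path.startswith(LOGIN_PATH) and status == "401":
            login_failures[ip] += 1
        reasons = []
        if SQLI.search(unquote(path)):         # decode before matching, as the app would
            reasons.append("sql injection pattern")
        if version == "1.0":
            reasons.append("http/1.0")
        if method in UNUSUAL_METHODS:
            reasons.append(f"method {method}")
        if reasons:
            flagged.append((ip, method, path, reasons))
    high_frequency = {ip: n for ip, n in per_ip.items() if n >= rate_limit}
    return {
        "flagged": flagged,
        "high_frequency": high_frequency,
        "login_failures": dict(login_failures),
    }


if __name__ == "__main__":
    result = triage(LOG)
    for ip, method, path, reasons in result["flagged"]:
        print(ip, method, path, ", ".join(reasons))
    print("high frequency:", result["high_frequency"])
    print("login failures:", result["login_failures"])
```

Decoding the path before matching matters: the injection text in the sample line is URL-encoded, so a rule applied to the raw log line would miss it. A production rate rule would also count within a sliding time window rather than over the whole file, which the constructed sample is too short to need.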
Firewall Layering
Firewall layering goes from 1 to 3. Layer 1 is fast but only protects networking ports. Layer 2 inspects network traffic based on packet inspection, while layer 3 inspects application requests. The following chart shows data flow through the layers. Connections from the internet have to pass through each one. Even internal servers have protection from each other.
Operating System Security
Operating system security refers to the security practices applied during installation and configuration.
Server Hardening
Server hardening audits and updates hundreds of settings. It is complex. The practical approach is selecting technologies with a guide on how to do it. The CIS Benchmarks are popular and free hardening guides. At a high level, the commands help:
- Turn off unneeded services
- Remove unnecessary software
- Block insecure access
- Audit activity on the system
Software Currency
Out-of-date software leaves websites vulnerable to commonly available exploit tools. The chart below shows that 52% of websites using WordPress are outdated. Outdated means the vendor does not provide security patches. These are not compliant with the Payment Card Industry. Even fewer website administrators apply patches when they exist. Similar issues exist with other software, including the programming languages, web servers, and HTTPS settings.
Honey Pot Traps
Honey pot traps lure behavior that should not happen. The solution then blocks anything taking the bait. It is most effective with email spam.
Source Code Security
Most websites have insecure source code because they use the website as the source code repository. Secure source code separates them, which makes it practical to purge ransomware and malware.
A programmer can audit secure source code. Many Content Management Systems mix their code with website pages. Auditing is complex because they dump thousands of files into the web server directory.