E-Commerce Cybersecurity

The Payment Card Industry (PCI) enforces robust security standards to protect itself and merchants from exploitation. They cover the technologies and processes of the merchant and their service providers. Those technologies include everything the solution touches: the networks, backups, and links to third-party websites.

An e-commerce website is a high-value target for illicit activity, and retailers must remain vigilant. Potentially damaging outcomes include:

E-Commerce Security Components

Fraud Prevention

E-commerce shops must guard against many types of fraud to reduce losses and retain their merchant banking services.

Payment Card Fraud

Payment card fraud is a transaction that the cardholder did not make. There are many standard industry processes to protect the merchant. The most common are:

Chargebacks

A chargeback is when the customer's bank forces a refund. Each one comes with a fine. Chargeback rates over 1% of transactions can result in the loss of merchant banking services. Steps to reduce chargebacks include:

Shipping Fraud

Shipping fraud is when the customer claims they did not receive the product when they did. There are several ways to protect yourself:

Return Fraud

A fraudulent return is one where the product coming back does not conform to the return terms and conditions. Preventative measures include:

Web Browser Security

The web server can configure several security settings in the browser. They modify how the browser manages the connection and the loaded web page. The following chart shows the percentage of websites with each security setting; each setting is described further down.

[Chart: HTTP Security Headers]

Cross-Site Scripting (XSS)

XSS is when the browser collects data from one website and shares it with another. The browser's protection against it is enabled by default at startup, and e-commerce websites need to leave it on.

Content Security Policy (CSP)

The CSP restricts where the web page can get data. It is a superset of the XSS protection because it covers both data and content. The granular configuration sets each content type individually. For example, our website allows inline CSS for better performance, but all other resources must come from the website itself. The web server enables the settings by adding a policy to the HTTP header of the page. It is an implicit requirement of PCI-DSS Version 4, which comes into force in 2025.

Inline Frames (iframe)

An inline frame is a webpage inside a webpage with a virtual firewall isolating them. Most e-commerce websites use it to collect credit card data because that eases PCI scope for merchants. However, it adds design complexity, slows response times, caps functionality, and limits graphical options.

HTTP Strict Transport Security (HSTS)

HSTS forces the browser to upgrade connections from HTTP to HTTPS. It protects clients from DNS spoofing. Spoofing is when DNS routes requests to a compromised website on a different IP address.

HSTS comes in two flavors. The first is triggered after the first connection to the website and remains in place for as long as the server's settings specify. The user can clear it, but not with the standard history removal. An enhanced option also protects the very first connection to the website by embedding the HSTS entry in the web browser itself. The website administrator enables the enhanced option by submitting the domain name to a registry service.

There is no PCI requirement for HSTS, and only a tiny fraction of websites implement it, but the growth rate is substantial. The work effort to implement it and the risk to the website are trivial.
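The following checker, an added example that is not part of the original page, evaluates a set of response headers against the guidance in the CSP and HSTS sections above: inline content tolerated only for CSS, every other source restricted to the site itself, framing restricted, and HSTS with a one-year max-age and the preload flag. The header sets are constructed, not captured from any real site.

```python
import re

# Constructed response headers for two hypothetical sites (not captured from any real site).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=0",
    "Content-Security-Policy": "default-src *; script-src 'unsafe-inline'",
}

ONE_YEAR_SECONDS = 31536000  # the usual floor for HSTS preload submission


def parse_csp(value):
    """Split a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def assess_headers(headers):
    """Return a list of findings; an empty list means the headers meet the guidance above."""
    findings = []
    hsts = headers.get("Strict-Transport-Security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR_SECONDS:
            findings.append("HSTS max-age shorter than one year")
        if "preload" not in hsts.lower():
            findings.append("HSTS not marked for preload (first connection unprotected)")
    csp_value = headers.get("Content-Security-Policy")
    if csp_value is None:
        findings.append("CSP missing")
        return findings
    csp = parse_csp(csp_value)
    default = csp.get("default-src", [])
    if not default or "*" in default:
        findings.append("CSP default-src missing or wildcard")
    for directive, sources in csp.items():
        # Inline is only tolerated for CSS, matching the policy described in the text.
        if "'unsafe-inline'" in sources and directive != "style-src":
            findings.append(f"CSP allows inline content for {directive}")
    if "frame-ancestors" not in csp:
        findings.append("CSP does not restrict framing (frame-ancestors)")
    return findings
```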

Certificate Authority Authorization (CAA)

The web browser verifies the encryption certificate provided by the web server for HTTPS connections. It validates the provided key against the certificate authority named in the certificate, to prevent a compromised certificate authority from generating fraudulent certificates for your website. The website administrator can add a CAA record in DNS that instructs the browser to reject all but the specified certificate authorities, so the browser only accepts a response from the named entities. This protects against a compromised certificate authority.

Only 3% of websites have a CAA record, but this continues to rise. The Payment Card Industry does not require it. However, it is easy and low-risk.

[Chart: Percent of Domains with DNS CAA Record]
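How a CAA record set is interpreted, as an added example that is not from the original page: given records in zone-file form, it decides whether a named certificate authority is permitted to issue for the domain, including the rules that no issue records means anyone may issue, a value of ";" forbids everyone, and wildcard certificates fall back to the issue records when no issuewild record exists. The zone data and names are constructed.

```python
from dataclasses import dataclass


@dataclass
class CaaRecord:
    flags: int   # 128 marks the record as issuer-critical
    tag: str     # "issue", "issuewild", or "iodef"
    value: str   # CA domain, ";" meaning "no one", or a reporting URL


def parse_caa(zone_lines):
    """Parse CAA records written as: name IN CAA flags tag "value"."""
    records = []
    for line in zone_lines:
        fields = line.split(None, 5)  # name, class, type, flags, tag, quoted value
        if len(fields) == 6 and fields[2].upper() == "CAA":
            records.append(CaaRecord(int(fields[3]), fields[4].lower(),
                                     fields[5].strip().strip('"')))
    return records


def issuance_allowed(records, ca_domain, wildcard=False):
    """Return True if the record set permits ca_domain to issue a certificate.

    No issue/issuewild records at all means any CA may issue; a ";" value
    forbids every CA; issuewild governs wildcard requests when present."""
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r.tag == tag]
    if wildcard and not relevant:
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:
        return True
    for r in relevant:
        # Values may carry parameters ("ca.example; account=123"); the CA name comes first.
        name = r.value.split(";")[0].strip().lower()
        if name and name == ca_domain.lower():
            return True
    return False


# Constructed zone data for a hypothetical domain (not from any real zone).
ZONE = [
    'shop.example. IN CAA 0 issue "ca-one.example"',
    'shop.example. IN CAA 0 issuewild ";"',
    'shop.example. IN CAA 0 iodef "mailto:security@shop.example"',
]
```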

DNSSEC

DNSSEC protects against alteration of DNS data packets with encryption. The standard has existed for a long time, but DNS service providers only started enabling it recently. The following chart shows that very few websites use it, but the growth rate is high, and it has no impact on website deployments.

[Chart: Percent of Domains with DNSSEC Record]

HTTPS Network Connection

An HTTPS connection encrypts data transmission between the web browser and the server. That masks passwords and credit card numbers. However, it does not hide the communication endpoints or the amount of data sent. That protection comes from using the dark web. The dark web is slow, requires non-standard browsers, and masks the server from the client. So e-commerce sites almost always use HTTPS.

The Payment Card Industry (PCI) requires HTTPS connections. Multiple internet initiatives support it. They include browser warnings when entering form data, free SSL certificate services, and hardware acceleration for encryption processing. Compliant e-commerce sites serve all content from HTTPS. They typically still have an HTTP service, but it only redirects to HTTPS. The following chart shows the percentage of websites serving content using HTTPS only, HTTP only, and both.

[Chart: Percent of Domains Using HTTP and HTTPS]

TLS Protocol

HTTPS encrypts network traffic using the Transport Layer Security (TLS) protocol. It is the same protocol used by email, server login, and any other public-facing service with encrypted connections.

The supported TLS versions are 1.2 and 1.3. They work on any current web browser released in the last 12 years. TLS 1.1, TLS 1.0, and SSL 3.0 still exist on websites, but their support has ended, so the Payment Card Industry does not support them. The following two charts show the percentage of websites by the newest and oldest supported versions.

[Chart: Newest Supported TLS Protocol]
[Chart: Oldest Supported TLS Protocol]

TLS Configuration

The TLS protocol negotiates a cipher suite between the web browser and the server. A cipher suite is a set of algorithms and keys. Due to the continual evolution of security protocols, over 100 active cipher suites exist. So the best practice is to validate HTTPS connections against many current and older web browsers.

The following chart shows the most common non-compliant cipher options in red and suboptimal ones in yellow.

[Chart: Degraded SSL Configuration]

Lacks OCSP

The Online Certificate Status Protocol (OCSP) is a service the certificate authority offers. It lets website administrators revoke an HTTPS certificate before it expires, to defend against key theft. The web browser and certificate authority implement the protocol. The Payment Card Industry lists OCSP as a best practice.

Lacks AEAD

Authenticated Encryption with Associated Data (AEAD) adds authenticated metadata to the encrypted payload. It is embedded into TLS 1.3 and is not in earlier versions. All current web browsers support AEAD. The best practice is to default connections to AEAD and only fall back when the browser does not support it. Software must have been released after 2020 to support the protocol. Our solutions allow browsers to implement AEAD.

Old Certificate

The Payment Card Industry requires HTTPS certificate rotation at least once a year to protect against undetected theft. The above chart defines an old certificate as one whose validity period, from start date to end date, exceeds one year. Our solutions rotate keys, and all other security materials, every 90 days.

Key Length

Most HTTPS public keys use the RSA algorithm, but the newer, more secure ones are elliptic-curve keys. Longer keys are more secure but slower due to the added computational overhead. An elliptic-curve key is more efficient, providing significantly more security for a given key length. The standard RSA length is 2048 bits, which is the minimum acceptable length. Elliptic-curve keys of 224 bits offer more protection and similar browser compatibility.

SHA1, DES, RC4, and MD5

A frequent misconception about security patches is that they install newer security protocols. In reality, the supported protocols in a given product version never change. Instead, the patches fix defects in the original protocols. That approach makes the software more stable. So a website can run on a currently supported operating system while its HTTPS protocols are out of support. SHA1, DES, RC4, and MD5 are the most common examples. We install current operating systems that do not support these out-of-date protocols.
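The rules from the Degraded SSL Configuration chart and the Lacks AEAD, Old Certificate, Key Length and SHA1/DES/RC4/MD5 sections above, applied by an added checker that is not part of the original page: suites naming a withdrawn algorithm are red (non-compliant), suites without an AEAD mode and certificates valid for more than a year are yellow (suboptimal), and RSA keys under 2048 bits or elliptic-curve keys under 224 bits are red. The suite list and certificate facts are constructed sample input.

```python
from datetime import date

ONE_YEAR_DAYS = 366
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")     # modes that provide AEAD
BROKEN_MARKERS = ("RC4", "DES", "MD5", "NULL")  # algorithms the text lists as out of support


def classify_suite(name):
    """Rate one IANA-style cipher suite name: 'non-compliant', 'suboptimal' or 'ok'."""
    upper = name.upper()
    # IANA names end in _SHA for SHA-1 (SHA-256/384 suites end in _SHA256/_SHA384).
    if any(tok in upper for tok in BROKEN_MARKERS) or upper.endswith("_SHA"):
        return "non-compliant"
    if not any(tok in upper for tok in AEAD_MARKERS):
        return "suboptimal"  # CBC suites negotiate without AEAD
    return "ok"


def classify_certificate(key_type, key_bits, not_before, not_after):
    """Apply the key-length and one-year-rotation rules to a certificate's facts."""
    findings = []
    if key_type == "RSA" and key_bits < 2048:
        findings.append("non-compliant: RSA key shorter than 2048 bits")
    if key_type == "EC" and key_bits < 224:
        findings.append("non-compliant: elliptic-curve key shorter than 224 bits")
    if (not_after - not_before).days > ONE_YEAR_DAYS:
        findings.append("suboptimal: certificate validity exceeds one year")
    return findings


def assess_tls(suites, cert):
    """Group every issue under the chart's two colours: red (non-compliant) and yellow (suboptimal)."""
    report = {"non-compliant": [], "suboptimal": []}
    for suite in suites:
        rating = classify_suite(suite)
        if rating != "ok":
            report[rating].append(suite)
    for finding in classify_certificate(**cert):
        level, _, text = finding.partition(": ")
        report[level].append(text)
    return report


# Constructed sample input (hypothetical server, not a real scan result).
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_RC4_128_SHA",
]
SAMPLE_CERT = {"key_type": "RSA", "key_bits": 2048,
               "not_before": date(2023, 1, 1), "not_after": date(2025, 1, 1)}
```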

Cloud Services

Some cloud services comply with the Payment Card Industry (PCI), but many do not. Merchants need to confirm each service in the solution complies. That includes the Domain Name Service (DNS), Content Delivery Network (CDN), and even online services hyperlinked into the web page. They all come under PCI scope.

Network Security

Network design is vital to PCI. Anything inside the same network segment as an e-commerce server and not isolated with a firewall is within scope, even if it never interacts with the e-commerce systems. So the best practice is to minimize PCI scope by creating a network segment just for e-commerce. Better cloud services make that easy.

Private Networks

A private network is a PCI requirement unless compensating controls exist. A private network exists for any device using internal IP addresses, such as home networks. They use Network Address Translation (NAT) to give the request a public IP for internet communications and mask the network architecture.

The private network gets cut into zones or subnets. The best designs only allow one zone to connect with the internet, called the Demilitarized Zone (DMZ). Servers in other zones connect to a service in the DMZ to make an internet connection. That creates a layered defense that is harder for an attacker to penetrate. The following diagram shows a standard network architecture.

[Diagram: Networking Zones with Private Network]

Network Firewall

A network firewall blocks internet access to internal services. The capabilities of a commercial firewall typically include the following:

The following chart shows the percentage of domains with common firewall vulnerabilities. See below for descriptions of each.

[Chart: Infrastructure Security]

Administrative Ports need multifactor authentication or access restricted to managed IP addresses. Administrative ports include operating system login and website administration.

Encrypted Services protect data transmitted over the internet. Most email service providers support clear text or unencrypted connections. That makes it easy for a man-in-the-middle attack to capture login credentials. Many hosting providers expose unencrypted services on the same IP address as the web server. That is not PCI compliant.

Databases are the most common service exposed to the internet without an application firewall. They optimize for low latency and throughput and lack the application firewall needed for internet connectivity.

Hosting refers to any shared hosting environment not covered by a PCI report on compliance. Shared means many websites use the same server, which applies to most large hosting providers. A more secure approach prevents unknown 3rd parties from gaining login access to shared equipment.

Web Application Firewalls (WAF)

The WAF works on the HTTP protocol. It inspects all traffic and rejects suspicious requests. There are many types of suspicious requests. The more common are:

Firewall Layering

Firewall layering goes from 1 to 3. Layer 1 is fast but only protects networking ports. Layer 2 inspects network traffic based on packet inspection, while layer 3 inspects application-level protocols, which means HTTP for websites. Requests from the internet should pass through each one in succession.

The second meaning of layering is to place a firewall between internal services. The following chart shows a layer 2 firewall between the database and the web server.

[Diagram: Private Network Zones]

Operating System Security

Operating system security applies to the steps taken when installing, configuring, and maintaining software.

Server Hardening

Server hardening audits and updates the configuration settings of a server. It is complex, so e-commerce websites should stick to technologies that have a guide on how to do it. The CIS Benchmarks are popular and free hardening guides. They provide commands to audit and harden hundreds of configuration settings, which do the following:

Software Currency

Out-of-date software leaves websites vulnerable to commonly available exploit tools. The chart below shows that 52% of WordPress websites were outdated. Outdated means the vendor no longer provides security patches. These are not compliant with the Payment Card Industry. Even fewer websites apply the security patches that are available. Compliant programming languages, web servers, and databases support multiple versions simultaneously, which provides a window to upgrade versions. However, the window to migrate a single technology may be 18 months or less.

[Chart: WordPress Version Market Share]

Honey Pot Traps

Honey pot traps lure behavior that should not happen, then block anything that takes the bait. Our solutions use them to reduce email and phone spam significantly.

Source Code Security

Source code is what builds the e-commerce website. It is an administrative resource requiring added security measures. A secure solution has the following features:

Our solutions follow all the above practices, allowing them to recover from malware and ransomware in minutes.