E-Commerce Cybersecurity
The Payment Card Industry (PCI) enforces robust security standards to protect itself and merchants from exploitation. They cover the technologies and processes of the merchant and their service providers. Those technologies cover everything the solution touches, including the networks, backups, and links to third-party websites.
An e-commerce website is a high-value target for illicit activity, and retailers must remain vigilant. Potentially damaging outcomes include:
- The merchant or service provider loses access to banking services.
- The bank requires a third-party auditor to review the website and fix any gaps. That can include changing vendors, hosting services, and website design.
- Removal from search engine indices.
- Clients getting full-page security warnings from the website.
- Email going to recipient SPAM folders or getting purged in flight.
- A legal mandate to inform clients you lost their private data.
- Disruption to business operations.
- Suing perpetrators for cybercrime is rarely an option because they often come from foreign countries.
Fraud Prevention
E-commerce shops must contain many types of fraud to decrease losses and keep merchant banking services.
Payment Card Fraud
Payment card fraud is a transaction not made by the cardholder. There are many standard industry processes to protect the merchant. The most common are:
- Reject transactions with an invalid CVV code. Those are the three- or four-digit codes on the card.
- Enable 3DS. That transfers the financial loss for stolen cards to the merchant bank. Small card brands and less common card types may not support the standard.
- Geolocate the IP address. IP addresses from unexpected regions are high risk.
- Validate the provided billing address using the Address Validation Service (AVS). Corporate and prepaid cards typically do work with the service.
- Reject transactions when too many different card numbers come from a single IP address.
- Limit the number of purchases from the same card number.
- Only refund money to the credit card number that made the payment.
- Avoid high-dollar-value purchases. Card taps over $250 (depending on the country) lose liability transfer to the bank for fraud.
- Reject credit cards from foreign countries.
- Reject less well-known and less secure card brands.
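The rules above, expressed as a small screening function; this is an added example, not code from the page or from any merchant's real fraud system. The thresholds, the home country, the trusted brand list, the 24-hour velocity window, and the tokenized card identifiers are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed thresholds for illustration; real limits come from the acquirer agreement.
HOME_COUNTRY = "US"
MAX_CARDS_PER_IP = 3        # distinct card numbers allowed from one IP within WINDOW
MAX_TXNS_PER_CARD = 5       # purchases allowed on one card within WINDOW
HIGH_VALUE_LIMIT = 250.00   # the page's "card taps over $250" threshold
TRUSTED_BRANDS = {"visa", "mastercard"}
WINDOW = 24 * 3600          # seconds; transaction times are Unix epoch seconds

class FraudScreen:
    """Keeps a rolling history so the per-IP and per-card velocity rules can be enforced."""

    def __init__(self):
        self.cards_by_ip = defaultdict(dict)    # ip -> {card_token: last_seen}
        self.txns_by_card = defaultdict(list)   # card_token -> [timestamps]

    def screen(self, txn):
        """Return the names of the rules a transaction trips; an empty list means accept."""
        now, ip, card = txn["time"], txn["ip"], txn["card_token"]
        reasons = []
        if not txn["cvv_match"]:
            reasons.append("invalid_cvv")
        if not txn["avs_match"]:
            reasons.append("avs_mismatch")
        if txn["ip_country"] != HOME_COUNTRY or txn["card_country"] != HOME_COUNTRY:
            reasons.append("foreign")
        if txn["amount"] > HIGH_VALUE_LIMIT:
            reasons.append("high_value")
        if txn["brand"].lower() not in TRUSTED_BRANDS:
            reasons.append("unsupported_brand")
        # Velocity rules: drop events outside the rolling window, then count what is left.
        seen = {c: t for c, t in self.cards_by_ip[ip].items() if now - t <= WINDOW}
        seen[card] = now
        self.cards_by_ip[ip] = seen
        if len(seen) > MAX_CARDS_PER_IP:
            reasons.append("too_many_cards_from_ip")
        recent = [t for t in self.txns_by_card[card] if now - t <= WINDOW] + [now]
        self.txns_by_card[card] = recent
        if len(recent) > MAX_TXNS_PER_CARD:
            reasons.append("too_many_purchases_on_card")
        return reasons

def demo():
    """Constructed sample: four different cards used from one IP within an hour."""
    fs = FraudScreen()
    base = dict(ip="203.0.113.7", ip_country="US", card_country="US", brand="visa",
                cvv_match=True, avs_match=True, amount=40.0)
    return [fs.screen(dict(base, card_token=f"tok{i}", time=1_700_000_000 + 600 * i))
            for i in range(4)]
```

The fourth card from the same address trips the per-IP rule while the first three pass; geolocation of the IP address is assumed to have been done upstream and supplied as ip_country.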
Chargebacks
A chargeback is when the client bank forces a refund. They come with a fine. Chargeback rates over 1% of transactions can result in the loss of merchant banking services. Steps to reduce chargebacks include:
- Delay billing the customer until they receive the product. Our solution uses pre-authorization.
- State the conditions for return on the receipt.
- Put a name recognizable to the client onto their credit card statement.
- Keep journals for prior chargebacks to identify possible recurrences.
- Sign up with Ethoca and Verifi to get notified of pending claims.
- Confirm online purchases with an email or text message.
- Suppress double payments.
Shipping Fraud
Shipping fraud is when the customer claims they did not receive the product when they did. There are several ways to protect yourself:
- Retain tracking numbers with the order.
- Use the Address Validation Service (AVS) provided by the credit card company and compare it with the shipping address and the geolocation of the IP address making the request.
- Compare the address to prior purchases from that location.
- Limit shipments to a geographic region.
- Pack products to prevent damage in shipment.
- Reject postal boxes as shipping addresses.
Return Fraud
A fraudulent return is getting products back that do not conform to the terms and conditions. Preventative measures include:
- Ensure the serial number on the product sent matches the returned item.
- Verify there is an appropriate amount of wear and tear for the situation.
- Analyze the data collected from transactions for suspicious activity.
- Blacklist shipping addresses with too many returns.
- Validate ship-to addresses with a third-party service.
Web Browser Security
The web server can configure several security settings in the browser. They modify how the browser manages the connection and the loaded web page. The following chart shows the percentage of websites with each security setting; each setting is described further down.
Cross-Site Scripting (XSS)
XSS is when the browser collects data from one website and shares it with another. The protection is enabled by default when the browser starts. E-Commerce websites need to leave it on.
Content Security Policy (CSP)
The CSP restricts where the web page can get data. It is a superset of XSS because it includes data and content. The granular configuration sets each content type individually. For example, our website allows CSS content inline for better performance, but other resources come from the website. The web server enables the settings by adding a policy to the HTTP header on the page. It is an implicit requirement of PCI-DSS Version 4, which comes into force in 2025.
Inline Frames (iframe)
An inline frame is a webpage inside a webpage with a virtual firewall isolating them. Most e-commerce websites use it to collect credit card data because that eases PCI scope for merchants. However, it adds design complexity, slows response times, caps functionality, and limits graphical options.
HTTP Strict Transport Security (HSTS)
HSTS forces connections from HTTP to HTTPS. It protects clients from DNS spoofing. Spoofing is when DNS routes requests to a compromised website on a different IP address.
HSTS comes in two flavors. One gets triggered after the first website connection and remains in place based on the settings provided by the server. The user can clear it, but not with the standard history removal. An enhanced option adds protection for the first connection to the website by embedding the HSTS into the web browser. The website administrator enables the enhanced option by submitting the domain name to a registry service.
There is no PCI requirement for HSTS, and only a tiny fraction of websites implement it, but the growth rate is substantial. The work effort to implement it and the risk to the website are trivial.
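A checker for the CSP and HSTS headers described in the two sections above, run against a constructed response; this is an added example, not code from the page or from our solutions. The sample headers, the one-year minimum max-age, and the policy (inline CSS allowed, everything else from the site itself, as the CSP section describes) are assumptions for illustration.

```python
# Constructed response headers from a hypothetical storefront, not captured from a real site.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'
"""

def parse_headers(raw):
    """Map lower-cased header names to values, skipping the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def check_hsts(headers, min_age=31536000):
    """Present, at least a year long, covering subdomains; 'preload' marks the enhanced flavour."""
    value = headers.get("strict-transport-security")
    if value is None:
        return {"present": False}
    parts = [p.strip().lower() for p in value.split(";")]
    ages = [int(p[8:]) for p in parts if p.startswith("max-age=") and p[8:].isdigit()]
    return {"present": True, "max_age_ok": bool(ages) and ages[0] >= min_age,
            "include_subdomains": "includesubdomains" in parts, "preload": "preload" in parts}

def check_csp(headers):
    """Split the policy into directive -> sources and flag the settings that matter."""
    value = headers.get("content-security-policy")
    if value is None:
        return {"present": False}
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = set(tokens[1:])
    default = policy.get("default-src", set())   # fetch directives fall back to default-src
    return {"present": True,
            "default_self_only": default == {"'self'"},
            "inline_css": "'unsafe-inline'" in policy.get("style-src", default),      # allowed on purpose
            "inline_script": "'unsafe-inline'" in policy.get("script-src", default),  # should stay False
            "frame_ancestors_set": "frame-ancestors" in policy}

def audit(raw=SAMPLE_HEADERS):
    """Run both checks over one raw response and return the findings."""
    headers = parse_headers(raw)
    return {"hsts": check_hsts(headers), "csp": check_csp(headers)}
```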
Certificate Authority Authorization (CAA)
The web browser verifies the encryption certificate provided by the web server for HTTPS connections. It validates the provided key with the CAA supplied in the certificate to prevent a compromised CAA from generating fraudulent certificates for your website. The website administrator can add a CAA record in DNS to instruct the browser to reject all but the specified CAA. Then the browser will only accept a response from the named entities. So it protects against a compromised CAA.
Only 3% of websites have a CAA record, but this continues to rise. The Payment Card Industry does not require it. However, it is easy and low-risk.
DNSSEC
DNSSEC protects against alteration of the DNS data packet with encryption. The standard has existed for a long time, but DNS service providers only started enabling it recently. The following chart shows very few websites use it, but there is a high growth rate, and it has no impact on website deployments.
HTTPS Network Connection
An HTTPS connection encrypts data transmission between the web browser and the server. That masks passwords and credit card numbers. However, it does not hide communication endpoints or the amount of data sent. That protection comes from using the dark web. The dark web is slow, requires non-standard browsers, and masks the server from the client. So e-commerce sites almost always use HTTPS.
The Payment Card Industry (PCI) requires HTTPS connections. Multiple internet initiatives support it. They include browser warnings when entering form data, free SSL certificate services, and hardware acceleration for encryption processing. Compliant e-commerce sites serve all content from HTTPS. They typically still have an HTTP service, but it only redirects to HTTPS. The following chart shows the percentage of websites serving content using HTTPS only, HTTP only, and both.
TLS Protocol
HTTPS encrypts network traffic using the Transport Layer Security (TLS) protocol. It's the same protocol used by email, server login, and any other public domain service with encrypted connections.
The supported TLS versions are 1.2 and 1.3. They work on any current web browser released in the last 12 years. TLS 1.1, 1.0, and SSL 3.0 still exist on websites, but their support ended. So the Payment Card Industry does not support them. The following two charts show the percentage of websites by the newest and oldest versions.
TLS Configuration
The TLS protocol negotiates a cipher suite between the web browser and the server. A cipher suite is a set of algorithms and keys. Due to the continual evolution of security protocols, over 100 active cipher suites exist. So the best practice is to validate HTTPS connections against many current and older web browsers.
The following chart shows the most common non-compliant cipher options in red and suboptimal ones in yellow.
Lacks OCSP
The Online Certificate Status Protocol (OCSP) is a service the certificate authority offers. It lets website administrators disable HTTPS keys before expiration to defend against theft. The web browser and certificate authority implement the protocol. The Payment Card Industry lists OCSP as a best practice.
Lacks AEAD
Authenticated Encryption with Associated Data (AEAD) adds metadata to the encrypted payload. It is embedded into TLS 1.3 and is not in earlier versions. All current web browsers support AEAD. The best practice is defaulting connections to AEAD and only falling back when the browser does not support it. Software must be released after 2020 to support the protocol. Our solutions allow browsers to implement AEAD.
Old Certificate
The Payment Card Industry requires HTTPS certificate rotation at least once a year to protect against undetected theft. The above chart defines an old certificate as having a start and end date exceeding one year. Our solutions rotate keys, and all other security materials, every 90 days.
Key Length
Most HTTPS public keys use the RSA algorithm, but the newer, more secure ones are elliptic curve keys. Longer keys are more secure but slower due to the added computational overhead. An elliptic curve key is more efficient, providing significantly more security for a given key length. The standard RSA length is 2048 bits, which is the minimum acceptable length. Elliptic curve keys of 224 bits offer more protection and similar browser compatibility.
SHA1, DES, RC4, and MD5
A frequent misconception about security patches is they install newer security protocols. In reality, the supported protocols in a given product version never change. Instead, the patches fix defects in the original protocols. That approach makes the software more stable. So a website can run on a currently supported operating system, but the HTTPS protocols are out of support. SHA1, DES, RC4, or MD5 are the most common examples. We install current operating systems that do not support these out-of-date protocols.
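An audit that turns the TLS configuration findings from the sections above (old protocol versions, the red and yellow cipher suites, missing OCSP, missing AEAD, certificate age, key length) into checks over a constructed scan result. This is an added example, not code from the page or from our solutions; the scan dictionary, its field names, and the sample host values are assumptions, and classification relies on IANA cipher-suite naming (a bare trailing "_SHA" means an HMAC-SHA1 MAC).

```python
from datetime import date

AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")      # AEAD modes recognisable in IANA suite names
LEGACY_ALGORITHMS = ("RC4", "DES", "MD5")       # "DES" also matches 3DES suites on purpose
OLD_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
MIN_KEY_BITS = {"RSA": 2048, "EC": 224}         # the page's minimum acceptable lengths

def classify_suite(name):
    """'red' for the page's out-of-support algorithms, 'yellow' for non-AEAD suites, else 'ok'."""
    up = name.upper()
    if any(alg in up for alg in LEGACY_ALGORITHMS) or up.endswith("_SHA"):
        return "red"
    if not any(m in up for m in AEAD_MARKERS):
        return "yellow"
    return "ok"

def audit_tls(scan):
    """scan: observations about one HTTPS endpoint; returns findings named after the page's chart."""
    suites = scan["ciphers"]
    return {
        "old_protocols": sorted(v for v in scan["protocols"] if v in OLD_PROTOCOLS),
        "red_suites": [s for s in suites if classify_suite(s) == "red"],
        "yellow_suites": [s for s in suites if classify_suite(s) == "yellow"],
        "lacks_aead": not any(classify_suite(s) == "ok" for s in suites),
        "lacks_ocsp": not scan.get("ocsp_url"),
        # the page defines an old certificate as a validity period exceeding one year
        "old_certificate": (scan["not_after"] - scan["not_before"]).days > 365,
        "weak_key": scan["key_bits"] < MIN_KEY_BITS[scan["key_type"]],
    }

# Constructed scan of a hypothetical host; the values are not from any real server.
SAMPLE_SCAN = {
    "protocols": ["TLSv1.0", "TLSv1.2", "TLSv1.3"],
    "ciphers": ["TLS_AES_256_GCM_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                "TLS_RSA_WITH_RC4_128_MD5",
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256"],
    "ocsp_url": "",
    "not_before": date(2023, 1, 1), "not_after": date(2025, 1, 1),
    "key_type": "RSA", "key_bits": 2048,
}
```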
Cloud Services
Some cloud services comply with the Payment Card Industry (PCI), but many do not. Merchants need to confirm each service in the solution complies. That includes the Domain Name Service (DNS), Content Delivery Network (CDN), and even online services hyperlinked into the web page. They all come under PCI scope.
Network Security
Network design is vital to PCI. Anything inside the same network segment as an e-commerce server and not isolated with a firewall is within scope, even if it never interacts with the e-commerce systems. So the best practice is to minimize PCI scope by creating a network segment just for e-commerce. Better cloud services make that easy.
Private Networks
A private network is a PCI requirement unless compensating controls exist. A private network exists for any device using internal IP addresses, such as home networks. They use Network Address Translation (NAT) to give the request a public IP for internet communications and mask the network architecture.
The private network gets cut into zones or subnets. The best designs only allow one zone to connect with the internet, called the Demilitarized Zone (DMZ). Servers in other zones connect to a service in the DMZ to make an internet connection. That creates a layered defense that is harder for an attacker to penetrate. The following diagram shows a standard network architecture.
Network Firewall
A network firewall blocks internet access to internal services. The capabilities of a commercial firewall typically include the following:
- Block TCP SYN or Denial Of Service (DOS) attacks that flood the website with half-open network connections.
- Block IP spoofing, which protects against the takeover of user sessions.
- Block outbound connections while allowing inbound. That prevents the exfiltration of stolen data.
- Reflect nothing in response to blocked service, which makes it harder for the attacker to fingerprint the technology and reduces loading from Denial Of Service (DOS) attacks.
- Inspect the networking metadata and block anything that looks suspicious.
Encrypted Services protect data transmitted over the internet. Most email service providers support clear text or unencrypted connections. That makes it easy for a man-in-the-middle attack to capture login credentials. Many hosting providers expose unencrypted services on the same IP address as the web server. That is not PCI compliant.
Databases are the most common service exposed to the internet without an application firewall. They optimize for low latency and throughput and lack the application firewall needed for internet connectivity.
Hosting refers to any shared hosting environment not covered by a PCI report on compliance. Shared means many websites use the same server, which applies to most large hosting providers. A more secure approach prevents unknown third parties from gaining login access to shared equipment.
Web Application Firewalls (WAF)
The WAF works on the HTTP protocol. It inspects all traffic and rejects suspicious requests. There are many types of suspicious requests. The more common are:
- Requests from unexpected locations, especially countries with permissive attitudes toward defrauding foreigners.
- High-frequency requests from the same IP address.
- Input forms that look like SQL Injection and brute force password cracks.
- Programming requests not used by the application. Typically that includes HTTP methods such as DEBUG, OPTIONS, DELETE, and PUT.
- Overflow attempts that send excessive amounts of data to compromise overload protections.
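The WAF rules listed above as detection logic run over constructed access-log lines; this is an added example, not code from the page or from any WAF product. The log format, the allowed-method set, the request-size and frequency thresholds, the login path, and the injection pattern are all assumptions for illustration (geolocation is left out because it needs an external IP database).

```python
import re
from collections import Counter

ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # the methods the storefront actually uses
MAX_REQUESTS_PER_IP = 20                    # per log window; constructed threshold
MAX_REQUEST_BYTES = 64 * 1024               # larger request bodies are treated as overflow attempts
MAX_LOGIN_FAILURES = 5                      # 401s on the login path from one IP before blocking
# Injection-style input in a URL-encoded query string (illustrative, not an exhaustive ruleset).
SQLI = re.compile(r"(?:'|%27)(?:\s|%20|\+)*(?:or|and)(?:\s|%20|\+)|union(?:\s|%20|\+)+select", re.I)
# Constructed log format: "<timestamp> <client ip> <method> <path> <status> <request bytes>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def parse(line):
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, size = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "path": path, "status": int(status), "bytes": int(size)}

def detect(lines):
    """Return {client ip: sorted rule names} for traffic a WAF would reject."""
    alerts, hits, login_failures = {}, Counter(), Counter()
    def flag(ip, rule):
        alerts.setdefault(ip, set()).add(rule)
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        ip = r["ip"]
        hits[ip] += 1
        if r["method"] not in ALLOWED_METHODS:
            flag(ip, "unexpected_method")
        if r["bytes"] > MAX_REQUEST_BYTES:
            flag(ip, "oversized_request")
        if SQLI.search(r["path"]):
            flag(ip, "sqli_pattern")
        if r["path"].startswith("/login") and r["status"] == 401:
            login_failures[ip] += 1
            if login_failures[ip] > MAX_LOGIN_FAILURES:
                flag(ip, "brute_force_login")
        if hits[ip] > MAX_REQUESTS_PER_IP:
            flag(ip, "high_frequency")
    return {ip: sorted(rules) for ip, rules in alerts.items()}
# Constructed sample log: one injection probe, one client using PUT and a huge upload, one password-guesser.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 203.0.113.5 GET /products?id=42 200 312",
    "2024-05-01T10:00:01Z 203.0.113.5 GET /products?id=42%27%20OR%201=1 500 280",
    "2024-05-01T10:00:02Z 198.51.100.8 PUT /admin/config 405 120",
    "2024-05-01T10:00:03Z 198.51.100.8 POST /upload 413 2000000",
] + [f"2024-05-01T10:01:{i:02d}Z 192.0.2.9 POST /login 401 250" for i in range(6)]
```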
Firewall Layering
Firewall layering goes from 1 to 3. Layer 1 is fast but only protects networking ports. Layer 2 inspects network traffic based on packet inspection, while layer 3 inspects application-level protocols, which means HTTP for websites. Requests from the internet should pass through each one in succession.
The second meaning of layering is to place a firewall between internal services. The following chart shows a layer two firewall between the database and the web server.
Operating System Security
Operating system security applies to the steps taken when installing, configuring, and maintaining software.
Server Hardening
Server hardening audits and updates the configuration of settings. It is complex. E-Commerce websites should stick to technologies with a guide on how to do it. The CIS Benchmarks are popular and free hardening guides. They provide commands that audit and harden hundreds of configuration settings to do the following:
- Turn off unneeded services
- Remove unnecessary software
- Block insecure access
- Audit activity on the system
Software Currency
Out-of-date software leaves websites vulnerable to commonly available exploit tools. The chart below shows that 52% of WordPress websites were outdated. Outdated means the vendor does not provide security patches. These are not compliant with the Payment Card Industry. Even fewer websites apply available security patches. Compliant programming languages, web servers, and databases support multiple versions simultaneously, which provides a window to upgrade versions. However, the window to migrate a single technology may be 18 months or less.
Honey Pot Traps
Honey pot traps lure behavior that should not happen, then block anything taking the bait. Our solutions use them to reduce email and phone SPAM significantly.
Source Code Security
Source code is what builds the e-commerce website. It is an administrative resource requiring added security measures. A secure solution has the following features:
- Stores source code separately from the website rather than on the website itself.
- Places source code in a private location and not public locations that anyone can access.
- Secures access with multifactor authentication.
- Separates source code from the Content Management System and does not mix them at a granular level.