Benjamin Dyer of ecommerce supplier SellerDeck looks at how to keep your online shop secure
It doesn't matter who I talk to about building online shops: businesses, web designers or even potential customers - IT security always comes up.
Online security threats like identity theft, phishing and data loss are just some of the topics that enter discussions about ecommerce. And it’s true: there are genuine problems and security risks you need to address when you sell online.
The central pillar to successful ecommerce is trust. To be a successful online retailer you need to be completely transparent about your security precautions. A lot of this relies on having a well-designed site.
You can reassure your customers with satisfaction guarantees, clear delivery times and a simple returns policy. Make your contact details and company history obvious and display the logos of any industry bodies you belong to.
Customers are also likely to look for the padlock in their browser's address bar before paying online. You provide this by installing an SSL (TLS) certificate for your domain and serving the checkout pages over HTTPS, so that the connection is encrypted and the browser can verify it really is talking to your site.
It’s also very important your business complies with data security regulations. In 2008 the retailer Cotton Traders suffered an attack on its online operation. It lost customers’ details, including their credit card data.
Cotton Traders has a turnover of over £50m, and when a company that size suffers an attack of this magnitude, it’s easy to wonder what chance the smaller guy has.
The answer to the problem comes from the card schemes in the form of the Payment Card Industry Data Security Standard (PCI DSS).
According to the PCI Security Standards Council, PCI DSS is “a set of 12 requirements designed to secure and protect customer payment data”. Complying with PCI is complicated. The rule book is huge and understanding it correctly is no easy task.
However, in order to accept card data online you have to be compliant - so how does a small online merchant achieve this? It’s not as hard as you might think: you just make it someone else’s problem.
The UK has a number of payment service providers (PSPs). The most well-known are perhaps PayPal and WorldPay - my company also has one, SellerDeck.
To comply with PCI DSS, choose a PSP which is already compliant. When a customer purchases from you, they are redirected to the PSP's hosted payment page to pay. The credit or debit card data is entered on, and held by, the PSP's secure, compliant infrastructure and never reaches your own servers. Because you do not store, process or transmit card data yourself, your compliance burden shrinks to the minimum (typically the shortest self-assessment questionnaire), although you remain responsible for making sure the pages that send customers to the PSP cannot be tampered with.
Every online shop will suffer attacks from fraudsters at some point. They may attempt to obtain goods using stolen credit cards or by other, similar means.
To minimise the risk from fraudsters, find a PSP which takes extra anti-fraud measures on top of PCI DSS. For instance, look for:
If your PSP takes these extra precautions, mention it on your website. This will offer added reassurance to your customers.
You can also keep an eye out for fraudulent transactions. Fraudsters tend to buy high-value items, choose the fastest shipping method and use 'disposable' contact details like free email addresses and mobile phone numbers. None of these is proof on its own, since plenty of honest customers do each of them; it is the combination that should prompt a closer look.
If you suspect an order is fraudulent, you can ask the customer to send proof of their name and address by fax, or phone them back to ensure the number is genuine. Most fraudsters will give up at the first hurdle.
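As an added illustration of the screening step above (this is example code written for this article, not SellerDeck's own fraud checks), the following rule-based screen scores each incoming order against the signals just described and flags those that stack up several of them for a manual check. The point values, the £500 threshold, the free-mail domain list, the shipping method names and the UK mobile prefix test are all assumptions chosen for the example, and the sample orders are constructed.

```python
# Added example: rule-based screening of orders for manual fraud review.
# The signals come from the article (high value, fastest shipping,
# disposable contact details); thresholds and lists are assumed values.
from dataclasses import dataclass, field
from typing import List

HIGH_VALUE_GBP = 500.0                                   # assumed threshold
FASTEST_SHIPPING = {"same_day", "next_day"}              # assumed method names
FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com",         # assumed list
                     "yahoo.com", "outlook.com"}
REVIEW_THRESHOLD = 4                                     # assumed score cut-off


@dataclass
class Order:
    order_id: str
    total_gbp: float
    shipping: str
    email: str
    phone: str


@dataclass
class ScreenResult:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def is_uk_mobile(phone: str) -> bool:
    """True if the number looks like a UK mobile: 07... nationally or
    +447... internationally (a simplification assumed for this example)."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return digits.startswith("07") or digits.startswith("447")


def screen_order(order: Order) -> ScreenResult:
    """Score one order. Each signal is weak alone, so points accumulate
    and only a combination pushes the order over the review threshold."""
    result = ScreenResult()
    if order.total_gbp >= HIGH_VALUE_GBP:
        result.add(2, "high-value order")
    if order.shipping in FASTEST_SHIPPING:
        result.add(2, "fastest shipping method")
    domain = order.email.rsplit("@", 1)[-1].lower()
    if domain in FREE_MAIL_DOMAINS:
        result.add(1, "free email address")
    if is_uk_mobile(order.phone):
        result.add(1, "mobile phone number")
    return result


def needs_manual_check(order: Order) -> bool:
    return screen_order(order).score >= REVIEW_THRESHOLD


def flagged_orders(orders: List[Order]) -> List[str]:
    """IDs of orders that should be held for the proof-of-address or
    call-back step before dispatch."""
    return [o.order_id for o in orders if needs_manual_check(o)]


# Constructed sample orders (not real data).
SAMPLE_ORDERS = [
    Order("A1001", 899.00, "next_day", "j.smith@gmail.com", "07700 900123"),
    Order("A1002", 45.00, "standard", "accounts@acme-widgets.co.uk", "020 7946 0000"),
    Order("A1003", 650.00, "standard", "mary@acme-widgets.co.uk", "+44 7700 900456"),
]

if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        r = screen_order(o)
        print(o.order_id, r.score, r.reasons, "REVIEW" if needs_manual_check(o) else "ok")
```

Only A1001 reaches the threshold: it combines a high value, next-day delivery, a free email address and a mobile number. A1003 is high-value with a mobile number but ships standard to a company email address, so it passes; raising or lowering REVIEW_THRESHOLD is how you trade missed fraud against honest customers being delayed, and the reasons list tells the person doing the call-back what to look at.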
Finally, remember that cybercrime is a growing industry. Highly competent criminals are motivated by the significant financial gains they can make. Securing your online store and complying with regulations is essential.