Being able to shop with confidence and peace of mind is essential to a great customer experience. Give your customers an online shopping experience they can trust with our guide to eCommerce security threats.
eCommerce security is a combination of standard website security with extra measures in place to protect both your customers and your business from fraud. As an eCommerce business, the transactions that take place on your site need to be securely managed. Customer data needs to be protected, and you need to protect yourself from exploits that might be used to defraud your business. This guide will help you identify threats and take practical steps to tackle them.
Phishing refers to methods used by attackers to trick victims into sharing private information, such as passwords, account numbers, and answers to secret questions.
eCommerce businesses are particularly vulnerable to this type of security threat because they can be both victim and unwitting criminal accomplice.
As a victim, you may be the target of a scam. Someone gets in touch, appearing to be a vendor or supplier, and tricks you into paying a fake invoice or sharing personal details.
The scarier situation is when you become an unwitting accomplice to cybercrime. As an eCommerce store, you hold private data on your customers that needs to be managed. A scammer may impersonate your business to trick your customers into handing over their private information.
Use an email campaign to inform your customers that you’ll never ask for a password. This will help them spot potential phishing scams.
Credit card fraud remains the most common security threat facing eCommerce sites. It’s difficult to trace and still so easy to commit. Detecting a fraudulent transaction is a crucial first step, but it isn’t easy, especially if your site processes hundreds of transactions a day.
To protect your customers and your business, it’s important to detect fraudulent transactions before any payment is taken. If you fail to do this, not only will you lose valuable inventory, but it’s your responsibility to pay back whoever’s card has been scammed.
eCommerce merchant losses to online payment fraud will be $17 billion in 2020.
Malware is software that’s been designed by cybercriminals with the intention of accessing, or causing damage to, a network. Inserted into web pages through techniques like SQL injection, malware files can allow hackers to:
eSkimming refers to methods of stealing personal data from payment processing pages on eCommerce sites. It’s a significant security risk in eCommerce because the malware infects checkout pages to steal shoppers’ payment and personal information.
These methods allow hackers to capture customer payment information in real-time as soon as the customer accesses the payment page.
If you’re a company that has a heavy volume of credit card numbers being inputted into your website, at that point, you’re probably at a higher risk [of eSkimming attacks].
Herb Stapleton, Section Chief, FBI Cyber Division
The internet is home to good bots and bad bots. Bots are automated programs designed to perform a specific task on the web. Good bots perform a whole host of useful actions, from automation to calculation, freeing you up to do other tasks or improving the customer experience. But bad bots are designed to cause your business harm.
Recently, bad bots have evolved to mimic real human workflows across web applications to “behave” like real users. Bad bots can be a security threat to your eCommerce site in several ways, depending on how they’re designed, including:
Bots can be programmed to test stolen credit card numbers and figure out CVVs. They test in your checkout repeatedly until they’re successful. Once the hacker has this information, they’ll be able to buy whatever they like in someone else’s name.
Hackers can send out bots with stolen usernames and passwords to try combinations on many different retail sites until they’re successful. Once in, the hacker has free rein to place orders, steal more card details, and perform similar fraudulent activity.
Price scraping bots can be sent by competitors to monitor your pricing, pricing strategy, inventory levels, marketing plans, and more, allowing them to undercut your prices or outrank you in search engine results.
Bad bots account for over 20% of all eCommerce traffic.
Customers want personalisation, but data protection is one of their biggest concerns. How do eCommerce stores balance this equation?
Data has huge value, but as we have seen in the wake of GDPR, more people than ever are wary of sharing it with retailers. They’ll only share their data for the right price, and for e-tailers, that price comes in the form of a better customer experience.
In the wake of GDPR, eCommerce sites have had to change their cookie policies in line with regulations. This has led to a huge reduction in the consumer data sites like yours have at hand to improve customer experience. In response, many businesses have taken steps to show their customers that sharing personal data is both safe and beneficial.
98% of marketers agree that personalisation helps advance customer relationships.
If you’re struggling to convince people to share their personal data, here are a few tips.
As well as reminding visitors about the benefits of a great user experience, you can incentivise them to share data, too. For eCommerce sites, this commonly manifests in a newsletter subscription.
You can offer specific deals to customers that are most relevant to their interests in exchange for their email subscription. When your customers recognise the value, they see more reasons to share data.
Privacy and security are key concerns to many shoppers. You can alleviate these concerns by presenting your website in a way that looks trustworthy. Just like a bank, if you look secure, people will trust you.
This can be achieved in several ways, which we will discuss later, but the key is to shout about it. If you have an ISO accreditation, make it clear on your website. If you use a trusted third-party payment provider, like PayPal or Klarna, make that known too. Design your site in a way that celebrates security, rather than grudgingly acknowledges it.
GDPR recommends that you should only collect what you need. So, when building forms, use the fewest number of fields you need to provide the best service possible. This also improves the customer experience because you present fewer hoops to jump through.
‘Data minimisation’ is an ethos applied to data handling - only let people who need to use the personal data access it. And, when it comes to access, eCommerce website security plays a key role.
Use data to find out what your customers want, then give it to them.
One of the biggest returns your customers can get from sharing their data is a personalised experience.
Even something as simple as a greeting can improve the customer experience on an eCommerce website. When Ashley logs into their account and is greeted by a “Hi, Ashley!” on the page, they feel a connection with your brand that builds loyalty and advocacy.
Look for opportunities to work personalisation into those meaningful customer contact points – from emails and chat bots, to on-page content and product delivery. We all like to feel looked after, and using personal data allows customers to feel like they’re getting a personal service.
But not all personalised experiences require collecting and storing a lot of personal data. You can provide your customers with a personalised search and navigation experience without having saved any of their demographic data.
Thanks to machine learning, it’s possible to analyse customers’ past and present behaviour and tailor results to their personal needs. While customer purchase intent may change between each visit to your site, preferences don’t. So, you need to consider both: tailor results in real time, and deliver a consistent experience by remembering preferences for the next visit. This way, a solution like Loop54 improves the relevancy of results and predicts each visitor’s exact need without accessing sensitive data.
The same logic can be applied to category listings, replacing drag and drop merchandising, as well as if-this-then-that rules for generalised customer segments with truly personalised results.
Not only does this make shopping more pleasurable for the customer, it improves the chance of that customer buying from your site.
Personalised experience isn’t just about making a connection with your customer. It’s also about streamlining the process from visiting your site to completing a purchase. This is where personalisation demonstrates its most direct commercial impact and it’s as simple as giving your customer the easiest way to pay.
If you know they always use PayPal to pay, allow them to select that payment option first. If you know they use a credit card, offer to securely save the details so next time they don’t have to type all those numbers in again.
Site-search data provides a direct insight into your customers’ shopping behaviour, so it’s always worth examining. It’s often as if your customers are sharing their shopping list with you, and you can follow and predict new trends in real time.
If you know people are searching for products you don’t sell, it might be worth adding those products to your inventory.
If you only do one thing to secure your site, get an SSL certificate. It can help prevent hackers from intercepting information as it passes through your eCommerce site.
SSL (Secure Sockets Layer) certificates are turnkey solutions that encrypt data exchanged between the web browser and the server. It’s the best form of online security you can provide your customers.
In addition to providing an additional layer of security over and above the firewall, an SSL also helps in amplifying the trustworthiness of the website. Once you’re certified, the address bar of your store will show a padlock symbol.
Configuring your website with an SSL certificate will also make it compliant with PCI DSS standards, giving you extra benefit.
You can also identify bad bots through non-human behaviour, like firing requests from the same IP address in rapid succession. This can be a sign that a bot is trying to penetrate your network, and it can be dealt with by rate limiting requests.
Your site should also feature CAPTCHAs. Completely Automated Public Turing tests to tell Computers and Humans Apart (CAPTCHAs) can stop bots from registering fake accounts and gaining access to other users’ sensitive data. They can be slightly annoying for your returning customers, but CAPTCHAs are well worth implementing as a first step towards battling bad bots.
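One way to spot the rapid-fire checkout and login traffic described above, as an added example that is not part of the original guide: a sliding-window detector that flags an IP either for hammering a watched endpoint or for racking up declines (the log format, endpoints and thresholds are assumptions, and the log lines are constructed).

```python
# Added example (not from the guide): flag source IPs that hit the checkout or
# login endpoints faster than a human could, or that collect many declines in
# a short span, which is what card-testing and credential-stuffing bots produce.
# Log format, endpoints and thresholds are assumptions; the log lines are constructed.
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log sample: "<timestamp> <ip> <method> <path> <status>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.7 POST /checkout/pay 402
2024-03-01T10:00:01 203.0.113.7 POST /checkout/pay 402
2024-03-01T10:00:01 198.51.100.20 GET /products/123 200
2024-03-01T10:00:02 203.0.113.7 POST /checkout/pay 402
2024-03-01T10:00:03 203.0.113.7 POST /checkout/pay 402
2024-03-01T10:00:04 203.0.113.7 POST /checkout/pay 200
2024-03-01T10:00:30 198.51.100.20 POST /checkout/pay 200
2024-03-01T10:01:00 192.0.2.9 POST /login 401
2024-03-01T10:03:00 192.0.2.9 POST /login 200
"""

WATCHED = {"/checkout/pay", "/login"}  # endpoints bots hammer (assumed paths)
WINDOW_SECONDS = 10                    # sliding window length
MAX_ATTEMPTS = 4                       # more than this per window from one IP is non-human
MAX_FAILURES = 3                       # this many declines/failed logins per window is suspicious

def parse_line(line):
    ts, ip, method, path, status = line.split()
    return datetime.fromisoformat(ts), ip, method, path, int(status)

def find_bursty_ips(log_text, window=WINDOW_SECONDS, limit=MAX_ATTEMPTS,
                    max_failures=MAX_FAILURES):
    """Return {ip: reason} for IPs whose watched POSTs exceed `limit` within
    any `window`-second span ("burst") or whose failed attempts in that span
    reach `max_failures` ("declines"). The first reason seen is kept."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, failed?) for watched POSTs
    flagged = {}
    for line in log_text.splitlines():
        ts, ip, method, path, status = parse_line(line)
        if method != "POST" or path not in WATCHED:
            continue
        q = recent[ip]
        q.append((ts, status >= 400))
        # drop entries that have fallen out of the sliding window
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        failures = sum(1 for _, failed in q if failed)
        if len(q) > limit:
            flagged.setdefault(ip, "burst")
        elif failures >= max_failures:
            flagged.setdefault(ip, "declines")
    return flagged

if __name__ == "__main__":
    for ip, reason in find_bursty_ips(SAMPLE_LOG).items():
        print(f"rate-limit or CAPTCHA-challenge {ip}: {reason}")
```

The flagged IPs are the ones to throttle or send to a CAPTCHA challenge; the human shopper and the slow login retry are left alone.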
Security threats are always evolving and so are their countermeasures. Every time a vulnerability appears, it needs fixing. If you use a SaaS eCommerce platform, it’s likely that security updates happen automatically. But if you have an on-premises eCommerce platform, implementing updates, bug fixes, or vulnerability patches falls on your business.
Following on from the advice from GDPR, make sure that the fewest number of parties have access to your customers’ data. So, regularly review your third-party plugins and APIs to make sure you still need them. Make sure that you know what they are and that you still trust their product.
Unlike other websites, eCommerce sites require an extra layer of security. Because transactions take place there, e-tailers need to protect their business and their customers from fraud.
PCI DSS compliance is a must-have for any website that transacts money online. PCI’s Data Security Standard is adopted by every branded credit card company in the world. It’s a universally accepted yardstick for eCommerce security, establishing the website as one that is safe to transact money with.
Third-party payment solutions, such as PayPal, can help you maintain PCI compliance. A third-party payment gateway can securely handle customer financial data on your behalf, so you don’t have to store your customers’ credit card details. Not only does this give even the smallest eCommerce site a vital appearance of trustworthiness, you’re less of a target for hackers because they know they won’t get any valuable card details from you if they attack your site.
The “three numbers on the back” are a card’s CVV, or card verification value. These codes act as a security measure for CNP (card-not-present) transactions, since online merchants cannot check customers’ signatures. The CVV is stored either in the magnetic stripe on the back of the card or in the chip of a chip-and-PIN card.
Merchants are not allowed to store CVV codes in any way if they want to maintain PCI compliance, which makes them fantastic fraud-prevention tools. Since no one has them stored, CVVs cannot be stolen from other people’s servers. So, if a customer uses the right CVV, you can trust that they physically have the card.
Make sure you, your employees, and your customers implement good practices for strong passwords. But, in a world in danger of password overload, we all feel the pressure of creating new passwords.
Since your eCommerce site requires people to use passwords, help your customers by creating a page with security tips and advice, or even a password generator. When asking customers to create passwords, let your customers know the criteria you have for passwords on your site to help them create a secure, yet memorable password.
Sharing the burden of online security also helps present a reassuring brand image, which will help your business’s reputation.
Fraud is not a new concept. But, while it was once limited to the physical theft of a credit card, online fraud is far more prevalent today. New technologies, payment methods, and data processing systems expose eCommerce sites to new forms of fraud every day.
For eCommerce retailers, it’s hard to identify when a customer is using a stolen card. They might have been a genuine customer for years before committing the fraud.
According to Riskified, among victims of credit card fraud, more than 1 in 4 blamed the eCommerce site that approved the fraudulent purchase.
This fear of blame is costing even more than the fraud itself, as e-tailers unnecessarily reject good customers. 30% of customers claim to have had an order cancelled and those incorrectly declined shoppers are no doubt quick to move to a competitor.
Here are 10 credit card fraud red flags:
E-tailers take payments from customers based on trust. But without the certainty of chip and PIN, eCommerce stores expose themselves to something known as “friendly fraud”. This is when genuine customers illegitimately dispute a purchase with their bank instead of contacting you for a refund. They might claim:
Representment is the process of “re-presenting” a transaction to the cardholder’s issuing bank.
The bank honours their customer and you, the e-tailer, must endure the cost. If you don’t recognise and dispute this, a significant amount of money is unnecessarily lost. It’s thought that eCommerce retailers globally lose $40 billion a year to this activity.
If you suspect a fraudulent chargeback because, as far as you are concerned, the customer got the item they ordered, you can dispute the claim by undertaking representment.
To dispute a chargeback claim, you need to be able to substantiate the validity of the transaction. When representing a transaction, supply supporting documentation to prove your case, such as:
Account takeover happens when a fraudster gets access to one of your genuine customers’ accounts. From an eCommerce retailer’s perspective, this amounts to identity theft. Once they have access, the fraudster can make legitimate-looking purchases, spend loyalty points and credits, or even sell the account to another person.
Account takeover is a significant threat to eCommerce businesses. It’s not as common and the financial cost is not as high as for chargeback fraud. But there are other costs involved with account takeover: an incident can deal a serious blow to your reputation when victims complain publicly, and if managed badly, it can put a huge dent in customer loyalty and retention.
While it’s almost impossible to completely eliminate the threat of fraud for eCommerce stores, you can help prevent it by keeping your network security systems up to date. Firewalls and antivirus software are designed to act as a shield against hackers’ attempts to penetrate a secure network and access your and your customers’ information.
There are several ways to protect your business against fraudulent payments specifically.
However, this must be done elegantly, so it doesn’t have a negative effect on a customer’s experience. There’s a fine line between feeling safe at the checkout and being made to jump through hoops just to pay at your favourite store. Here, again, you can use customers’ behavioural data to identify the parts of your eCommerce store that are causing friction and work to optimise them for both security and customer experience.
Do the right thing – for your business and your customers: take precautions to ensure your eCommerce site is well defended against cybercriminals, so your shoppers get a frictionless shopping experience.
Shoppers expect the same level of relevance and personalisation online as they experience in-store. Powered by Machine Learning and built exclusively for eCommerce, Loop54 delivers that exceptional online shopping experience.