Protect Your Customers’ Data on Shopify
As we've seen during the last two years, several businesses rushed to open eCommerce stores in order to meet the pandemic market's demand. With physical stores becoming restricted, an increasing number of businesses have decided to establish and create eCommerce sites in order to swiftly extend their services and offers, such as allowing customers to purchase online, curbside pick-up, and same-day delivery.
The pandemic pushed the migration to e-commerce platforms from five years to just a few months, making cybersecurity a must for today's retail store owners.
In addition to safeguarding your company from financial damage, securing your customers' sensitive data is a top responsibility for every retail business – simply because you are doing it not just for yourself, but also for your customers’ and their privacy.
A security breach may have disastrous consequences for a small business. Large companies, such as Target, may have the means to recover from a stolen data breach, but smaller businesses might not always.
Because hackers' tactics and targets are becoming more sophisticated, it is critical for eCommerce business owners to take the necessary precautions to safeguard their customers' data.
Not only is there a moral obligation to keep customer data safe, but protecting your customers' information is also mandated by law. The Payment Card Industry Data Security Standard (PCI DSS) was created by major credit card companies (Visa, MasterCard, and Discover) as a way to protect customers against fraudulent activity.
In order to comply with PCI DSS standards, you must:
- Never store sensitive authentication data after authorization or settlement.
- Protect stored data with appropriate security measures (e.g., encryption).
- Protect all systems against malware and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
To secure your customers' privacy, you must understand what information should be kept private and what information should not be shared on social media or other platforms. Deloitte has identified the following types of customer data:
- Account: Personal and transactional data, such as name and address
- Location: Physical location through mobile phone location, and virtual location through IP address
- Browsing: Browsing habits, including what, when, and where
- Profile: Data from third parties, such as demographics and social media
Customer data security is a vital aspect of running an eCommerce business. You want to ensure that all of your consumers feel safe when they visit your website and that their information is never compromised.
It is also vital to comprehend how hackers gain access to sensitive data so that you can take preventative measures in the future.
- Spam emails
Hackers might write to you on behalf of the name of the company they're purporting to represent (for example, Shopify) and ask you to verify your bank account or credit card information.
Some businesses have received letters indicating that Shopify is holding their payments until their account information is updated. Others received emails from bogus customers claiming that a payment had failed or that their account had been locked and they needed assistance.
If you are unsure about the validity of an email, do not click on any links or open any attachments it may include - even if it appears to be from Shopify!
Check with Shopify themselves by calling them and sending them a screenshot of the email to verify ([email protected]). Don’t just give out your details without checking.
- Be aware of phishing
In connection with spam emails, you might receive an email with a link asking you to verify your data and log in to your Shopify account.
Phishing refers to fraudulent attempts made by attackers to obtain personal information such as credit card numbers and usernames and passwords.
The attacker will usually lure you into giving away the information by sending you an email that appears to come from a reputable source, like your bank or credit card company. They may direct you to click on a link that takes you to a website that looks like it belongs to a trusted brand, but in reality, it’s fake.
Once there, they ask you to enter credentials—like your username and password—or provide other sensitive information like your social security number or credit card information. The website may even ask for payment for some kind of service in order to trick you into providing personal information. These could expose your account as well as your customers’ data.
- Sketchy apps
One of the most common things we see is hackers coming in through an app from the Shopify App Store, which is installed on a merchant’s site. A lot of time, merchants don't realize that those apps are vulnerable, and the hackers can use them to get in.
Some hackers will come in through abandoned apps that haven't been updated in a while. A lot of time it’s just because there are new features in the app store and you've got to upgrade to the latest version of the app for security reasons.
The best thing to do is to make sure you're running up-to-date software on all your apps and your website. If you're running old software or outdated plugins, you're going to be vulnerable to hackers.
- Weak themes or code
Unfortunately, editing your theme code can put your site at risk of hacking. Unless you're a certified developer with coding experience and security knowledge, we do not recommend making any changes to your theme code.
- Brute force attack
A brute force attack is an attempt to gain unauthorized access to a website by trying every possible combination of usernames, passwords, and other login details. The hacker often uses scripts or bots to run through these combinations as quickly as possible. If you have a strong password, this can take a while, but if you have a weak password or use something really common like “1234″ or “password,” then this method is quick and easy.
- SQL injection attack
A hacker might try to steal your customer’s credit card details directly from your store’s checkout. If your site uses software that doesn’t protect credit card information, a hacker might try to steal their credit card details directly from your store’s checkout. This kind of attack is called an “SQL injection attack” because the hacker sends requests to your database via SQL. To prevent this kind of attack, use software that allows for “parameterized queries”; this adds in an extra layer of security against hackers.
What can you do now to protect your customers’ data?
- Prevent brute force attacks by doing security measures
There are many ways you can counter brute force attacks. You could enable two-factor authentication (2FA) so that any user attempting to log in must provide their username, password, and another unique piece of information they have access to, such as their cell phone number or an email address.
Make sure that you also don’t disable the use of Caps Lock so that brute force bots don’t accidentally enter your customers’ passwords in the wrong case.
You can also lock out users after a certain number of failed login attempts so that hackers can’t guess an unlimited number of passwords. Implementing a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) on your login page that requires users to solve an easy but unique puzzle before attempting to log in can also stop automated bots from gaining access.
- Update software regularly.
Always update with the latest patches to avoid vulnerabilities. Many retailers still use outdated software that has known vulnerabilities — hackers can exploit this by gaining access to your database, or even taking control of a server.
You should always install the latest patches for all the software you use. This includes your operating system and any third-party applications — especially if these applications have access to customer data such as usernames and passwords.
If you’re using an eCommerce platform like Shopify, keep it up-to-date with the latest version and security updates. A managed platform will handle most security updates automatically — it’s important that you don’t disable this feature.
- Train employees
You can’t do all the work by yourself. Staff must be informed of the hazards associated with opening email attachments or clicking on links from unknown sources since these might result in malware or virus infection. This is best addressed as part of a comprehensive security education program.
Employee training that truly works is a key part of phishing protection. The majority of security training in the workplace nowadays is either done once a year or at employee onboarding. If you have a program in place, you can also do refresher courses to keep the team up to speed and update their knowledge in case there are new scams or major changes on the website in connection with customer data and security.
- Use strong passwords.
Use a combination of letters (upper case and lower case), numbers, and symbols that are at least 8 characters long.
- Protect customer payment information.
Make sure you have SSL protection on your website so customer payment information is encrypted during checkout.
- Use a firewall.
A firewall can block intruders from getting into your system by blocking the ports they use to gain access or by monitoring traffic for suspicious activity (like a high number of login attempts).
- Run regular security scans.
The next thing you need to do is run regular security scans on your own website, so you can discover any vulnerabilities before cyber criminals do. There are plenty of different tools available online for scanning websites for malware, SQL injection and other types of vulnerabilities that could be exploited by hackers.
- Choose a reliable payment method
One of the first things you should do when setting up your online store is to choose a reliable payment provider for accepting payments from your customers. There are plenty of payment gateways out there, but not all of them offer the same security features and checkout experience for both buyers and sellers.
When you accept credit cards on your website, you need to have a payment processor in place. The payment processor will be responsible for transferring your customers’ funds from their credit cards into your bank account.
This is a sensitive process because it involves both of your customer’s personal information and financial information. You should always work with a trusted payment processing company like PayPal or Stripe. These companies perform rigorous checks to ensure that their users are who they say they are and that they have the appropriate security in place to protect their customers’ sensitive financial data.
- Work with trusted developers
If you’re using a third-party developer to build or maintain your website or applications (apps), make sure they’re someone you trust. You don’t want to work with non-experts who might leave security holes in your code or systems that hackers can exploit.
Even if they are experts, they should be aware of what security measures they need to take on their end as well as yours, including putting policies in place where employees don’t use the same password for multiple sites or systems, changing passwords frequently, and not sharing them with others, and avoiding writing login credentials down unless absolutely necessary.
With over 400 clients served, Webinopoly is a leading web development agency with an experienced team of designers, developers, and marketers. Webinopoly combines a deep understanding of the eCommerce industry and its latest trends with proven success in building attractive and successful online stores. We specialize in custom BigCommerce and Shopify theme design, website development, marketing, and SEO.
If you’d like to learn more about what we can do or view our portfolio, please click on the links below: