The 7-point Checklist for Security and Privacy in Ecommerce

Nicholas Woodward
Published 12/11/2023
Share this on:

7-point Checklist for Security and PrivacyThe World Economic Forum has identified cyberattacks as one of the biggest risks to global economic stability. The Cybersecurity Outlook Study estimates an exponential rise in cyberattacks in the coming years, costing $11.5 trillion in damages in 2023. The eCommerce industry is one of the 8 most targeted industries for cyberattacks.

The value of eCommerce losses owing to online payment frauds was estimated at $41 billion in 2022 and is set to cross $48 billion by the end of 2023.

The 2022 Visa Threat Report shows that 75% of frauds and data thefts involve eCommerce companies. With the rising threat from cyber attackers, eCommerce companies must focus on improving security measures to safeguard their businesses as well as their customers. To that end, here is a 7-point checklist to help you secure your eCommerce platform against cyber attacks.

7-point Checklist for Security and Privacy in Ecommerce

An eCommerce website can fall victim to a variety of cyberattacks. Hence, you need ironclad protocols for website development and management to fortify the different access points and attack surfaces. Let’s take a look at 7 measures that can help you secure your eCommerce infrastructure.

1. Identify Source Code Vulnerabilities

97% of applications and software in the world use open-source code to some extent. Unfortunately, such codes are riddled with vulnerabilities and open your eCommerce websites to a variety of cyberattacks. The Open Source Security and Risk Analysis report shows that 84% of code bases are plagued by open-source vulnerabilities.

The number of high-risk vulnerabilities in retail and eCommerce sites has risen by 557% since 2018. You need to scan your eCommerce platforms for such vulnerabilities. You can use tools such as Flawfinder, RATS, OpenVAS, OSV-Scanner, etc. to find security gaps in your network. You also need to track security updates and patches for all open-source dependencies employed in your system.

2. Employ Multi-Factor Authentication (MFA)

Passwords are the weakest links in security. Even the most robust passwords can fall prey to phishing attacks. Multi-factor authentication makes it difficult for cyberattackers to access the network resources of your organization. MFA can prevent 99.9% of automated cyber-attacks. It has also proven effective against 96% of bulk phishing attacks and 76% of targeted attacks.

But, an eCommerce platform also needs to consider user convenience when employing multi-factor authentication. Despite the vulnerabilities, passwords are still the most common authentication factor. An eCommerce site can add additional measures to verify user identity.

The first identification is the credentials (username, passwords, etc.) The second one is either a unique auto-generated code sent to the user’s device. 68% of users find mobile push notifications as one of the most convenient authentication methods.

Multi-factor authentication grants robust access control security by confirming the identity of the user through multiple channels. This diminishes the possibility of unauthorized access. It helps prevent an attack even if one of the access channels is compromised.

3. Check Input Vulnerabilities

Injection attacks are among the most common types of cyber attacks that plague eCommerce websites. User input components on your eCommerce website are often vulnerable to such attacks. You need to scan the website for all user input components and define protocols for input data validation.

While most developers use a blacklist for input validation, hackers often find a way around these. Instead, you can use whitelists to validate inputs based on syntactic and semantic criteria that are relevant for various input forms. This helps limit the scope of injection attacks. You also need to test all the input forms for a variety of attacks such as:

  • SQL Injection
  • Cross-Site Scripting
  • Path Traversal & FIle Name Injection
  • System Command Injection
  • Local/Remote File Inclusion

You can reinforce security measures against injection attacks by sanitizing all inputs for malicious code elements such as single quotes (the most commonly used element to initiate SQL injection attacks). Furthermore, you also need to disable data interpretation to prevent injections from being automatically processed.

4. Vulnerabilities in XML External Entities (XXE)

There are a lot of e-commerce websites that parse XML inputs without a well-configured parser. Such websites are at risk as they allow external access to their information, files, and ports. Moreover, there is the additional risk of executing malicious code, as well as causing DoS and DDoS attacks.

Here’s what developers can do:

  • Use class-specific serialization methods when dealing with sensitive information
  • Opt for simpler data formats like JSON
  • Test external DTD for parsing
  • Update XML processors and libraries regularly
  • Implement validation of incoming XML files
  • Test all XML extensions for vulnerabilities

5. Control Session IDs

During web sessions, every user interaction is characterized by variables such as access rights and localization strings. Through session ID fixation, hackers can exploit legitimate sessions to accomplish their goals.

You have to impart protocols for session access through authentication and authorization controls. Then onwards you need to track user activity within the eCommerce web application using session IDs. The common session ID used by web applications discloses a lot of unnecessary information, which can be exploited by a potential attacker.

Cyber attackers can gain information about the programming language, technology framework, and user information by decrypting the session IDs. The session ID content should be built on meaningless information to avoid disclosure. You need to change the default session ID protocols to prevent fingerprinting.

Most cyber-attacks use brute force attacks to identify valid sessions. Hence, you need to ensure that the session IDs generated for your eCommerce websites are long enough to withstand such attacks. GitHub recommends a session ID length of 16 bytes with 64 bits of entropy. You can use a Pseudo Random Number Generator (PRNG) to introduce entropy in your eCommerce website’s session IDs.

6. Secure Transactions with PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) compliance includes guidelines to prevent payment fraud and financial information thefts. The PCI DSS guidelines for eCommerce identify 12 fundamental criteria that help secure transactions for eCommerce order fulfillment. Adhering to these criteria will help secure transactional information during order processing.

Here are a few ways to help your eCommerce website comply with these guidelines:

  • Minimize cardholder data (CHD) storage and retention time.
  • Define protocols for CHD retention and disposal.
  • Render all sensitive authentication data unrecoverable upon completion of authorization.
  • Use cryptography and security protocols for all cardholder information during data transmission.
  • Limit storage of cryptographic keys to minimum required locations.
  • Define protocols for identification and authentication for access to CHD.
  • Implement automated audit trails for all system components with access to CHD.

7. Conduct Regular Tests

Cybersecurity in eCommerce is a recurring practice. As the website grows and evolves, you might encounter new vulnerabilities. You need to conduct periodic tests to gauge the effectiveness of the security measures of your eCommerce website. You also need to conduct these tests to measure how well your security measures can withstand new cybersecurity threats.

Here is a list of important security tests for your eCommerce website:

  • Check for security updates for all components of your website.
  • Test file extensions that contain sensitive data.
  • Check file permissions for all sensitive data.
  • Scan backups and unreferenced files for user information and CHD.
  • Scan robot.txt for sensitive information.
  • Conduct search engine discovery recon for information leakage.
  • Test application entry points for vulnerabilities.
  • Test frameworks for fingerprint web applications and servers.
  • Scan URLs for sensitive information.
  • Test encryption and security protocols for information transmission.
  • Test user authentication and authorization protocols for vulnerabilities.
  • Scan for SQL, XML, X-Path, XSL, SSI, API, and other forms of injections.

Final Thoughts

With a considerable rise in cyber crimes, we know that eCommerce security is crucial. Having multiple security elements is vital as your business scales and flourishes. We hope this checklist helped you understand your eCommerce website’s security and privacy.

About the Writer

The article was written by Nicholas Woodward, the Country Manager at PACK & SEND, a leading and respected brand in eCommerce, logistics, and freight delivery solutions. With over 15 years of experience in the logistics, eCommerce, retail, and franchise industries. Nicholas has thought leadership and expertise across strategic planning, leadership, eCommerce, B2C logistics, and organizational performance & growth. Connect with Nicholas on LinkedIn.


Disclaimer: The author is completely responsible for the content of this article. The opinions expressed are their own and do not represent IEEE’s position nor that of the Computer Society nor its Leadership.