Information Security Strategies for eCommerce Businesses
February 27, 2017
3 min read
12According to The Global State of Information Security Survey 2015, released by PwC, cybercrime rates are rising and are expected to continue. The survey found a 109% increase in number of detected security incidents, heightening concern for Australian eCommerce business owners and customers. Vital customer data such as personal and financial details are at risk of data breaches, which can lead to significant cost to businesses.
Unfortunately, a number of eCommerce businesses may lack sufficient security measures to combat information security threats. Below we recommend some precautions you can put in place to eliminate potential threats.
1. Have Employees Undergo Security Training and Sign Confidentiality Agreements
Online fashion retailer Showpo has recently alleged that a former employee stole their entire customer database and handed it over to competitor, Black Swallow. The story exposed a number of potential weaknesses in the eCommerce industry, and the enduring need for information security management systems compliant with ISO 27001.
When it comes to data security matters involving employees, there are a few simple ways to ensure information is protected;
- Setting requirements for all employees to sign detailed and accurate confidentiality agreements. Depending on the circumstances, it may be necessary to have applicants sign ahead of time, even before job interviews.
- Security training to ensure employees understand their liabilities.
- Employees should only ever gain access to information that is directly related to their responsibilities.
- Staff should know the potential consequences of sharing sensitive data via email, or text, and understand that these communication methods are not necessarily secure.
- Send information security reminders and provide staff with any updates to company protocols and policies.
2. Employ Proper Verification Measures On Your Site
On your eCommerce website, enable an address verification system (AVS) and ask customers for the card verification value (CVV) for credit card transactions. This helps to reduce fraudulent charges, and protects the customer. Supplying this number at the time of authorisation ensures in cases of fraud and subsequent chargeback, the ruling will favour the cardholder. Sites that don’t require a CVV are viewed as less trustworthy, and risky by online buyers.
Setting strong password requirements for customers will also keep your business and customers safe. By asking customers to provide a minimum number of characters and the use of symbols or numbers will make it more difficult for hackers to breach your website from the front end.
3. Avoid Storing Sensitive Data and Records
Storing sensitive data on your customers, especially credit card numbers, expiration dates, and CVV codes, is unnecessary and only puts your business at risk. As a matter of fact, it is forbidden by the Payment Card Industry - Data Security Standard (PCI-DSS).
Limit the amount of data you retain, especially payment details. Customers will often prefer to enter these manually, rather than card details being auto-filled for convenience. Just enough information should be kept on record for possible chargebacks and refunds.
4. Implement an Information Security Management System
Every business should have an information security management system in place to pre-empt and react to threats as they appear. The international standard for information security management systems, ISO 27001 ensures a business’ security is managed effectively.
To learn more about what an information security management system compliant with ISO 27001 can bring to your business, download your free copy of our Information Security Whitepaper below:
Sign up for our newsletter
Stay Ahead: Subscribe for the Latest Compliance Insights and Updates.
We care about the protection of your data. Read ourPrivacy Policy.