eCommerce sites routinely handle sensitive customer data such as payment card details, home addresses, and bank details. This information is a goldmine for attackers, who use it to commit fraud. As a result, eCommerce sites are targets for attacks such as intrusions, phishing, and cross-site scripting, all of which put shopper data at risk, and merchants have a responsibility to protect their customers' data against these threats.
Data protection and eCommerce security have been in the limelight for the past few years. Numerous companies across many industries have reported data breaches, with Adobe, eBay, and Marriott International suffering some of the largest breaches of the 21st century.
These high-profile incidents have caused consumer trust levels to plummet, with a recent survey by McKinsey revealing that only 10% to 20% of consumers have confidence in the security of their personal data across various industries. Additionally, 87% of consumers will not do business with a company if they have concerns over their security practices.
Common security threats that eCommerce sites face include:
Governments have long known the dangers posed to consumers by websites that handle personal information. As a result, there are a number of regulations in place globally that online businesses need to abide by in order to best protect customer data. If these rules are not followed, not only will companies risk losing customers due to lack of trust, they will also incur hefty fines.
As eCommerce merchants usually have customers from different parts of the world, it is vital to have an understanding of the regulations your business is subject to.
If you accept card payments, these standards may apply to you.
One of the most obvious threats to customers of online stores is payment card fraud. PCI DSS was created to tighten controls around cardholder data and reduce card fraud globally. The standard is organised around six goals, each tied to requirements that card-accepting businesses must meet.
There are twelve requirements eCommerce merchants around the world that accept card payments need to meet. (Source: PCI Security Standards)
It is important to note that PCI DSS is an industry standard, not a law. Compliance is mandated by the contracts merchants sign with their acquirer and, through it, with card brands such as Visa and Mastercard. For most eCommerce merchants the standard is enforced mainly after the fact: if a breach is traced to a failure to implement the required controls, the merchant faces fines or sanctions from the card brands.
This regulation covers data and privacy protection for everyone in the European Union and European Economic Area. Businesses that operate outside these areas but serve customers in the EU and EEA are also subject to it. Failure to adhere to GDPR can result in a fine of up to 20 million euros or 4% of a company's annual worldwide turnover, whichever is higher.
GDPR is built around seven principles which aim to give European citizens greater ownership and control of their data, as well as placing limits on what organizations can do with personal data. The seven principles are:
Furthermore, businesses must report a personal data breach to the relevant supervisory authority (the Information Commissioner's Office in the UK) within 72 hours of becoming aware of it, or they could face a fine.
Now that the UK has left the European Union, it is no longer subject to the EU GDPR. Instead, the UK has retained the regulation in domestic law as the UK GDPR, which mirrors the EU version and is supplemented by the Data Protection Act 2018.
The UK Data Protection Act gives its citizens the right to:
This piece of legislation applies to organizations that collect, use or disclose the personal information of Canadian citizens during commercial activities.
PIPEDA calls for businesses to adhere to the following:
In addition to following the above requirements, a breach of security safeguards involving Canadians' personal data that creates a real risk of significant harm must be reported to the Privacy Commissioner of Canada, and the affected individuals must be notified.
Unlike the EU, the US does not have a central federal privacy law. What it has instead are several industry-focused federal privacy laws and consumer-oriented privacy laws enacted on a state-by-state basis.
The US has four federal laws that govern how companies in different fields handle their citizens’ personal data. (Source: Varonis)
Most of these federal laws will not apply to eCommerce merchants, which is why some states have adopted their own laws to protect consumer data. Notably, California passed legislation in 2018 that gives its residents greater rights over the personal data used by online businesses. Rhode Island and Utah implemented similar laws requiring companies to adopt, implement and maintain reasonable security procedures, although what counts as "reasonable" is less clearly defined than under California's law.
Multiple states aim to follow suit, so it is a good idea to understand what the California law entails.
To summarize, the California Consumer Privacy Act (CCPA) gives Californians the right to see the personal information a company holds on them and the categories of third parties it has been shared with. When a resident makes such a request, businesses have 45 days to respond. Residents must also be able to opt out of the sale of their data to third parties. If a data breach results from a company's failure to implement reasonable security, affected consumers have the right to sue. The law applies to qualifying businesses based anywhere in the world that do business in California.
A list of US states aiming to pass well-rounded consumer data protection laws. With the exception of California, all legislation is pending. (Source: Varonis)
With so many rules and regulations, you must be wondering whether your site complies with these standards. Fortunately for Shopify merchants, Shopify has taken steps to ensure it adheres to the majority of these requirements.
Shopify stores only a minimal amount of customer data, which is helpful because almost all of the regulations above require online businesses to practise data minimization. Shopify is also PCI DSS compliant.
The platform also supports two-step authentication on accounts, which limits the damage a phished or reused password can do, since the stolen password alone is not enough to log in.
Traffic between shoppers' browsers and your store is encrypted with TLS, which prevents customer data from being read in transit. Shopify no longer accepts connections using the older TLS 1.0 and 1.1 protocol versions, which have known weaknesses.
Despite the protocols that already exist within the SaaS solution, there are other actions e-merchants can take in order to make their store as secure as possible, as well as making it easier for customer data to be shared with a customer should they ask for it.
Numerous Shopify businesses struggle with manually updating tracking numbers, or with PayPal holding funds for many days when shipments cannot be verified. That is why they look for a lasting way to save time and improve cash flow.
The benefits of adding tracking numbers to PayPal automatically are:
Many merchants use Synctrack to sync tracking numbers to PayPal and Stripe automatically with a single click. Note that a tracking-sync app addresses disputes and payout holds; it is not a substitute for the security measures described on this page.
All of the above regulations give consumers the right to access the information eCommerce merchants store on them. So, should you receive a request, it is crucial that you understand how to obtain and send customer data.
The first step is to verify that the request really comes from the customer in question. Ask for proof of identity, but do not collect more than you need to confirm it (for instance, do not ask for passport numbers). Once the request is verified, go to your Shopify admin page, click Customers, click the customer's name, and select Request customer data. An email containing the requested information is then sent to the store owner. Only the store owner can perform this action.
For more detailed information on processing data requests and erasure requests, head to this article.
To protect your admin account from password guessing and credential-stuffing attacks, use a long, unique password that you do not reuse on any other site. A mix of upper and lowercase letters, digits and special characters like "@" or "%" helps, but length and uniqueness matter more, so a password manager is the easiest way to generate and store one. Turn on Shopify's two-step authentication as well, so that a leaked password alone does not grant access.
To limit access to sensitive information, make use of Shopify staff accounts. You can create an account for each member of staff with only the permissions their role needs, so they can use the admin page without being able to view your customers' personal data.
Limiting access in this way also reduces the damage a compromised staff computer can cause, since an attacker who takes over one account only gains the access that account had.
If you use customer data for marketing purposes or during the checkout process, you must inform your customers of this and allow them to explicitly agree to their data being used for this reason.
On pages with submission forms, be sure to include a link to a document that states exactly how their data will be used. Do not allow customers to hit submit unless they have checked a box to indicate that they have read, understood how their data will be used, and agreed to it being used for the stated purpose.
The European Tour Operators Association prevents users from clicking the submit button unless they check a box to confirm that they have read up on their privacy policy. (Source: ETOA)
Shopify has a free Terms & Conditions Generator that you can use to create terms and conditions in clear, easily understood language that set out the obligations of your website, company, and customers.
If you hire a Shopify developer to customize a tool for your site, make sure the code you hand over does not contain your API keys or access tokens: they are equivalent to your password. An exposed key can give an attacker access to your admin page, letting them take over your store and expose all of its data. Keep keys in environment variables or a secrets store rather than in the code, and if a key is ever shared or committed by mistake, revoke it and issue a new one.
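The following is an added example, not code from the original article or from Shopify, showing a check you can run over a script before sending it to a contractor. It flags Shopify access tokens and any token pasted straight into the header that authenticates Admin API calls, and shows the safer pattern of loading the token from the environment. The token prefixes (shpat_, shpca_, shppa_, shpss_) and the 32-character hex body are assumptions about Shopify's token format; the sample scripts and the token in them are constructed for the example.

```python
import os
import re

# Assumption: Shopify tokens look like <prefix>_<32 hex chars>, with prefixes
# shpat_ (Admin API access token), shpca_ (custom app), shppa_ (private app
# password) and shpss_ (app shared secret). Adjust if your tokens differ.
SHOPIFY_TOKEN_RE = re.compile(r"\b(shp(?:at|ca|pa|ss)_[0-9a-fA-F]{32})\b")

# A quoted literal assigned to the Admin API auth header is a hardcoded secret,
# whatever it looks like; an env lookup (no quotes after the colon) is not matched.
HEADER_RE = re.compile(
    r"X-Shopify-Access-Token['\"]?\s*[:=]\s*['\"]([^'\"]+)['\"]", re.I
)


def redact(secret: str) -> str:
    """Show only prefix and last four characters so a finding can be matched
    to a token without re-leaking it."""
    return secret[:6] + "..." + secret[-4:]


def find_shopify_secrets(source: str) -> list:
    """Return (line_number, kind, redacted_value) for every secret found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in SHOPIFY_TOKEN_RE.finditer(line):
            findings.append((lineno, "shopify_token", redact(m.group(1))))
        for m in HEADER_RE.finditer(line):
            value = m.group(1)
            # Already reported above if it is a well-formed token.
            if not SHOPIFY_TOKEN_RE.search(value):
                findings.append((lineno, "hardcoded_header", redact(value)))
    return findings


def load_admin_token(env=None) -> str:
    """The safer pattern: read the token from the environment at run time.
    Fails loudly instead of silently sending an empty header."""
    env = os.environ if env is None else env
    token = env.get("SHOPIFY_ADMIN_TOKEN")
    if not token:
        raise RuntimeError("SHOPIFY_ADMIN_TOKEN is not set")
    return token


# Constructed sample of a script a merchant might hand to a contractor.
# The token below is fake.
SAMPLE_BAD = '''
import requests
SHOP = "example-store.myshopify.com"
headers = {"X-Shopify-Access-Token": "shpat_0123456789abcdef0123456789abcdef"}
'''

# Same script with the secret moved out of the source.
SAMPLE_GOOD = '''
import os, requests
SHOP = "example-store.myshopify.com"
headers = {"X-Shopify-Access-Token": os.environ["SHOPIFY_ADMIN_TOKEN"]}
'''

if __name__ == "__main__":
    for name, text in (("SAMPLE_BAD", SAMPLE_BAD), ("SAMPLE_GOOD", SAMPLE_GOOD)):
        for lineno, kind, value in find_shopify_secrets(text):
            print(f"{name}:{lineno}: {kind} {value}")
```

Run it over every file before you share a bundle, or wire it into a pre-commit hook; the same check catches a token that was pasted into a support ticket or a chat message.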
By installing TrustedSite and gaining TrustedSite Certification, you can show visitors that your site is safe. The app will run weekly scans that check for malicious links and malware, ensure that the site is not compromised, and check that the site is not blacklisted by Google. On top of this, TrustedSite offers your customers protection against identity theft for 90 days after their purchase for up to $100,000 in losses.
If your staff members have access to your Shopify admin page or handle any customer data, it is crucial to inform them of the importance of protecting data and how to avoid hacking attempts.
Make sure they know the hallmarks of phishing emails: a sender address whose domain does not match the brand in the display name, suspicious attachments such as .exe files, grammatical errors, urgent wording, and links urging them to provide or update their password.
This phishing email looks pretty legitimate, however, the red flags are the suspicious-looking email address which does not use PayPal’s domain together with a call to input credentials. (Source: We Live Security)
Encourage your employees to use a trusted email platform such as Google Workspace, which applies strong spam and phishing filters. Make sure they understand the dangers of sharing passwords, and forbid them from sharing their Shopify passwords with anyone by any means.
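As an added illustration of the red flags listed above (this is example code, not something from the original article or from any email provider), the script below parses a raw email with Python's standard library and reports the same signals a trained employee would look for: a display name that claims a brand while the sender address uses a different domain, links pointing at domains that do not belong to that brand, executable attachments, and wording that pushes the reader to supply credentials. The brand-to-domain table and both sample messages are constructed for the example; the domains in them are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for the example: brands this store expects mail from and the
# domains those brands legitimately send from / link to.
TRUSTED_BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "shopify": {"shopify.com"},
}
URGENT_CREDENTIAL_RE = re.compile(
    r"(update|confirm|verify)\s+your\s+(password|account|credentials)", re.I
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".bat")


def domain_matches(host: str, domains: set) -> bool:
    """True if host is one of the domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def phishing_flags(raw_message: str) -> list:
    """Return a list of human-readable red flags found in the message."""
    msg = message_from_string(raw_message)
    flags = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    # Brands the display name claims to be, e.g. "PayPal Service".
    claimed = [b for b in TRUSTED_BRAND_DOMAINS if b in display_name.lower()]
    for brand in claimed:
        if not domain_matches(sender_domain, TRUSTED_BRAND_DOMAINS[brand]):
            flags.append(f"display name claims {brand} but sender domain is {sender_domain!r}")

    body = ""
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(EXECUTABLE_SUFFIXES):
            flags.append(f"executable attachment {fname!r}")
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            body += part.get_payload(decode=True).decode(charset, "replace")

    if URGENT_CREDENTIAL_RE.search(body):
        flags.append("body urges the reader to supply or update credentials")

    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        for brand in claimed:
            if not domain_matches(host, TRUSTED_BRAND_DOMAINS[brand]):
                flags.append(f"link to {host!r} does not belong to {brand}")
    return flags


# Constructed phishing sample: the display name says PayPal, the address and
# the link do not, and the body demands a password.
PHISH = """\
From: "PayPal Service" <service@paypa1-secure.example>
To: owner@example-store.example
Subject: Action required
Content-Type: text/plain; charset=utf-8

Unusual activity detected. Please confirm your password within 24 hours:
http://paypa1-secure.example/login
"""

# Constructed benign sample from a colleague.
LEGIT = """\
From: "Shop Owner" <owner@example-store.example>
To: staff@example-store.example
Subject: Friday orders
Content-Type: text/plain; charset=utf-8

Order list for Friday: https://example-store.example/orders
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_flags(raw) or ["no flags"])
```

These heuristics are a training aid rather than a filter: a message with none of the flags can still be malicious, and the point of walking through them is to show staff what to look at in the raw headers and links before they click.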
Should your store fall victim to a cyberattack, notify your customers promptly. The regulations described above require you to notify the relevant authority within a set timeframe (72 hours of becoming aware under GDPR), so to be safe, aim to inform both the authorities and your customers within the first 24 hours.
eCommerce security is a key concern for merchants and online consumers alike. Because eCommerce requires the collection and use of personal customer information, merchants should stay vigilant and invest in strong security. In doing so, they increase customer trust, ease the worries many consumers have, and build long-lasting customer relationships.