Intro to Securing an Online Store – Part 2

Last year, we introduced the theme of Securing an Online Store. We talked about how to identify the potential risks and what to look out for. These principles can help in satisfying PCI DSS requirements 8 & 10:

  • Requirement 8 – Identify and authenticate access to system components.
  • Requirement 10 – Track and monitor all access to network resources and cardholder data.

How Can You Avoid the Threats?

Inevitably, the question becomes: what can be done to best avoid these threats, or at least to be protected against them?

The truth is, you can’t avoid the risks, which is why in our previous post we emphasized reducing the attack surface rather than trying to remove it altogether.

Web security is about risk reduction, not risk elimination. Risk will never be zero.

In this post, we’ll cover what you’ll need to defend yourself against threats and how these will align with a number of PCI requirements you’ll need to meet at the same time.

How to Defend Against Threats

Let’s consider for a moment what the website is. AlertLogic once stated:

“Web applications are the soft underbelly of your organization – the number one means by which attackers breach data.”

If web applications are the soft underbelly, a defensive strategy starts with understanding that you need to cover it up. Also, if your site is found to be non-compliant with PCI standards, you could face serious consequences beyond fees.

Last year, according to a report from Kaspersky Lab:

“The average cost of a data breach in North America was $1.3 million for enterprises and $117,000 for small and medium-sized businesses.”

What Should I Do to Protect My Online Store?

Web Application Firewall (WAF) technologies are key to this task; in fact, PCI DSS requires you to meet two requirements that address this need as part of maintaining a defensive strategy.

We have two excellent posts by one of our founders, Daniel Cid, that speak on these requirements further:

Requirement 1: Build and Maintain a Secure Network – Install and maintain a firewall configuration to protect cardholder data.
Requirement 2: Build and Maintain a Secure Network – Do not use vendor-supplied defaults for system passwords or other security parameters.

Another benefit of having a Web Application Firewall activated on your website is the time it will save you. Leverage a solution that takes the added responsibility from you and places it in the hands of professional security providers, so they can assist you by blocking breach threats in real time.

As an e-commerce store, you also have to ensure that you are being proactive not only about the vulnerabilities in the code of your environment, but also about the exposure of the raw data your customers will submit through your site.

The next two requirements emphasize this:

Requirement 3: Protect Cardholder Data – Protect stored cardholder data.

Requirement 4: Protect Cardholder Data – Encrypt transmission of cardholder data across open, public networks.

The SSL certificate protects your visitors’ information in transit, which in turn protects you from the fines that come from being found noncompliant with PCI DSS. We have a comprehensive guide on How to Install an SSL Certificate that you can follow to ensure that sensitive information is not exposed.
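Installing the certificate is only half of Requirement 4; the web server also has to refuse to serve the store over plain HTTP and to negotiate only current TLS versions. The nginx configuration below is an added example for this post, not taken from the SSL installation guide or from Sucuri’s own products. The hostname store.example.com, the certificate and key paths, and the document root are placeholders you would replace with your own values.

```nginx
# Added example: nginx server blocks that enforce encryption in transit (PCI DSS Requirement 4).
# "store.example.com", the certificate paths and the document root are placeholders.

# Plain-HTTP listener: never serve the store here, only redirect every request to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name store.example.com;
    return 301 https://$host$request_uri;
}

# HTTPS listener: this is the only place cardholder data should ever be accepted.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name store.example.com;

    # Certificate chain and private key installed per the SSL certificate guide (placeholder paths).
    ssl_certificate     /etc/ssl/certs/store.example.com.fullchain.pem;
    ssl_certificate_key /etc/ssl/private/store.example.com.key;

    # Refuse SSL and early TLS: PCI DSS (since v3.1) no longer counts them as strong cryptography.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:StoreTLS:10m;
    ssl_session_tickets off;

    # Tell browsers to use HTTPS only for the next year, even if a link or bookmark says http://
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root  /var/www/store;
    index index.php index.html;
}
```

Run `nginx -t` before reloading to catch syntax mistakes, then confirm from outside your network that an http:// request to the store answers with a 301 to https:// and that the server rejects a TLS 1.0 handshake; a public TLS scanner will report both, and it is also a quick way to spot an expired or mismatched certificate before a customer or an assessor does.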

Final Tips

To summarize this post, keep your business and customers safe by following these guidelines:

1. Protect against hackers with a WAF, fulfilling the first two requirements of the PCI DSS.
2. Use a secure payment gateway for processing transactions.
3. Install an SSL certificate to encrypt traffic and protect your visitors’ personal information.

In the next articles, we’ll be diving deeper into the type of disaster recovery plan (DRP) you can depend on when the inevitable occurs.

If you are concerned with the security of your online store, chill out! We have a complete website security platform that will protect your e-commerce website from attacks and hacks. Don’t hesitate to reach out to one of our sales assistants if you are unsure of which plan to choose for your business.

*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Victor Santoyo. Read the original post at: