Website and online payment security is a MUST

What can you do to ensure your customers personal and credit card details are safe on your website? What is SSL and why do you need it? Let's look at the key points of website security.


Don't put your website security in the wrong hands.

Firstly, make sure you work with a website development company who knows the business of e-commerce. While there are a lot of developers who can put together a basic e-commerce website for a cheap price... that doesn't mean they are giving you the best solution for web security. Do everything you can to make sure your website is as secure as possible.

How to choose an online shop software or CMS for security.

If you’re new to e-commerce (or looking for an upgrade), choose an Australian custom built system (such as Pegboard) rather than one of the many free or cheap e-commerce systems available. Why? Widely used free or cheap ecommerce packages are attractive targets: a single vulnerability can be exploited across the thousands of websites built on the same software, so attackers get the maximum return from one exploit. It is for this reason we no longer develop sites using X-cart. We found most people using cheap online shop software simply don't bother to upgrade regularly, as it takes time and costs money, which leaves their site exposed to vulnerabilities that are already public and already being exploited. Open source e-commerce software has its place... but if you use it, you MUST monitor it closely and apply security updates promptly.

Evolve your online store, don’t just set and forget.

If you’ve had an e-commerce site for a while, talk to your website development team to make sure old software and technology is not leaving your website open to attackers. Most online shop and CMS software need regular updates and patches, because security flaws are found in them after release, and a published fix tells attackers exactly what to look for on sites that have not applied it. When was the last time your software was upgraded?

Always use a reliable payment gateway that is PCI Compliant.

There are a few excellent options in Australia such as eWay and Camtech. We recommend you chat with your bank first about their options and then compare. The Camtech Payment Gateway supports all major Australian banks and is the preferred payment gateway provider for Pegboard. If you’re low on start-up funds, don't expect to get a lot of credit card payments, have only a few products, or have a low turnover, you could go with PayPal.

You are responsible for preventing theft of cardholder data.

If cardholder data is stolen you could incur fines, penalties, even termination of the right to accept payment cards. Follow these steps:

  • Educate your customers and staff. Teach your employees about security and protecting cardholder data.
  • Do not store sensitive cardholder data on computers or on paper. Card security codes (CVV) and magnetic-stripe or chip data must never be stored after authorisation, even encrypted; let your payment gateway hold the card details and keep only the token or reference it gives you. Any other confidential information you must keep, store in an encrypted form ONLY and delete it as soon as it is no longer required.
  • Use a firewall on your network and PCs.
  • Make sure your wireless router has a strong passphrase and uses WPA2 or newer encryption (not WEP, which is easily broken).
  • Use strong passwords. Be sure to change default passwords on hardware and software, as the defaults are publicly known.
  • Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
  • Use SSL/TLS (HTTPS) to protect information flowing between your customer and your e-commerce website, on every page that handles a login or payment details, not just the final checkout step.
  • Conduct routine security audits.
  • Upgrade e-commerce and CMS software regularly.
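The second and seventh points above come together in practice as "no full card numbers anywhere you did not intend, including log files". The script below is an added example, not Pegboard code: it finds candidate card numbers in text, keeps only the ones that pass the Luhn check every payment card number satisfies (so order numbers that happen to be 16 digits are left alone), and replaces them with a masked form that keeps at most the last four digits. The log lines are constructed for the example and use the standard Visa, Mastercard and American Express test numbers.

```python
"""Find and mask card numbers (PANs) in text before it is stored or logged.

Added example, not Pegboard code. The log lines below are constructed and use
the well-known payment card test numbers, not real cards.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines: one real-looking PAN per line, one 16-digit
# order number that is NOT a card number, and one line with no card data.
LOGS = [
    "2024-05-01 10:12:03 checkout order=1234567890123456 card=4111 1111 1111 1111 amount=49.95",
    "2024-05-01 10:12:04 gateway ref=TX-5555555555554444 status=approved",
    "2024-05-01 10:12:05 refund card=378282246310005 amount=12.00",
    "2024-05-01 10:12:06 customer phone=0412345678 postcode=4217",
]


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by all payment cards."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str, visible_prefix: int = 0) -> str:
    """Mask a PAN for storage or display.

    PCI DSS allows at most the first six and last four digits to be shown;
    by default this keeps only the last four, which is enough for a customer
    to recognise their card and useless to an attacker.
    """
    visible_prefix = min(visible_prefix, 6)
    hidden = len(digits) - visible_prefix - 4
    return digits[:visible_prefix] + "*" * hidden + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid card number in text with its masked form."""
    def _sub(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if luhn_valid(digits):
            return mask_pan(digits)
        return raw   # looks like a PAN but fails Luhn (e.g. an order number): leave it
    return PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    for line in LOGS:
        print(redact_pans(line))
```

Run this over anything that leaves the checkout code path (application logs, error reports, support tickets, CSV exports). Note the separator handling: the regex accepts "4111 1111 1111 1111" as well as "4111111111111111", because customers type both, and it refuses to start or end a match in the middle of a longer digit string so that timestamps and long reference numbers are not chopped up.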

What is SSL and why do you need it on payment pages?

SSL is short for Secure Sockets Layer. It is a global standard security technology; the versions actually in use today are TLS (Transport Layer Security), SSL's successor, but the name SSL has stuck. Offering a payment process secured by SSL not only helps protect your customers' confidential information, it inspires confidence in potential customers, which can in turn increase your online sales.

SSL certificates do NOT protect your website, they protect data transfers. Basically your SSL does 2 things:

  1. Encrypt and verify the integrity of traffic between the customer's browser and your website server, so that nobody on the network between them can read or alter it.
  2. Verify that the browser is talking to the correct server. In practice, this means the certificate was issued by a certificate authority the browser trusts, to whoever proved control of your domain name, and only a server holding the matching private key can complete the connection. This helps prevent man-in-the-middle attacks. Without it there's no guarantee that you're encrypting traffic to the right recipient.
How it works...

  1. When a browser (IE, Chrome, Firefox etc) requests a web page with SSL, it is usually indicated by a web address (URL) beginning https instead of just http.
  2. The browser asks the website to authenticate its identity. The server sends its certificate, and the browser checks that it was issued by a certificate authority the browser trusts, that it has not expired, and that it names the domain the visitor typed in.
  3. If any of those checks fails, the browser will generate a warning for the visitor (stating the site is NOT secure).
  4. If authentication is successful, a locked padlock icon will appear in the person's browser (in the browser status or address bar).
  5. Once authentication takes place, the browser and server use the certificate's public key to agree on a session key, and from then on the browser automatically encrypts any data sent to the website, such as the submission of a form. The encryption used is a symmetric cipher with a 128- or 256-bit key, which is very secure.
  6. Once your data is received, the website decrypts your information using that same session key. The server's private key, which never leaves the server, is only used during the handshake in step 5.
  7. The whole authentication, encryption and decryption process is seamless and automated - there is nothing you need to do.

You should buy a quality SSL certificate registered to your domain name. Generally we will help you set up your SSL, but if you choose to do it yourself make sure you buy an SSL certificate from a good certificate provider, NOT a "shared" certificate on your hosting company's domain, since the padlock would then show their name rather than yours. It typically costs between $10 and $500 depending on the certificate provider. Setting up SSL takes about an hour, though it might take longer if it's your first time doing it. Conceptually, the process is very straightforward. You buy a certificate and configure your web-server to use it. But the details tend to be somewhat complex. For this reason we usually recommend you leave it to us. Once it is installed, check it the way a visitor would: every https page must load without a warning, and the certificate must cover every hostname you use (with and without www).
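Steps 2 to 4 of the handshake above, and the final check after installing a certificate, can be carried out from a script. The following is an added example, not Pegboard code: `evaluate_cert` applies the browser's checks (does the certificate name this host, is it inside its validity window, and is it about to expire) to a certificate in the dictionary form Python's `ssl` module returns, and `check_live` runs the same checks, plus the trust-chain verification the standard library performs by default, against a real server. The certificate dictionary, the hostnames and the date are constructed for the example so that it runs offline; pass a hostname on the command line to test a live site.

```python
"""Check a server certificate the way a browser does (added example, not Pegboard code).

EXAMPLE_CERT, the hostnames and NOW_FOR_DEMO are constructed for the example.
Usage: python tls_check.py            -> offline demonstration
       python tls_check.py shop.example.com   -> live check of a real server
"""
import socket
import ssl
import sys
import time
from typing import Dict, List, Optional

# Constructed certificate in the shape returned by SSLSocket.getpeercert().
EXAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "www.shop.example.com")),
}
# A fixed "current time" so the demonstration gives the same answer every day.
NOW_FOR_DEMO = ssl.cert_time_to_seconds("Jul 01 00:00:00 2024 GMT")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """DNS-name match as browsers do it: '*' may only replace the leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # refuse bare wildcards such as *.com; the rest of the labels must match exactly
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_names(cert: Dict) -> List[str]:
    """Names the certificate is valid for: subjectAltName DNS entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for key, value in rdn if key == "commonName")
    return names


def evaluate_cert(cert: Dict, hostname: str, now: Optional[float] = None,
                  min_days_left: int = 14) -> Dict:
    """Apply the checks from steps 2-4: right name, inside validity, not about to expire."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    names = cert_names(cert)
    problems = []
    if not any(hostname_matches(name, hostname) for name in names):
        problems.append(f"certificate is for {names}, not {hostname}")
    if now < not_before:
        problems.append("certificate is not yet valid")
    if now > not_after:
        problems.append("certificate has expired")
    days_left = (not_after - now) / 86400
    if 0 <= days_left < min_days_left:
        problems.append(f"certificate expires in {days_left:.0f} days; renew now")
    return {"ok": not problems, "names": names, "days_left": days_left, "problems": problems}


def check_live(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Run steps 1-4 against a real server with the same verification a browser applies."""
    ctx = ssl.create_default_context()   # verifies the trust chain and hostname by default
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                result = evaluate_cert(tls.getpeercert(), hostname)
                result["protocol"] = tls.version()      # e.g. 'TLSv1.3'
                result["cipher"] = tls.cipher()[0]
                return result
    except ssl.SSLCertVerificationError as exc:
        # This is the case where a browser shows the "not secure" warning (step 3).
        return {"ok": False, "problems": [f"verification failed: {exc.verify_message}"]}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_live(sys.argv[1]))
    else:
        print(evaluate_cert(EXAMPLE_CERT, "shop.example.com", now=NOW_FOR_DEMO))
        print(evaluate_cert(EXAMPLE_CERT, "other.example.com", now=NOW_FOR_DEMO))
```

The point of the `min_days_left` check is the most common real-world failure: certificates do not stop working gradually, they stop working at the expiry date, and every visitor gets the warning in step 3 at once. Run `check_live` against each hostname you serve (with and without www) after installing a certificate and again on a schedule.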

At the end of the day, your system is only as secure as the people who use it.

Tips on creating passwords