Many more businesses are embracing e-commerce these days, by selling their products and services online. Putting your business online is like opening a new store that can be visited by anyone around the world. This not only enables you to reach more customers, it also creates more opportunities for online criminals.
E-commerce websites are often targeted by attackers because they want to get customers' payment data to commit fraud. As your customers will need to provide personal and payment information when buying things from you online, this can make your site more of a target.
This guide will help you understand what you need to do in order to get your business online, while keeping your e-commerce website safe and secure, and protecting your customers' information.
Understand what you need
Before making changes to your business operations to allow you to collect payments from customers online, it's important to understand what's required. Below are some things you'll need to put in place.
An online store or e-commerce system
You might already have a website for marketing, and now your business is growing and you want to add an online shopping cart. This part of your website needs to be well-built and secure as makes it a prime target for cyber attackers. Because of this added risk, it's important to do your due diligence as not all online stores are created equal. Your first decision is whether you want a custom-made e-commerce system or an off-the-shelf product.
There are many well-tested off-the-shelf options for online shopping carts (such as Shopify, Squarespace, or Wix). These dedicated e-commerce companies continually update their software to respond to evolving risks.
If you choose to have an e-commerce system custom-made for your website, make sure you understand what security features this will offer. Although they'll be the ones doing the technical work, you'll be responsible for keeping your customers' information safe.
If you plan to use an IT service provider to create or recommend your e-commerce system, our guide on choosing an IT service provider will help you ask the relevant questions.
Payment gateway
A payment gateway allows you to accept online payments. There are important security and compliance factors for each payment type (e.g. credit/debit card vs. bank transfer) that you need to consider. We encourage you to get in touch with your bank to discuss payment gateway options.
Off-the-shelf e-commerce systems are often limited to certain payment gateways. Talk to your IT service provider about which payment gateway your e-commerce system can integrate with.
Security standards for handling credit cards
The Payment Card Industry has a security standard for businesses who accept credit cards that covers how to handle the data. It's called the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS provides the minimum standard for website payment security - an important factor in processing credit card payments online.
By using a PCI-compliant service provider and by implementing the measures in your business, you significantly reduce your risk of suffering an online attack. The PCI DSS controls are useful to implement in other areas of your business too.
Goals |
PCI DSS requirements |
---|---|
Build and maintain a secure network |
|
Protect cardholder data |
|
Maintain a vulnerability management program |
|
Implement strong access control measures |
|
Regularly test and monitor networks |
|
Maintain an information security policy |
|
Our Critical Controls show how these principles apply to other areas of your business.
CERT NZ Top Critical Controls
PCI security standards External Link
Incident response plan
Moving to an online store introduces new risks to your business. You'll need to have a plan in case the worst happens. Just like other emergency response plans (such as what to do in the event of a fire or earthquake), this plan should detail contact points, response timelines and procedures in the event of an online attack. If you don't already have an incident response plan, check out our guide on how to make one.
Train your team
Bring your team along with you on the cyber security journey. If they're clear on your business' policies and procedures, and how to follow them, there's less chance a cyber attack will be successful.
Secure your online store
Businesses might think that, because they're in New Zealand and not an international corporation, they won't be targeted by online criminals. Cyber attackers care less about the size or location of a business, and more about how easy it is to deploy their attacks. They'll often use tools to scan for outdated and unsupported software with vulnerabilities that make it easier them to get in.
Some off-the-shelf website solutions are updated by their vendors, which means you don't have to worry about doing it yourself. You still need to update software in other areas of your business, however. If you're using an IT service provider, don't assume they're keeping your website up to date. Make sure they regularly check for, and implement, updates.
When you're ready to start creating or updating your website, there are some things you need to make sure are in place. CERT NZ has a checklist that covers the best practice measures to protect your website. Following this practical advice is particularly important when you are using a website for sensitive functions, such as online payments or collecting customers' data.
Share this checklist with your IT service provider or check that the software you're using meets these recommendations.
Get in touch with your bank
After you have taken inventory of what you have and what you need, contact your bank.
Banks regularly work with businesses to help them establish their e-commerce systems. They often have guides explaining how they can help. They can also refer you to the relevant people for more information on:
- payment gateways
- fees relating to receiving online payments
- handling online refunds, chargebacks, and payment disputes
- PCI-DSS compliance.
Read your bank's guide to business payments: