Trade Smart Online

Step up your website security

Your website is important to your business. It also contains business and customer information that is valuable to cyber attackers. Take steps to Trade Smart Online, starting with these four:

Protect it

HTTPS keeps the information transferred between you and your customers confidential by encrypting it. Secure your customers’ data by enabling HTTPS across your website.

Enable HTTPS

Update it

Updates close the gaps that allow attackers to access your website. Give yourself one less thing to think about and set your updates to take place automatically.

Apply updates

Secure it

PCI DSS helps ensure transactions on your website are safe and secure, and that your customers’ card data is protected. Banks require any site accepting online payments to be PCI-DSS compliant, so talk to yours about what’s involved.

Get PCI DSS compliant

Keep it

If your domain were to expire, an attacker could claim it and set up their own scam website under your business’ name, selling fake goods or serving malware. Ask your domain provider about auto-renewing your domain.

Understand domain registration

Checklist: protect your website

Taking the four steps above is a good start in protecting your website, but working your way through the full checklist will make your business data and customer information even more secure.

Steps to work through yourself:

  • Create a long and strong login password for your website that is different from any used for other services. We recommend a passphrase of four or more words.
    Creating good passwords
  • Turn on two-factor authentication (2FA). 2FA verifies you are who you say you are by asking for a second piece of information (often a code) as well as your password. This adds an extra layer of security.
    Implementing 2FA
  • Keep your software up to date. This includes your content management system (CMS), any plugins or external modules you use, and other items such as your web server.
    Apply updates
  • Back up your website regularly. Set the backups to take place automatically and store them somewhere secure but easy to get to, such as a locked drawer or cupboard, preferably offsite. Having backups means you can restore your data quickly and easily if it's lost, leaked or stolen.
    Backing up your website
  • Create an incident plan to guide you if something goes wrong. This should include your IT and communications support people's contact details. Having a plan will help you minimise the impact of an incident and get you back on your feet quickly.
    Create an incident response plan
  • Report cyber security incidents to CERT NZ. We'll help identify the issue and let you know the steps you can take to mitigate it or prevent it from happening again. We'll also use the information you provide to create advice and guidance for others who might experience the same issues.
    Report an incident

Steps to work through with your IT provider:

  • Enable HTTPS on all pages, including on your CMS, where you make changes to your website.
    Enable HTTPS
  • Set up to receive alerts when someone makes changes to the website or CMS.
  • Check your CMS periodically to make sure the 2FA and alerts are still configured correctly.
  • Follow cyber security best practice when making changes to your website. Ensure your website developer or IT support follows the cyber security techniques outlined in the Open Web Application Security Project (OWASP).
  • Check you still need all the plugins installed on your website. If you don't need them anymore, remove them – they make your website an easier target for attackers.
  • Get Payment Card Industry Data Security Standard (PCI DSS) compliant. PCI DSS helps ensure that online transactions are safe and secure, and that customers' card data is protected from attackers. Your bank requires your online trading website to be PCI DSS compliant, so talk to them about what's involved.
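The two HTTPS items above (HTTPS on every page, including the CMS, and periodically re-checking that the configuration is still right) can be turned into a repeatable audit. The following is an added example, not CERT NZ's code: it checks captured HTTP and HTTPS responses for a permanent redirect to HTTPS, an HSTS header, and sub-resources still loaded over plain HTTP. The `Response` class, the sample responses and the `shop.example` hostname are constructed for the example, and the one-year HSTS threshold is an assumption.

```python
# Added example (not CERT NZ's code): audit captured HTTP/HTTPS responses for
# the "HTTPS on all pages" checks. All responses below are constructed samples.
import re
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    headers: dict
    body: str = ""

    def header(self, name):
        # Header names are case-insensitive, so look them up case-insensitively.
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")

ONE_YEAR = 31536000  # assumed minimum HSTS max-age (seconds) to count as adequate

def audit_page(http_resp, https_resp, min_hsts_age=ONE_YEAR):
    """Return the list of finding names for one page; an empty list means it passes."""
    findings = []
    # 1. The plain-HTTP version must permanently redirect to an https:// URL.
    location = http_resp.header("Location")
    if http_resp.status not in (301, 308) or not location.lower().startswith("https://"):
        findings.append("http-not-redirected")
    # 2. The HTTPS version must send HSTS with a long enough max-age.
    m = re.search(r"max-age=(\d+)", https_resp.header("Strict-Transport-Security"))
    if not m or int(m.group(1)) < min_hsts_age:
        findings.append("hsts-missing-or-short")
    # 3. Scripts, images, frames (src=) and form posts (action=) must not use plain HTTP.
    if re.search(r'\b(?:src|action)=["\']http://', https_resp.body, re.I):
        findings.append("mixed-content")
    return findings

# Constructed sample: the shop front page is configured correctly ...
SHOP_HTTP = Response(301, {"Location": "https://shop.example/"})
SHOP_HTTPS = Response(200, {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
                      '<script src="https://shop.example/app.js"></script>')
# ... but the CMS login page was forgotten: no redirect, no HSTS, and a form posting over HTTP.
CMS_HTTP = Response(200, {}, "<html>login</html>")
CMS_HTTPS = Response(200, {}, '<form action="http://shop.example/admin/login">')

def audit_site(pages):
    """pages: {path: (http_response, https_response)} -> {path: findings}, failing pages only."""
    report = {path: audit_page(h, s) for path, (h, s) in pages.items()}
    return {path: f for path, f in report.items() if f}

if __name__ == "__main__":
    print(audit_site({"/": (SHOP_HTTP, SHOP_HTTPS), "/admin/login": (CMS_HTTP, CMS_HTTPS)}))
```

To audit a live site, build each `Response` from a real fetch made without following redirects and pass the full set of pages, CMS paths included, to `audit_site`.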

You're strongly advised not to process any online payments yourself. Use a third-party payment gateway provider who is already PCI DSS compliant.

In addition to PCI DSS compliance, there are other important considerations in operating – or preparing to operate – an e-commerce site.

Accepting online payments

Download the checklist [PDF, 124 KB]