How to Safeguard Online Shopping Transactions
Security should be a top priority for every online entrepreneur with a shopping cart or an e-commerce ambition.
Giving shoppers confidence that their credit-card information and personal details will be safe in your hands can make them more apt to make a purchase and become a regular customer. Conversely, shoppers’ deep-seated worries about fraud mean that if you give them reason for concern, they could back out of a purchase and stay away for good.
Security precautions also can save you money -- and maybe even preserve your business. The costs of a hack can be steep if credit-card information is stolen and you are at fault. Not only could you face huge clean-up expenses, angry customers and scary lawsuits, you also would likely face the wrath of the credit-card companies, which require merchants to abide by what’s known as the Payment Card Industry (PCI) Data Security Standard. The card companies could fine you, force you to undergo expensive security audits or even bar you from accepting any plastic.
Related: Seven Ways to Whip Your Website into Shape
To both instill customer confidence and avoid the horrors of a data breach, experts say a locked down shopping cart system is essential. What’s more, that system should not store any cardholder data. Hacks of these complex software programs are common, and you are a target even if you’re tiny. For example, more than 80 percent of card data compromises investigated by Visa affect merchants that process fewer than 20,000 transactions a year.
"Secure shopping-cart systems are essential for maintaining the integrity of the payment process," says Ella Nevill, a spokeswoman for the PCI Security Standards Council, an organization formed by the five top credit card companies to develop the standards and educate the public about them. "Our mantra is, if you don’t need it, don’t store it. Small merchants should ensure that they or their service provider protect themselves and their customers by using software that does not store cardholder data or jeopardize their PCI security efforts."
Merchants who are not large enough to have their own technology staffs typically use "hosted" shopping carts, which offer built-in security, technical support, and automatic, free software updates and upgrades.
Related: How One Startup Streamlined and Stylized its Online Storefront
"They are easy to manage, so they are good for entry-level stores," says Kerry Watson, an author of books on e-commerce software.
There are hundreds of such managed service providers that can help you start using a shopping cart in which they, not you, take responsibility for security. Services popular with small businesses include Volusion, BigCommerce and Shopify, Watson says. Prices can range from $20 to several hundred dollars a month, depending on the volume of business you do.
When selecting a company, weigh security features carefully. The provider should not store any sensitive cardholder data and should provide defenses against hacker attacks and encryption of sensitive data as it travels across the Internet to your site and the credit-card payment processor.
If you have large numbers of items for sale and need more control and customization than a hosted service can offer, you may want to use licensed proprietary software or open-source software to set up your own cart. Some popular makers include OpenCart, CubeCart, xt:Commerce and OXID eSales, but there are many others. Prices can be as low as zero for open-source software or reach into the hundreds and beyond, Watson says. You will also need a technology staff or a service plan to handle the maintenance and security of your system.
Whatever type of shopping cart you use, it’s wise to retain a third-party credit-card processor, rather than handle sensitive card data yourself. This means that when customers make purchases, they will temporarily leave your website and enter their card information on the processor’s site. Then they will return to your site to finish their transaction.
Related: A Seven-Step Guide to Protecting Customer Privacy
If you don’t have a crackerjack tech staff, "the best thing is to let somebody else process your credit-card transactions for you," says Edward S. Ferrara, a security and risk analyst at Forrester Research. Then, "you don’t have to be an IT professional -- you can just be a merchant."
Many small e-tailers use services from Amazon, PayPal and Google Checkout to handle their transactions. Other services popular with small companies include CRE Secure, 2Checkout.com and Skrill Holdings, formerly known as Moneybookers.
If you want to process credit cards yourself, be prepared to spend significant amounts of time and money to jump through numerous PCI-standards hoops and maintain dedicated server equipment.
Whichever approach you take, make sure the software and services you use have been validated as PCI compliant and ask for evidence annually that they remain so.
"There’s no one-size-fits-all approach here," Nevill says. "The most important thing is to be aware of the risks to cardholder data and to ask the right questions of your vendor or service provider."
After all, your business could depend on it.
Riva Richmond is a freelance journalist who has covered technology for more than a decade. She focuses on computer security, privacy, social networking and online business and has written for The New York Times, The Wall Street Journal and other national publications. Previously, Riva was a technology reporter at Dow Jones Newswires and regular contributor to The Journal's "Enterprise" small business column.