Digital commerce security: Better safe than sorry
Losing customer data not only gives your customers a worse experience; the penalties are high, and they are about to get a whole lot higher. In the EU, the General Data Protection Regulation (GDPR) will start being enforced in May of 2018. Among many other provisions related to privacy and data protection, the GDPR requires organizations doing business with EU residents to build privacy into their technology by design. In short, we are all going to be responsible for protecting the data we store. Organizations that violate the GDPR could be fined as much as 4% of global revenue. For an organization the size of Amazon, that’s billions of dollars.
Meanwhile, most e-commerce companies are pushing the envelope to create applications that are increasingly easy to use, accessible from any device, and able to place an order with a single finger swipe. Sounds good, right? But they are forgetting about sensitive customer information and the safeguarding of transactions. In this situation, security testing deserves considerable attention, because the conventional protections embedded in frameworks, such as anti-XSS, CSRF and SQL injection defenses, are simply not enough.
So, what can you do to protect your business and your customers’ sensitive data? It definitely starts with careful, intentional consideration of digital commerce security. In support of that objective, we’d like to share some of the flaws we most frequently encounter when assessing the digital commerce platforms of new clients:
- Manipulating prices during order placement
- Client-side validation bypass
Coupon and Reward Management
- Bypass of a coupon’s terms and conditions
- Use of multiple coupons for the same transaction
- Use of coupons on products they were not meant to apply to
Payment Gateway Integration
- Price changes on the client side
- Changing the price before the transaction has been completed
- Flaws in integration with point-of-sale (POS) devices
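As an added illustration of the order-placement and coupon flaws listed above (example code written for this post, not part of any client's platform): a server-side pricing check that recomputes the order total from the catalog, allows one coupon per transaction, enforces a coupon's minimum-subtotal and product-eligibility terms, and treats any client-supplied price or total only as something to compare against. The catalog, the coupon table and the request format are constructed for the example.

```python
from decimal import Decimal

# Constructed catalog: the server's authoritative prices, keyed by SKU.
CATALOG = {"sku-100": Decimal("49.99"), "sku-200": Decimal("120.00")}

# Constructed coupon table: percent off, minimum subtotal, and eligible SKUs
# (None means the coupon applies to the whole order).
COUPONS = {
    "SAVE10": {"percent": 10, "min_subtotal": Decimal("100.00"), "skus": None},
    "BIGITEM": {"percent": 25, "min_subtotal": Decimal("0"), "skus": {"sku-200"}},
}

class OrderRejected(ValueError):
    """Raised when an order request fails server-side validation."""

def price_order(request, used_coupons=frozenset()):
    """Return the authoritative total for `request`, ignoring any client-sent price."""
    items = request.get("items", [])
    if not items:
        raise OrderRejected("empty order")
    subtotal = Decimal("0")
    for item in items:
        sku, qty = item.get("sku"), item.get("qty", 0)
        if sku not in CATALOG:
            raise OrderRejected(f"unknown sku {sku}")
        if not isinstance(qty, int) or qty <= 0:
            raise OrderRejected(f"bad quantity for {sku}")
        subtotal += CATALOG[sku] * qty  # catalog price, never item["price"]
    coupons = request.get("coupons", [])
    if len(coupons) > 1:
        raise OrderRejected("only one coupon per transaction")
    discount = Decimal("0")
    for code in coupons:
        rule = COUPONS.get(code)
        if rule is None or code in used_coupons:
            raise OrderRejected(f"coupon {code} invalid or already redeemed")
        eligible = subtotal if rule["skus"] is None else sum(
            CATALOG[i["sku"]] * i["qty"] for i in items if i["sku"] in rule["skus"])
        if subtotal < rule["min_subtotal"] or eligible == 0:
            raise OrderRejected(f"coupon {code} terms not met")
        discount = (eligible * rule["percent"] / 100).quantize(Decimal("0.01"))
    total = subtotal - discount
    # The payment gateway is charged this server-computed total; a client-supplied
    # "total" is only compared against it, never used.
    if "total" in request and Decimal(str(request["total"])) != total:
        raise OrderRejected("client total does not match server total")
    return total
```

The same recomputation should run again immediately before the amount is handed to the payment gateway, so a price edited between cart and checkout is caught as well.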
If you’re concerned about the security of your system, here are a few things to ensure your platform is doing:
- Transmit data using HTTPS.
- Use session tokens.
- Ensure that no server errors are displayed when a page crashes.
- Error messages must not reveal any application information.
- All data stored in cookies should be encrypted.
- Do not store passwords in cookies.
- Do not store sensitive data such as card numbers, expiration dates and CVV2 codes.
- Patch your system constantly.
If you’re concerned about the security of your digital commerce platform, or any other part of the online customer experience, we’d love to help. Feel free to contact us for a no-cost, no-commitment consultation.