For eCommerce companies, the cloud has been an attractive option for years now. Scalable IT infrastructure, elastic load balancing across geographies, and integrated backup abilities all combine to make cloud platforms a great choice to host eCommerce sites, which often face rapidly shifting demands from buyers.
While the notion of the cloud being insecure has largely been debunked, the fact remains that eCommerce providers are a major target for hackers, thanks to their juicy stored credit card and personal information. Denial of Service attacks on internet sellers are also common. PCI Compliance is largely placed upon your organization, so be sure to maintain a secure eCommerce site by following these tips.
Before you migrate, you’ll have to plan ahead. Are you going 100% cloud or keeping some items in your current hosting environment? Will cloud storage host payment information or customer details? Will you process payments in the cloud or elsewhere? If you will be processing and storing in the cloud, you must work with a provider capable of supporting PCI compliance. Encryption of any stored customer data should be a requirement, both in transit and at rest.
Decide if you will use a Software as a Service platform hosted by the SaaS provider or with another cloud provider. You could also keep your own platform and host it with any public cloud service. Many SaaS options include encryption, tokenization, or API access. Automated logs and monitoring tools are also available. Explore your options and carefully diagram your entire environment so you know what sensitive information is located where at all times.
This one goes without saying. You need SSL implementation if you want to take credit card information over the internet. In addition, work with your cloud provider to set up encryption of all stored data. A provider can also help you keep your SSL updated—while you’re at it, be sure to regularly patch and update your operating system, eCommerce platform, anti-virus/anti-malware, and any other software tools in the environment.
If possible, don’t keep every customer record indefinitely, only as long as you might need to process returns according to your policy. Some personal information is acceptable for marketing or other purposes, but never retain credit card or other payment information.
Require strong passwords by all users and especially your employees. Read more about password best practices. Your backend users need to practice smart security protocol, too. Make sure they keep their PCs protected by antivirus/antimalware software and that everyone knows about phishing and other social engineering scams. Passwords should never be stored in plain text or written down. Keep these lessons fresh with at least annual, if not quarterly, training.
Your cloud provider can assist you in setting up network scans, access logs, DDoS alerts, and more. Things to look out for include suspicious transactions from a single IP address, a sudden flood of junk traffic, a single person using multiple credit cards, and mismatched addresses / phone numbers. Set a rule to lock out users attempting to login unsuccessfully after multiple attempts. Pull access logs regularly to stay aware of who is accessing sensitive data.
DDoS protection is easier in the cloud thanks to virtual machines ability to move between different data centers, as well as DDoS mitigation platforms designed around cloud computing and load balancing. But you’ll still need to catch an attack before it takes down your site. Learn more about growing DDoS attacks in the cloud and how to stop them.
All told, the cloud is a great option to keep your eCommerce system available to all customers and backed up in the case of disaster, but you’ll need to take some initial and ongoing precautions. After all, a data breach definitely isn’t good for business.