Security threats in e-commerce: Protecting data while maintaining customer experience

Author: Sue Poremba

Delivering consumers a smooth, pleasant online shopping experience while ensuring tight security is a delicate balance—and to many retailers, it's a challenge. Every retailer wants to enhance the customer experience in e-commerce, but if they aren't careful, their efforts can turn a website into a cybercriminal's playground. To defend against security threats in e-commerce, you first have to know what you're looking for.

The typical e-commerce site requires a full name, address, email address and credit card information whenever a customer buys something. To make future shopping faster and easier, some sites ask consumers to set up a username and password, and many consumers reuse the same combination across multiple sites, so a password stolen from one site often works on others. All of this creates a treasure trove of personal data, and more incentive and opportunities for cybercriminals.

And it isn't just the customer who's at risk. A data breach is a betrayal of trust, and it costs retailers more than money and downtime—it can compromise valuable customer loyalty. A significant breach could put a small or medium-sized business out of business for good.

Security threats in e-commerce versus in stores

The point-of-sale (POS) attack is the most common in-store threat. Even if a retailer has met the stringent requirements of the Payment Card Industry Data Security Standard (PCI DSS), outdated operating systems remain a lingering threat. If a retailer's systems still run Windows XP or another unsupported platform, they no longer receive security patches, so every newly discovered flaw stays exploitable; supported systems that simply aren't patched are in the same position. Third-party threats are another problem: when a third party has access to your network, its security flaws become your security flaws. That's what happened in the Target breach, where attackers got onto the retailer's network using credentials stolen from an HVAC vendor.

In retail, POS intrusions are declining while attacks on web applications are on the rise, largely because the industry is moving toward a more web-centric environment, according to Verizon's 2020 Data Breach Investigations Report (DBIR). Moving to the cloud brings its own risks: according to the DBIR, cloud assets were involved in nearly a quarter of all data breaches, and about three-quarters of those involved an email or web application server. Most breaches still hit on-premises infrastructure and data, but it's clear that cybercriminals are following retailers into cloud environments. As infrastructure changes, the DBIR summarizes, adversaries change with it, taking the easiest path to the data. Verizon's 2019 Payment Security Report offers additional insight into securing payment systems and achieving and maintaining PCI DSS compliance; the 2020 report is due soon.

The top security threats in e-commerce

Here are some of the primary threats to online retail:

  • Web-based applications. The two leading ways in are stolen credentials and exploitation of vulnerabilities in the application or the infrastructure behind it. Neither requires anything exotic: a reused password or an unpatched component is enough.
  • Card-not-present fraud. When stolen card details are used to buy online, the cardholder is refunded, but the merchant typically absorbs the chargeback: it loses the goods, the sale and a chargeback fee.
  • Distributed denial-of-service (DDoS) attacks. Downtime kills sales, and it can drive new and returning customers to a competitor whose site stays up.
  • Credential stuffing. Attackers take username and password lists leaked from other breaches and replay them against your login page with automated tools at scale; because so many people reuse passwords, a small but steady fraction of attempts succeed and become account takeovers.
  • Human error. People remain the weakest link. Staff fall for social engineering and phishing and hand over administrative credentials, developers ship misconfigurations or vulnerable code, and either mistake can turn a legitimate site into one that serves attackers.
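Credential stuffing has a recognizable shape in authentication logs: one client address cycling through many different accounts in a short window, mostly failing, with an occasional success that marks a reused password. The script below, added here as an example and not code from the original article or from Verizon, detects that pattern and separates it from a legitimate shopper retrying a mistyped password. The log format, the addresses, the accounts and the thresholds are all constructed for the example.

```python
"""Credential-stuffing detection over login logs (added example).

Assumes a constructed log format, one attempt per line:
    <ISO-8601 UTC timestamp> <client IP> <username> <success|failure>
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample traffic (not real data): 203.0.113.7 sprays six accounts
# in five seconds and gets one hit; 198.51.100.4 is one shopper retrying a
# mistyped password; 192.0.2.9 is a clean login.
SAMPLE_LOG = """\
2020-06-01T12:00:01Z 203.0.113.7  alice@example.com failure
2020-06-01T12:00:02Z 203.0.113.7  bob@example.com   failure
2020-06-01T12:00:02Z 203.0.113.7  carol@example.com failure
2020-06-01T12:00:03Z 203.0.113.7  dave@example.com  success
2020-06-01T12:00:03Z 203.0.113.7  erin@example.com  failure
2020-06-01T12:00:04Z 203.0.113.7  frank@example.com failure
2020-06-01T12:00:05Z 198.51.100.4 alice@example.com failure
2020-06-01T12:00:09Z 198.51.100.4 alice@example.com failure
2020-06-01T12:00:15Z 198.51.100.4 alice@example.com success
2020-06-01T12:05:00Z 192.0.2.9    grace@example.com success
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format into LoginEvents sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, ip, user, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LoginEvent(when, ip, user.lower(), outcome == "success"))
    return sorted(events, key=lambda e: e.ts)


def detect_credential_stuffing(events, window_seconds=60, min_distinct_users=5,
                               max_success_ratio=0.5):
    """Flag client IPs that, within any sliding window of window_seconds,
    attempt logins to at least min_distinct_users different accounts with
    mostly failures. Events must be time-ordered (parse_log sorts them).

    The distinct-user requirement separates stuffing from one shopper retrying
    a password; the success-ratio cap avoids flagging a busy shared egress
    (office or carrier NAT) whose users mostly log in fine.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    window = timedelta(seconds=window_seconds)
    reports = {}
    for ip, evs in by_ip.items():
        recent = deque()
        for e in evs:
            recent.append(e)
            while e.ts - recent[0].ts > window:  # drop events older than the window
                recent.popleft()
            if len({r.user for r in recent}) < min_distinct_users:
                continue
            if sum(r.ok for r in recent) / len(recent) > max_success_ratio:
                continue
            reports[ip] = {
                "attempts": len(evs),
                "distinct_users": len({x.user for x in evs}),
                "failures": sum(not x.ok for x in evs),
                # Accounts that authenticated from the offending address are the
                # reused passwords that worked, i.e. likely account takeovers.
                "compromised": sorted({x.user for x in evs if x.ok}),
            }
            break  # one report per IP is enough
    return reports


def recommended_actions(reports):
    """Turn reports into (IPs to rate-limit or block, accounts to force-reset)."""
    ips = sorted(reports)
    users = sorted({u for r in reports.values() for u in r["compromised"]})
    return ips, users


if __name__ == "__main__":
    found = detect_credential_stuffing(parse_log(SAMPLE_LOG))
    for ip, r in found.items():
        print(f"{ip}: {r['attempts']} attempts against {r['distinct_users']} accounts, "
              f"{r['failures']} failed; compromised: {r['compromised']}")
    print("actions:", recommended_actions(found))
```

On the sample, only 203.0.113.7 is flagged, and dave@example.com is queued for a forced password reset; the shopper at 198.51.100.4 never trips the rule because the distinct-account count stays at one. In production the same logic runs against the web server's or identity provider's authentication log, and the thresholds are tuned against the site's own baseline of failed logins per address.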

Improving e-commerce security and the customer experience

Online shoppers will return to a retailer if they had a good experience and believe the retailer is taking steps to keep their personal data secure. Serving the entire site over HTTPS, not just the checkout page, protects credentials and card numbers in transit and spares customers the browser's "Not secure" warning on login forms; both reassure shoppers.

To make the e-retail experience seamless, use tools like software-defined networking (SDN), which helps IT teams respond quickly to problems. During an outage or DDoS attack, for example, SDN can reroute traffic or add capacity to keep the site up. Cloud services that manage and encrypt customer data can help protect it, provided they are configured correctly. Meeting standards like the PCI DSS and keeping operating systems and software up to date adds further layers of protection, so that a single failed control does not expose customer data.

Brick-and-mortar retailers make customer service and safety a top issue. E-commerce retailers can do the same by stepping up their efforts to safeguard against security threats.

Learn how Verizon can help you improve cybersecurity for your retail operations.

The author of this content is a paid contributor for Verizon.