Securing Your Online Shop – Getting Started

An article for the nice people over at IT Donut

It doesn't matter who I talk to about ecommerce; merchants, designers or even my parents, security is always something that is brought up. Identity theft, phishing and data loss are just some of the topics that can completely polarise any discussion regarding buying online. Some of it is very valid. There are genuine problems that need solving if you are selling online, but some of it is an over-reaction. Here I will look at the key elements for securing your ecommerce store.

Creating trust

The central pillar to the growth of ecommerce is based on trust. To be a successful e-tailer you need to be completely transparent about being a good company to do business with. A lot of this is down to the design of your site. Reassurances include satisfaction guarantees, clear delivery times, a returns policy, contact details, a company history and displaying logos of industry bodies you belong to. Use your own experience as a customer to make sure your site is up to scratch and conveying the simple message that you can be trusted.

However you must also comply with data security regulations.

The compliance challenge

In 2008 the retailer Cotton Traders suffered an attack on its online operation. It lost thousands of customers’ details including their credit card data. Cotton Traders, like many other traditional high street brands, has used the online channel to support its existing retail and mail order businesses. However when a company with a turnover of £50m suffers an attack of this magnitude, it’s easy to wonder what chance the smaller guy has.

The answer to the problem came from the banks (who are of course ultimately responsible) in the form of the Payment Card Industry Data Security Standard (PCI DSS).

According to the Security Standards Council, PCI DSS is “a set of 12 requirements designed to secure and protect customer payment data”. Complying with PCI is a fairly complex procedure, the rule book is huge and understanding it correctly is no easy task. However to take online card data you have to be compliant, so how does an online merchant achieve this? Thankfully there is a simple answer: make it someone else’s problem.

The UK has a number of Payment Service Providers (PSPs). I am sure everyone has heard of PayPal and WorldPay, my company also has one, Actinic Payments. To become PCI-legal a merchant simply has to use a compliant PSP. This way, when a customer purchases from your online store they are transparently forwarded to the PSP who takes the payment. This means the all important card data is held on an ultra-secure and most importantly compliant infrastructure. None of the payment card data is held on your server. If you get hacked, at least you won’t be giving any payment data away.

Fighting fraud

Make sure that your PSP supports 3D Secure, AVS (address verification), CV2 (3 digits on back of a card), preferably one of the independent fraud checking services, as well as being PCI compliant. Once you have security in operation, mention it on your website to give extra reassurance to customers.

You can help yourself too. Look out for these fraud indicators:

  • Using the most expensive shipping method

  • Choosing the most expensive products

  • Using free email addresses such as Yahoo or Hotmail and mobile numbers.

In addition you can check whether an order is fraudulent by asking for a fax of a copy of the back strip of the credit card; asking for proof of name and address to be faxed; or you can telephone to make sure that the number is genuine. Most fraudsters give up at the first hurdle.


Cyber crime, like ecommerce, is a growing industry And today it is the preserve of highly competent and mostly foreign criminals motivated by financial gain. Securing your online store and complying with regulation isn’t a nice to have, it’s essential.