*UPDATE 20/01/17* Google is now penalising websites that store personal information such as passwords or credit card details without SSL. The Google Chrome browser will also display the words “Not Secure” in the address bar of any website that should have proper security measures in place but fails to do so.
Online shopping is one of the greatest conveniences of modern life. With a couple of clicks of your mouse, you can have goods delivered right to your door, from anywhere in the world. If you are selling goods online, the security of your customers' private information needs to be a top priority. While this is generally well understood, many online sellers believe that by using PayPal, or some other secure third-party payment gateway, their security obligations are met automatically.
However, quite often this is not the case. Some websites grab personal data from their visitors (even credit card information) before redirecting them to a secure payment gateway.
If your website collects personally identifiable data from a user without an SSL certificate, that data is stored in your database as plain text. If your website were to be hacked, this information becomes readily available, in plain sight.
SSL (Secure Sockets Layer), sometimes also referred to as TLS (Transport Layer Security), is a method of encryption that ensures any data your visitors input is stored securely. This is the “first tier” of security regarding online payments.
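As an added example (not code from the original post), here is a small Python check modelled on the Chrome rule in the update above: it parses a page's forms and flags any that collect a password or card number while the page, or the form's action URL, is served over plain HTTP. The sensitive-field list and the sample HTML are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Inputs treated as sensitive: password fields and credit-card autocomplete
# tokens (assumed set for this example, not taken from the post).
SENSITIVE_TYPES = {"password"}
SENSITIVE_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp"}

class FormScanner(HTMLParser):
    """Records each <form>'s resolved action URL and whether it holds sensitive inputs."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # [{"action": str, "sensitive": bool}, ...]
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A form with no action attribute submits back to the page URL.
            self._current = {"action": urljoin(self.page_url, a.get("action", "")),
                             "sensitive": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type", "").lower() in SENSITIVE_TYPES
                    or a.get("autocomplete", "").lower() in SENSITIVE_AUTOCOMPLETE):
                self._current["sensitive"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def insecure_forms(page_url, html):
    """Return action URLs of sensitive forms on a page not served over HTTPS,
    or whose action posts to a non-HTTPS URL (the data would leave in clear text)."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    page_https = urlparse(page_url).scheme == "https"
    return [f["action"] for f in scanner.forms if f["sensitive"]
            and not (page_https and urlparse(f["action"]).scheme == "https")]

# Constructed sample: HTTP checkout page with a card form plus a harmless search form.
SAMPLE_URL = "http://shop.example/checkout"
SAMPLE_HTML = """<form action="/pay" method="post">
  <input name="cc" autocomplete="cc-number"><input type="submit"></form>
<form action="https://search.example/q"><input name="q"></form>"""

if __name__ == "__main__":
    print(insecure_forms(SAMPLE_URL, SAMPLE_HTML))  # ['http://shop.example/pay']
```

Run it against your own checkout and login pages before a release; the same check is cheap to add to a CI step.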
SSL, PCI and Potential Consequences of non-compliance
Collecting sensitive payment information from your customers means your website needs to meet PCI (Payment Card Industry) standards. Go here to view more information about the Payment Card Industry Data Security Standard.
Put simply, if your customers' information is compromised and you are found to be in breach of PCI Data Security Standards, you could suffer fines of up to $100,000 per month.
Things could get worse from there, with the possibility of having your merchant account terminated indefinitely. This means all accounts linked to you, your business and your location (to prevent a family member or employee from simply creating a new merchant account).
SSL Certificates that are signed by a trusted Certificate Authority can be purchased for as little as $30 per year. Weigh this against a potential fine of up to $100,000 per month. Yeah, it’s probably wise to get one.
Firewalls, Passwords and other Security Measures
While having your website secured with SSL is a necessary measure for online retail, it’s only the first step. Other recommendations include:
- Dedicated IP
- WAF (Web Application Firewall)
- Unique login URL
- Unique username, password and access privileges to website admin
- Strong Passwords
- Frequently change passwords
Please be aware that the guidelines vary for every merchant. If you are unsure of your obligations, this page may help you gain a better understanding of your requirements.
One more important consideration is the fact that Google is strengthening the use of SSL certificates as a ranking factor in their Search Engine Results Pages (SERPs). Take a look here for more information on best practices when using HTTPS.
Ever had your credit card details compromised? If you have enjoyed reading this, possibly learned something or have anything to add, leave a Comment below.