For all businesses that provides their services or goods online, security is one of the most important aspects of their operations. Even more, their future, cash flow and reputation of their brands depends on properly secured systems. This is regardless the tech stack in use, mobile/desktop services, server/cloud based solution or sector of the market.
If you are a CEO, CTO or COO you might asked yourself the general questions about regular security audit and monitoring, backup of data, SLA or password policies. However, only deep analysis done by experts can define your strategy for cyber security and minimize to the absolute minimum potential risks.
Questions that Stepwise engineers ask their E-commerce Clients when start auditing their core systems:
1. Is your online payment mechanism meeting PCI DSS requirements? (Payment Card Industry Data Security Standard)?
- If yes, do you audit the solution?
- If so, is there an audit conducted by an accredited PCI ASV auditor?
2. Is your online store immune from DDOS attacks?
- If yes, do you test against DDOS attacks?
3. Do you perform penetration tests of your e-commerce system?
4. If the Client has a custom solution (based on PHP, Java, etc.). Do you perform static source code analysis (SAST tests)?
5. If the Client uses SaaS platform like Magento, Prestashop:
- How often do you update your e-commerce system?
6. If the Client has its own e-commerce infrastructure. How often do you update your security patches in the infrastructure your e-commerce system uses?
- As soon as they appear.
- I do not know. Our security team works with installing security patches.
- We do not update.
7. Are you using a suspicious activity reporting system? Activities like:
- Many orders submitted by the same user using different cards
- Submitting multiple / suspicious transactions from the same IP address
- Orders in which the recipient is different from the cardholder (name, surname)
- … your example?
8. Are you applying a Chargeback Scam, such as storing a shipping note for each order?
9. Do you use an external fraud detection system?
10. Does the server on which the store is hosted is regularly monitored for malware, viruses, etc.?
11. Does your system enforce strong passwords, such as checking for complexity?
12. Do you use a monitoring system for leaks of your customers’ email addresses?
13. Does the company notifies the customer that his email address is in the email list that has leaked from a service? An example page where you can check if your email address has leaked from a service: https://haveibeenpwned.com/. In case the address is listed, you can notify the customer or ask him to change the password in our system (somehow, that will not scare him :))
If some of the above questions are worrying you, we strongly believe that you should contact security experts and audit your entire solution. Stepwise of course is one of the best options to choose on the Polish market. We will either advise you on what would be the next steps on your cyber security roadmap or commonly define the best possible strategy in order to secure your business.
In case of business questions: firstname.lastname@example.org