E-Commerce Security: A Security-First Approach

If you sell online, e-commerce security should be a constant worry. But by taking a security-first approach to your customer data, you will keep yourself, and your shoppers, safe.

The future of retail lives online. According to data from the St. Louis Federal Reserve Board, online sales increased from $104 billion to $124 billion between January 2017 and April 2018. The steep incline means that you’re probably increasing your business and your profitability through online sales. However, do you know that you are also increasing your potential risk for data breaches? Mitigating the inherent risk of e-commerce security requires a security-first approach to information security so that you can maintain customer data integrity, accessibility, and confidentiality.

Figure: US Quarterly E-Commerce Retail Sales (2015-2018)

What new technologies expand the dimensions of e-commerce security?

On the National Retail Federation (NRF) “Retail Gets Real” podcast, Jason “RetailGeek” Goldberg, board member of the NRF’s digital retail segment Shop.org and leader of SapientRazorfish’s Commerce practice, suggested that two of the primary retail technology trends for 2019 will be:

  • Artificial Intelligence (AI)/Machine Learning (ML)

Increasingly, retailers use AI/ML to personalize customer experiences and target purchasing patterns. Goldberg believes that machine learning can be a bigger disruption to retail than the move to digital, due to its amorphous impact on many aspects of the retail experience. It is also that amorphous nature that makes key performance indicators difficult to define. While the application of AI/ML in e-commerce may not be tangible to the average consumer, the applications using it, like chatbots, voice interfaces, and targeted marketing algorithms, will most certainly be at play.

  • Progressive Web Apps (PWA)

Additionally, Goldberg explained that as customers move from desktop to mobile devices, progressive web apps are the best technology to address the underlying user experience disconnects that create the current gap in conversions between the two. These mobile experiences look like apps, but operate within the mobile browser and as a result do not require a download by the end user. Discussing the statistics, he noted that mobile users are 67% less likely to convert than desktop shoppers. While users rarely download apps, and Google algorithms do not promote the apps, PWA helps bridge the usability gaps between mobile and desktop.

However, implementing these new technologies creates additional e-commerce security issues. New technologies provide you with new revenue streams, but new technologies also open the floodgates for hackers attacking companies using previously unknown security vulnerabilities in “zero day attacks.” Both AI/ML and PWAs expose companies to a new set of risks.

What are the new e-commerce security issues these pose?

Jumping on the new technology train seems like a great idea. Technology’s ability to streamline business processes and increase profitability seems like a “no brainer.” However, you need to be mindful of the effects that these new opportunities have on your data landscape.

New E-Commerce Security Threats From AI/ML

Using AI/ML to create a better customer service experience may be one of its defining uses in e-commerce. For example, the chat box on your website uses machine learning to answer a variety of “frequently asked questions.” You’re saving money and increasing profitability by responding to customers more rapidly, automating a task previously delegated to employees.

However, in The Malicious Use of Artificial Intelligence report published in February 2018, researchers explained that the same properties that enable your business also enable hackers. Unfortunately, AI systems come with a variety of unresolved vulnerabilities. E-commerce AI systems often involve easing communication by learning people’s behavioral patterns. However, the same way AI can learn customer behaviors, it can also learn from hackers. Hackers can teach the systems unintended behaviors or use the code that enables the machine learning to do something unintended.

For example, if hackers teach AI to answer questions about passwords, then your login information may be at risk. Simultaneously, they might be able to exploit weaknesses in the AI’s code to log in to your systems. At the moment, however, the full extent of malicious AI/ML capabilities remains unknown.

The threats may seem unlikely, but the same way that you’re using AI/ML to provide a better customer experience, malicious actors are finding ways to use that against you.

PWAs Increase E-Commerce Web Application Threats

Web applications pose additional security problems for online retailers. Traditionally, network security in e-commerce acted as a primary control for protecting data. A firewall, for example, helps to mitigate intrusions into your networks and systems.  

Web applications, however, put your customers’ information at risk by accessing their devices. PWAs use a combination of code types, including the infamously exploitable JavaScript, to make mobile websites look and feel like downloadable applications. However, if the code is incorrectly written, customers entering information on the PWA can be exposed to risk.

Hackers often exploit websites by inserting malicious code into an application, tricking the web browser into sending the victim’s information somewhere unintended in what is called a cross-site scripting attack. Your customer is using your website, but the information is traveling to you and to the hacker simultaneously. According to a TechRepublic article in April 2018, attacks against users occurred in 85% of the tested web applications, with most of those attacks using cross-site scripting.

The suggested way to protect your customers from these types of security threats in e-commerce is to review the source code. However, many small and mid-sized businesses may not have the resources for this.
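The cross-site scripting mechanism described above, and the source-code review recommended as its mitigation, are illustrated by the following added example. It is not code from the original article or from Zeguro: it shows a PWA page fragment that renders a customer review two ways, once by concatenating the customer's text straight into markup (the defect that makes XSS possible) and once through an output-encoding function, plus a small check that a code reviewer or a CI test can run to confirm the rendered fragment contains only the tags the template itself emits. The function names, the review object and the sample review text are constructed for this example.

```javascript
// Added example, not from the original article. Renders customer-supplied
// text into HTML with and without output encoding. All names and the
// sample review below are constructed for illustration.

// The five characters that can change HTML structure or close an attribute
// value, mapped to their entity forms.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Output-encode a value before placing it in HTML text or a quoted attribute.
// After this, the browser displays the characters; it never parses them.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe rendering: untrusted fields are concatenated straight into markup,
// so any markup a customer submits becomes part of your page. Kept only to
// show the defect a source-code review should flag.
function renderReviewUnsafe(review) {
  return `<li class="review"><b>${review.author}</b>: ${review.text}</li>`;
}

// Safe rendering: every untrusted field passes through escapeHtml, so the
// customer's text is shown verbatim as text and the page structure is
// exactly what the template wrote.
function renderReviewSafe(review) {
  return `<li class="review"><b>${escapeHtml(review.author)}</b>: ${escapeHtml(review.text)}</li>`;
}

// Review/CI guard: report whether a rendered fragment contains any tag the
// template itself does not emit. With correct encoding this is always false,
// whatever the customer typed.
const TEMPLATE_TAGS = new Set(['li', '/li', 'b', '/b']);
function containsForeignTags(html) {
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][a-zA-Z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !TEMPLATE_TAGS.has(t));
}

// Constructed sample input: a review whose fields contain markup, as a
// customer pasting from a web page or probing the form might submit.
const sampleReview = {
  author: 'Dana <script>',
  text: 'Great shoes "5/5" & fast shipping <script>/* injected */</script>',
};

console.log('unsafe:', renderReviewUnsafe(sampleReview));
console.log('safe:  ', renderReviewSafe(sampleReview));
console.log('unsafe has foreign tags:', containsForeignTags(renderReviewUnsafe(sampleReview)));
console.log('safe has foreign tags:  ', containsForeignTags(renderReviewSafe(sampleReview)));
```

The encoding function is the control; the tag check is what a small team without budget for a full code review can still automate, by rendering a few deliberately awkward sample inputs in a unit test and failing the build if the fragment ever contains a tag the template did not write. Pairing this with a Content-Security-Policy header that disallows inline scripts limits the damage if an encoding call is ever missed.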

How to use security-first compliance to focus your e-commerce security environment

You’re looking to scale your business while cognizant that the security risk of e-commerce technology may increase your data breach risk. You deployed a third-party platform to enable online payment security methods, but you also need to make sure that you’re protecting all customer information no matter where it resides.

By using a security-first approach to cybersecurity, you can minimize the risk of a data breach. Old technologies, like payment cards, come with embedded compliance requirements. For example, you know you need to protect cardholder data as part of your Payment Card Industry Data Security Standards (PCI DSS) program. Moreover, the PCI DSS also provides prescriptive controls and guidance to maintaining compliance. While the details might need to be updated, at least you have a map that can guide you.

PWA and AI/ML, as cutting-edge technologies, don’t come with a map. It’s impossible to comply with a non-existent standard or regulation. Unfortunately, a lack of requirements doesn’t get you off the hook. While you don’t have a guidebook, you still need to create a secure data environment.

Using a security-first approach means that you’re focusing on proactively reviewing data assets, examining risks, establishing risk tolerances, creating controls, and continuously monitoring your environment. Compliance standards and regulations all intend to make you secure data. If you’re starting with security-first and then looking to compliance requirements, you’re more than halfway there.

Moreover, as technologies and the threats that accompany them evolve, standards and regulations lag behind. In an increasingly regulated cyber environment, you need to be able to secure the information so that you can rapidly meet new compliance requirements as they arise.

At Zeguro You First Means Security-First

Facing the plethora of e-commerce security threats and solutions available seems daunting. However, at Zeguro we recognize this and by putting you first, we put your security first. With Zeguro, You First means:

  • Understanding your concerns: You’re worried that by scaling your business, you might create an unintended cybersecurity risk.
  • Understanding your needs: You need to find a solution that helps you manage your existing risks in a simple, comprehensive way.
  • Understanding your business: Your business matters to us, and we work to tailor our solutions to your unique needs.

With Zeguro, you have a partner in cybersecurity that focuses on your business and provides a personalized experience to help you understand the steps you need to take to protect yourself, your employees, and your customers.

Zeguro is a cyber safety solution and insurance provider for small to mid-sized businesses (SMBs), offering a comprehensive suite of tools for risk mitigation and compliance, as well as insurance premiums that are tailored to the size, sector and profile of a company.

Written by Karen Walsh, Contributing Editor

14 years of internal audit experience; award-winning writing professor. Cybersecurity writer focused on compliance and end-user awareness.