Running an online store comes with great responsibility for the products as well as for the customer data. Every day, an online store collects, processes, and store sensitive data that, in the wrong hands, could be a tool for malicious actions.

In early 2023, fashion retailer JD Sports suffered a major cyberattack when hackers breached a server containing online order information. The attack compromised data from approximately 10 million customers, including names, billing and delivery addresses, email addresses, phone numbers, order details, and partial payment card information. 

Considering that, let’s dive into how businesses can protect their eCommerce stores. 

Quick jump

Basic security principles in eCommerce

HTTPS protocol and SSL (Secure Socket Layer) certificate are the minimum requirements for security in any eCommerce store. These solutions are responsible for encrypting the data between the customer’s browser and the store’s server so no one can intercept it.

Lack of an SSL certificate not only increases the risk of private data leaks but also affects the search engine ranking and customers who pay more attention to the “padlock” in the address bar.

The second principle is proper password storage. For this, online businesses should use strong hashing algorithms (like Bcrypt) combined with a unique, random string of characters for each user (known as a “salt”). Adding this random value to the password before encryption protects against common attacks – dictionary attacks (when a hacker tries to guess a password using a list of common passwords) and attacks using pre-prepared hash tables (known as rainbow tables).

With this in place, hackers won’t have direct access to customer passwords once they enter the database. Remember, the responsibility for password security lies with the store, not the customer.

Thirdly system, plugins, and libraries updates. Not updating is like leaving the door open for intruders. Always update the server’s system, store software, plugins, and all used libraries. Hackers exploit known and already patched security vulnerabilities, counting on store owners often neglecting the updates. Automatic updates or scheduling to check for new versions should be part of your store’s routine maintenance.

Best practices for authentication and authorization on the eCommerce website 

Login systems remain the main target for hackers looking to break into online stores, thus, strengthening these vulnerable entry points is very important. To do so, websites implement authentication and authorization measures that add extra security layers. 

Multi-Factor Authentication (MFA)

Multi-factor authentication is a popular solution to fight against unauthorized access to user accounts. This requires users to confirm their identity in at least two different ways – for example, by entering a password and a code received via e-mail, SMS, or generated by mobile application. Even if a hacker gets the user’s password, he/she won’t be able to log in without access to their phone or other authentication device. Although multi-factor authentication can be frustrating for a customer, it significantly increases security of the website. 

Limiting login attempts (Brute-Force Protection)

The simple yet effective way to defend against brute force attacks is by limiting the number of logic attempts on a website. This mechanism blocks login for a specified time (e.g., 15 minutes) after several failed attempts, making brute-force attacks impossible to execute. Moreover, an additional security measure is introducing CAPTCHA, which adds an extra layer of protection against automated attacks. 

Using modern SSO systems

Single Sign-On systems allow customers to log into the store using their existing accounts like Google, Facebook, or Apple accounts. In this solution, these big companies are responsible for keeping the login systems secure, removing the burden from the store owner, and providing the convenience of using the same login credentials for multiple services. 

Cybersecurity protection

The eCommerce stores face threats from all directions. Solid technical protection is the best defense against breaches and keeps the customers’ data safe. Let’s take a look at popular protection measures. 

SQL Injection and XSS protection

SQL Injection and Cross-Site Scripting (XSS) are the most common threats for eCommerce store owners. In SQL Injection, attackers try to inject malicious SQL code through unsecured forms or URL parameters and get unauthorized access to the database. XSS attacks, in turn, involve “injecting” harmful JavaScript code into a page, which then activates in the browsers of unsuspecting users. Proper protection requires using parameterized SQL queries (also called prepared statements), validating and sanitizing all user input data, and using escape functions for data available on the page. Using ready-made security libraries – sets of prepared tools, functions, and programming modules that help implement and maintain application security mechanisms – and regular penetration testing should be a standard in every eCommerce store. 

Content Security Policy (CSP)

Content Security Policy is an additional security layer that helps detect and reduce certain types of attacks, including XSS and data tampering attacks (destroying, manipulating, or editing data). Through proper HTTP header configuration, CSP allows you to specify which sources can display content on your site, like scripts, CSS styles, images, or fonts. Thanks to that, even if an attacker manages to inject malicious code onto the page, the browser will block it if it comes from an untrusted source.

It’s worth keeping in mind that implementing a CSP policy requires careful planning to avoid disrupting the website. Although the initial setup is not the easiest, the security benefits far outweigh the effort.

Firewall and Web Application Firewall (WAF) configuration

A standard Firewall is like a guardian for our website that controls all the traffic and what data can enter and exit our system, being a basic but really valuable tool. Web Application Firewall (WAF) is a more advanced version designed to protect websites and online stores by blocking suspicious activities that can threaten the store and consumer data.

WAF can be implemented in two ways. The first is a cloud service such as Cloudflare, where an external company handles the configuration and updates, and the other option is installing software on a private server, which gives us more control but requires more work and technical knowledge.

Secure storage and processing of customer data

Careful customer data handling serves two purposes: it improves overall security and ensures regulations like GDPR are met. When you get the processes and tools right, you get two benefits – reduced vulnerability to data breaches and a more efficient and organized data management system.

Data encryption in databases and during transmission

As we mentioned when we talked about password storage, encryption is the foundation of customer data security. All sensitive data in the store’s database should be protected with modern, attack-proof encryption algorithms. This is especially important for payment, personal, and authentication data.

Here, let’s not forget to encrypt data during transmission as well. HTTPS secures the communication between the customer’s browser and the server, but equally important is encrypting data between servers or microservices in the store’s infrastructure. In practice, this means to encrypt data both “at rest” and “in transit” using current standards.

A key element is also the proper management of encryption keys. Even the best encryption won’t provide security if the keys are stored unsecured

Data minimization policy

One of the best ways to limit the risks of a data breach is to reduce the amount of data collected simply. The principle of data minimization, also required by GDPR, means to collect only the data that is necessary for a specific business purpose. Before adding each field to a registration or order form, ask yourself: “Do we really need this customer information?” If the data isn’t necessary for order fulfillment or service provision, we shouldn’t collect it. Apart from that, regularly review the stored data and delete the data that is no longer needed. Minimizing your data collection can also helps to improve security and also builds customer trust as customers increasingly expect stores to not ask for too much personal information.

DLP Systems

Apart from the mentioned data security measures, Data Loss Prevention systems are another perfect tool that can be highly effective. By controlling the flow of sensitive information within the eCommerce store infrastructure, they help to identify, track, and protect personal data and other sensitive information, whether stored in a database, transmitted over the network, or viewed by employees. DLP solutions can detect data that needs to be protected (like credit card numbers or personal data) and block unauthorized access or data transfer. For eCommerce stores, DLP functions for controlling employee access to customer data and monitoring data exports are particularly important. You can limit access because only authorized personnel should be able to access sensitive data to prevent potential security breaches and ensure customer data privacy. Although requiring some investment, implementing a DLP system provides a decent level of protection against data breaches caused by external attacks, internal threats, or human error.

In today’s digital world online stores need to be compliant with data protection laws to run your store and to get customer trust. GDPR (General Data Protection Regulation) applies to European customers and requires explicit consent, data access rights, and breach notification protocol. Beyond Europe, the CCPA (California Consumer Privacy Act) adds more compliance requirements for stores that serve American customers.

Different regions have different rules, so store owners must know which laws apply to their customer base. Having a privacy policy explaining how you collect, use, and protect customer data is just as important. Transparency fulfills legal obligations but also builds customer trust in your data security. Remember, compliance is not a one-time task – businesses need to monitor and update their policies and procedures as laws change and your business evolves.

Monitoring and rapid incident response

Staying alert is your best defense against threats. Intrusion Detection and Prevention Systems (IDS/IPS) will automate security monitoring for the store so businesses can detect suspicious activity and potential breaches in real-time. These work 24/7, analyzing network traffic patterns and flagging anomalies that could be an attack in progress. The best IDS/IPS solutions don’t just detect threats they can block suspicious connections before damage is done.

What’s more, well-thought-out backup systems are also valuable help, as even the strongest security measures don’t guarantee a store’s safety. Online businesses shouldn’t neglect to create regular encrypted backups stored in multiple secure locations, ensuring critical data remains recoverable after any breach or system error. 

Moreover, they should have a disaster recovery plan that outlines the procedures, assigns roles, communication channels, etc. Also, they should be tested regularly under realistic scenarios so they will work when needed most. 

Security in Sylius 

In eCommerce, security isn’t a feature—it’s a must. With data breaches reported daily, merchants and developers are right to be concerned about customer data. That’s where open-source platforms like Sylius have an edge.

The strength of Sylius lies in the open access to code. Every line of code is public and reviewed not only by the core team but by the whole community of developers. Some might think this would make it easier for hackers to find vulnerabilities, but the reality is the opposite. When code is open to everyone, you can’t hide security flaws or inject malicious code. This means security issues are found and fixed, not hidden until exploited.

Sylius has a systematic approach to security through several key practices. When vulnerabilities are found, they are documented as Common Vulnerabilities and Exposures (CVEs), which are public records that detail the issue and the fix. The platform underwent security audits in 2019 and 2023, and all issues were addressed. Clients also conduct independent security assessments of their implementation, adding another layer of verification.

Perhaps Sylius’s most powerful security feature is its active developer community. This collective of developers reviews, tests, and hardens the platform’s security. This many eyes on the code creates a security that’s impossible to match with closed-source platforms with limited code reviewers. 

Sylius is built on the Symfony framework, which is designed with security in mind. This solid foundation provides protection against common vulnerabilities and a secure architecture from the ground up. 

Security in Sylius isn’t a one-time achievement but an ongoing commitment. The cycle of testing, community feedback, and updates means the platform evolves to address new threats. This continuous improvement keeps the platform ahead of security challenges.

Final thoughts

Website security shouldn’t be taken as an additional point that can wait but as a must for the store’s survival and customer trust. Customer data protection is critical. Unfortunately, some eCommerce businesses still don’t meet basic security principles or rely on outdated solutions. 

No system is 100% secure, but following the best practices to protect data will reduce the exposure to attacks. Keep in mind that security is an ongoing process that requires regular updates, limiting employee access, monitoring, and adaptations to new threats. Don’t wait for a breach to occur before taking action – the cost of protecting your store is always lower than the cost of recovering lost data, and moreover, your customers’ trust.

Stay safe! ✊

Hackers don’t sleep. Secure your eCommerce business with BitBag. 🔐 Let’s talk about how we can strengthen your store’s security. Book a free consultation with our eCommerce security experts.