Shopping cart security is a high priority, both for ecommerce businesses and their customers.
Surveys show that while consumers value the convenience of shopping online over any security concerns, online security is still on their radar. Shoppers are savvy about factors that can protect their security, such as only shopping from HTTPS connections and not using public WiFi to checkout online.
For ecommerce businesses, it’s not just about the risk of financial losses, but reputational loss that can go along with a data breach. While studies show many consumers won’t hold a breach against the retailer in the future, at least 25% said that they would. If a leak occurs within your own business, a 25% loss of customers would be significant!
With that said, what do store owners and their customers need to know about shopping cart security? What can you do if your store is built on WooCommerce? Here’s our quick guide:
What is a secure shopping cart?
As a general rule, a secure shopping cart has more than one or two security measures in place to protect user data. The idea is that if one fails, you should have other means of protecting the integrity of your customer’s details. You may already have a 128-SSL certificate, but that doesn’t entirely protect against hackers. Some other examples of means of protection include:
- Only using secure, reputable payment gateways.
- Running regular updates.
- Using security plugins that limit login attempts.
- Enabling 2FA (two-factor authentication).
- Choosing a very secure host.
- Setting strong usernames and passwords.
- Ensuring that integrations (such as your CRM) are secure.
- Identifying/preventing fraudulent transactions
Payment gateways are a service provided by a third-party merchant that allows the transfer of money from your customer to you. The processing of the transaction doesn’t happen directly on your website, nor are payment details stored there. This adds an extra layer of protection because hackers would need to get through gateway security.
Ecommerce store owners should stick with well-known, reputable merchants. For example, Stripe, PayPal, Visa, Apple Pay etc.
Your website operating system and any plugins you run will have periodic updates that should be applied ASAP. The software developers update (or should be updating) software to protect against any new threats and to keep the software in top working order.
When you choose plugins, one thing to look out for is that they are being regularly updated. This tells you the developers are active and move quickly to secure against threats.
WordPress/WooCommerce are generally thought to be safe platforms, however they’re not bulletproof. It helps to have reliable security plugins deployed that add an extra layer of protection.
The role of the plugin is to constantly check for threats and eliminate them through updating security measures. Look for a plugin that limits login attempts as well, so that anyone who has too many failed tries is locked out.
Two-factor authentication means all user accounts must get through two steps before being granted access. For example, after inputting username and password, the user may have to supply a code that has been sent to them via text message or email.
There are thousands of website hosting companies out there, but not all of them are reliable. WooCommerce store owners should choose a hosting service that specializes in WordPress and has built a strong reputation for reliability and security.
Strong usernames and passwords
Usernames and passwords should be easy for you to remember but not easy for hackers to guess. For example, many store owners use “admin” as a username, but that’s one of the easiest to guess. Mix up usernames and passwords with different characters and numbers added in, and make it unique for each account you have.
Any integrations with tools such as CRMs should be strong and secure. These should also be regularly updated to maintain their integrity.
Identifying/preventing fraudulent transactions
This is something that happens on the merchant end and tends to be administered through controls you put on your ecommerce store. Each business will be different in terms of what sorts of transactions constitute a risk. For example, you might have geo-location blocks on transactions, or prevent transactions with shipping addresses outside of a certain region. You can use gateways that require CVV on credit card transactions so that hopefully it’s a barrier for stolen card information where the thief doesn’t have the physical card.Ecommerce security should involve multiple measures to mitigate fraud or data breaches Click To Tweet
Are store owners ever liable for fraud?
In some cases, yes. Ecommerce store owners will be held responsible (if not liable) for fraudulent transactions. For example, if someone makes a purchase using a stolen credit card and you allow the transaction to go through, you can find that you end up with a chargeback from the bank of the person whose card was stolen. Chargebacks also include extra fees that you pay.
Chargebacks are a common problem for ecommerce brands, including some fraudulent chargebacks (where a customer alleges they didn’t receive a product or make a purchase, when they actually did). Some e-tailers choose to get chargeback protection as part of their merchant account for these reasons.
In terms of data leaks, where a hacker has stolen customer data from an ecommerce site, the question of liability is a “maybe.” Stolen data definitely leaves the company open to civil lawsuits, so it’s always better to err on the side of overprotecting customer data.
Is shopping cart security different for international transactions?
This very much depends on the security preferences you have set up. You may want to do business internationally, but that also means you could end up dealing with chargeback rules and fees for different locations. Of course, there are also issues with shipping costs and taxes to consider. Every ecommerce merchant should do their own due diligence to understand the risks and benefits of conducting business across borders.
Some merchants choose to set their preferences so that no international credit cards will be accepted at all. Others base their rules on shipping addresses. For example, what if someone living in a different country wants to send a gift to their mom, who happens to live in your country? Can they pay with their foreign credit card?
Security measures in terms of using reputable gateways and requiring CVV shouldn’t change. You may also choose to require additional contact details. Some merchants will flag international transactions and check up on them before allowing them to process.
Are some payment platforms more fraud-prone?
The answer to this question is not as straightforward as “this gateway experiences more fraud.” As long as you’re using reliable platforms, from the ecommerce merchant perspective, it’s often about chargebacks and which platforms are more likely to side with customers over every chargeback request (remembering that some are malicious or fraudulent).
For example, payments via digital wallets such as Apple Pay have been prone to “friendly fraud”, such as when kids make purchases using stored information. PayPal has been known to have high chargeback rates due to friendly fraud too, and have a reputation for often siding with their user, while charging the ecommerce store.
Debit cards pull straight from user bank accounts and there is no chargeback protocol impacting merchants. Basically, it’s at the customer’s own risk if they use a debit card to pay online. This is the most valuable information for fraudsters to have because they can dip straight into a customer’s bank account.
While you as the ecommerce owner may not be on the hook for fraudulent activity on a debit card, it still puts you in an ethical quandary. The account owner may request a refund from you, and it will be up to you to decide whether to honor that or not.
Security is always a concern and a risk for ecommerce stores. For WooCommerce store owners, managing that risk starts with following some good protocols for security, including having a reliable host and putting security plugins in place.
There’s really no way of completely avoiding risks such as fraudulent purchases or chargebacks, but you can follow some best practices so that you minimize them. As an ecommerce merchant, you need to do all that you can to protect customer data, and protect your business from the potential consequences of fraud.
One thing that can help? An optimized checkout experience that integrates with top payment gateways. Take a look at how CheckoutWC can help.