Website Security

Xero
We are an accredited e-commerce Xero advisor

Website security is something that even the biggest and best companies struggle to get right at times (in the last 18 months Adidas, Macy’s, Delta, Under Armour and Forever 21 have all experienced a data breach). However, it is really important that you get it right – a recent KPMG survey revealed that 19% of customers would completely stop using a retailer if they found out they’d had a breach. Some of the key things to consider are:

  • Payment Card Industry Data Security Standards (PCI DSS compliant) – your software and hosting will need to meet these standards if you want to take Mastercard, American Express, Visa or Discover credit cards. You only need this if customer credit card data actually flow through site – as opposed to being submitted directly to a third party payment system such as Paypal. Using a third party company reduces the security risk around card payments, but it doesn’t exclude a business from PCI DSS compliance. Your payment provider should provide you with information that clearly states what their own responsibilities are in order for you to assess your compliance, which you do by completing a Self Assessment Questionnaire
  • Transport layer security (TLS) – an encryption protocol used to secure communications over the internet (TIP: If a web address doesn’t start with https:// it doesn’t use TLS!). TLS is required for PCI compliance, but it doesn’t in itself make you PCI DSS compliant.
  • ISO 27001/27002/27018 – these are internationally recognised frameworks for website security. Whilst they aren’t mandatory, it’s a good idea to look out for providers which have them as they do provide you with additional comfort over the security your provider has in place.

There is a tendency for small merchants to rely heavily on their third party providers for security and it is a subject that is very technical and often daunting. The PCI Security Standards Council provides a PCI Data Security Essential Evaluation Tool for Small Merchants and we very much recommend that e-commerce businesses use this.

Website building solutions

If you’re using a 3rd party e-store solution which includes hosting, then server security will be provided by that provider. Here’s a summary of how some of the key players in the e-commerce market will help to keep your site safe:

Provider Wix Shopify EKM Magento
PCI compliance Yes Yes Yes Yes
Transport layer security Yes Yes Yes Yes (if configured)
ISO 27001 compliant Yes No Yes Yes

However, where hosting is not provided and your site is kept on your own or another server, you cannot rely on your e-commerce platform provider and will need to consider the security of your own server separately.

If you would like to find out more about any of the above mentioned retailers, please take a look here for more details on the wider/pro’s and con’s. Alternatively, if you’d like to speak to one of our e-commerce accounting experts at Elver Consultancy, please call us on 01942 725419.

Internet security is something that is constantly evolving. Whilst we do our best to keep our site fully up to date, please do get in touch with us rather than placing any reliance on the accuracy of the information in this page.