Web security. It’s so much more than strong passwords and knowing your first dog’s maiden name.
With the amount of websites we build at OOHology, it’s paramount we put security first. We keep our servers as secure as possible, have a proprietary content management system (CMS) and follow all the best practices. But when a business needs to process online payments, there’s a whole host of new concerns to consider. Let’s take a look at a few of the security measures our team implements to secure payment information in an e-commerce website build.
Patch It Up
We keep our web servers updated with the latest security patches while also disabling or restricting unnecessary services. This reduces possible attacks, preventing publicly known entry points, such as the well-known “heartbleed” exploit, which allowed attackers to access sensitive information on your server.
Our team goes the distance to ensure our servers are properly configured. For example, you'll often find some web services that host their database on the same server as their website, but if one or the other is compromised, then the would-be attackers get access to both the server and database. Separating databases from web servers is more work, but it’s one of the many techniques we use to maintain security.
If you're ever processing a payment online and you don't see a lock icon in your browser next to the URL, your traffic is not encrypted and the data is visible to potential attackers. The lock indicates your connection is encrypted via TLS/SSL (transport layer security). For the services that are open (such as the HTTP service), we use industry standard PKI (public key infrastructure) encryption for payment traffic.
We even go a step further here by using only strong encryption protocols and ciphers. This type of encryption prevents the “man in the middle” attacks on customer payment information. For example, some sites may use SSL v3, which is known to be a weak encryption protocol. In only a few hundred requests, a hacker can infiltrate this type of encrypted message. Our team specifically disables these weak protocols that allow attackers to see payments being processed.
Lastly, we simply avoid storing client payment data on our servers. Instead we use secure third-party API's (application programming interfaces) to interface with our software. In the event of a database breach, things like credit card numbers can not be accessed because we don't store them. Even though we treat our servers as if we did store sensitive data, we remove that possibility and rely on large professional organizations such as PayPal, Authorize.NET, and others like those to handle that part. We keep it simple, compliant and secure.
Following these practices has been very successful for our team, but we never let our guard down. Our developers meet twice a week to discuss the latest security and other development best practices. To read more about our security practices, see our recent blog about why hackers love WordPress websites.