I talk about the features about eCommerce platforms all the time. But I don't often talk about related but important concepts. Every store owner has thought about security and how to keep their store safe both for their customers and so they don't get sued. When it comes to security there are two things you need to worry about.
- The security of your site
- The security of payment information
The security of your site is important because it controls everything. If someone gained access to your site they could get all of your customer's email addresses & mailing addresses. And they could deface your website and do all sorts of other nefarious things.
The security of payment information is critical so customers know they can trust you and your company. No one will want to purchase something from you if they think their payment information will be stolen.
So we need to handle both of these. The first thing we should do is protect your login information.
I'm writing this at a coffeeshop and when I login to my site I see:
The s in HTTPS means it's secure. If I try to login to my site and it isn't protected by HTTPS anyone else at this coffeeshop could intercept and read my password & username. They could save those credentials and log in anytime. They could even change my password and lock me out.
Install an SSL Certificate
The first step to having a secure site is to get an SSL certificate and apply it to your whole site so every page loads in HTTPs. That way when you (or your users) login their credentials are protected.
You can get a free SSL certificate from Let's Encrypt. Your can contact your host about setting this up for you. They'll usually have fully automated ways for you to do it yourself in a few clicks.
If you host is unwilling to install an SSL certificate for you find another host.
Protect Against Brute Force Attacks
Next you should protect yourself against brute force attacks. I'm a big fan of Jetpack which already has this baked in. They have a fantastic free feature called Protect . This feature notices if any WordPress sites are being attacked by brute force and will log their IP and it will automatically protect every other WordPress site from those attackers.
It should be turned on automatically once you connect to WordPress.com. To make sure it's on go to your WordPress admin and then Jetpack -> Settings -> Security and make sure you're protected against brute force attacks.
Your site should now be pretty safe against attackers. No site is ever 100% safe (just ask Equifax) but you've installed enough security that someone would have to target you specifically to get into your site.
Protect Payment Information
Now let's look into protecting our users payment information. Luckily WooCommerce handles most of this for us. With an SSL certificate we protect logins & credit card numbers. And any payment gateway you find on WooCommerce.com will use proper security standards.
You do need to spend a few minutes thinking about PCI compliance. PCI stands for Payment Card Industry. It's the standard for using credit cards in person or online.
You need to fill out a PCI document when you handle credit numbers – even if you aren't personally handling the numbers. With WooCommerce your payment gateway (ex. Stripe) technically handles the credit cards. Since you own your own hardware you need to be aware of who is responsible for what. WooCommerce has a document outlining all they do.
As a store owner you need fill out a self-assessment questionnaire stating what you're doing with the numbers.
Credit Card Tokenization
I do want to talk just a little about saving credit card numbers. If your payment gateway saved physical numbers somewhere that's a terrible policy! You would be liable for any stolen numbers.
Luckily all good developers know about tokenization. And they store a token that allows only their store to reuse that credit card number. They don't store the number itself so it can't be stolen. Any official gateways from WooCommerce.com use tokenization instead of manually storing numbers. I've seen some 3rd party plugins that stored credit card numbers and I worry about those merchants. They could be liable for tens of thousands of dollars.
When it comes to accepting payment use some of the free options from WooCommerce.com (Ex. PayPal or Stripe) or get one of the paid payment gateways. It's better to be safe than sorry when it comes to online payment.