eCommerce sites routinely handle sensitive customer data such as card details, home addresses, and bank details. That information is a goldmine for criminals, who use it to commit fraud, so online stores are a standing target for attacks such as account takeover, phishing, and cross-site scripting, all of which put shopper data at risk. eCommerce merchants therefore carry the responsibility for protecting their customers' data.
Why Security and Privacy Matters
Data protection and eCommerce security issues have been in the limelight for the past few years. Numerous companies across many fields have reported data breaches, with Adobe, eBay, and Marriott International suffering some of the biggest of the 21st century.
These high-profile incidents have caused consumer trust levels to plummet, with a recent survey by McKinsey revealing that only 10% to 20% of consumers have confidence in the security of their personal data across various industries. Additionally, 87% of consumers will not do business with a company if they have concerns over their security practices.
Common security threats that eCommerce sites are in danger of are:
- Credit card fraud: customers' card details can be intercepted and used by fraudsters; in the other direction, stolen cards may be used to make purchases on your site, leaving you with chargebacks.
- Phishing: messages or emails from attackers posing as a reputable company, aiming to steal credentials or other personal data.
- Spamming: unsolicited messages carrying malicious links or attachments, sent via email, social media inboxes, comments, or instant messaging with the aim of infecting a computer with malware.
Governments have long known the dangers posed to consumers by websites that handle personal information. As a result, there are a number of regulations in place globally that online businesses need to abide by in order to best protect customer data. If these rules are not followed, not only will companies risk losing customers due to lack of trust, they will also incur hefty fines.
As eCommerce merchants usually have customers from different parts of the world, it is vital to have an understanding of the regulations your business is subject to.
Regulations Online Merchants Need to Know
Payment Card Industry Data Security Standards (PCI DSS)
If you accept card payments, these standards may apply to you.
One of the most obvious threats to customers using online stores is credit card fraud. PCI DSS was therefore created to tighten controls around cardholder data and reduce card fraud globally. To achieve this, PCI DSS sets out six goals, each backed by requirements that card-accepting businesses must meet.
There are twelve requirements eCommerce merchants around the world that accept card payments need to meet. (Source: PCI Security Standards)
It is important to note that PCI DSS is an industry standard rather than a law. Compliance is required by the contracts merchants sign with their acquiring bank and with card brands like Visa and Mastercard. In practice, most eCommerce merchants only feel the standard's teeth after the fact: if a breach can be attributed to a failure to implement it, the merchant faces fines, higher processing fees, or loss of the ability to accept cards. Using a hosted checkout so that card data never touches your own systems narrows the scope of what you must attest to, but it does not remove the obligation.
General Data Protection Regulation (GDPR)
This regulation covers the personal data of individuals in the European Union and European Economic Area. Businesses that operate outside these areas but sell to customers in the EU and EEA are subject to it as well. Failure to comply can result in fines of up to 20 million euros or 4% of a company's annual worldwide turnover, whichever is higher.
GDPR is built around seven principles which aim to give European citizens greater ownership and control of their data, as well as placing limits on what organizations can do with personal data. The seven principles are:
- Lawfulness, Fairness, and Transparency: this entails letting users know what they are signing up to when they give over their personal information. Businesses must use clear, simple, and accurate language to inform customers of what their data is subject to.
- Purpose limitation: this stipulates that a customer’s data will not be used for purposes other than what was originally stated.
- Data minimization: this principle aims to prevent businesses from hoarding data without a clear reason. The amount of data collected is limited and relevant to the intended purpose it was attained for.
- Accuracy: personal data held about a customer must be accurate and, where necessary, kept up to date. The responsibility for correcting or erasing inaccurate data rests with the organization.
- Storage limitation: companies may not hold onto customer data indefinitely. Once data has served its stated purpose it must be deleted or anonymized, unless another legal basis requires retaining it.
- Integrity and Confidentiality: also known as the security principle, this requires that personal data be protected by appropriate technical and organizational measures against unauthorized access, loss, or damage. In short, customer data must be kept secure.
- Accountability: the final principle requires businesses to be responsible for the personal data being handled and their compliance with the other six principles. This compliance can be shown with appropriate measures and records.
Furthermore, businesses have 72 hours from becoming aware of a personal data breach to report it to their supervisory authority (the Information Commissioner's Office in the UK), and must also inform affected individuals without undue delay when the breach is likely to put them at high risk. Missing the deadline can itself attract a fine.
UK Data Protection Act
Now that the UK has left the European Union, the EU GDPR no longer applies there directly. Instead, the UK retained it in domestic law as the UK GDPR, which mirrors the EU text with UK-specific amendments and sits alongside the UK Data Protection Act 2018.
The UK Data Protection Act gives its citizens the right to:
- Be informed of how their data is being used
- Access personal data
- Have data erased
- Stop or restrict the processing of their data
- Object to how their data is used in certain circumstances
- Get and reuse their personal data for different services
Personal Information Protection and Electronic Documents Act (PIPEDA)
This piece of legislation applies to organizations that collect, use or disclose the personal information of Canadian citizens during commercial activities.
PIPEDA is built on ten fair information principles, which include the following:
- Accountability: the organization is responsible for the personal data of Canadians that it holds. The company must appoint someone whose role is to ensure that the business complies with Canada's data protection law.
- Consent: in order to collect, use or disclose personal information, the user’s permission must be obtained.
- Limiting of data collection: information should be collected in a fair and lawful way, limited to only the data needed for the purpose identified by the business.
In addition to following the above requirements, a breach of security safeguards that creates a real risk of significant harm to individuals must be reported to the Privacy Commissioner of Canada, the affected individuals must be notified, and a record of the breach must be kept.
US Privacy Laws
Unlike the EU, the US does not have a central federal-level privacy law. What they do have are several industry-focused federal privacy laws and consumer-orientated privacy laws enforced on a state-by-state basis.
The US has four federal laws that govern how companies in different fields handle their citizens’ personal data. (Source: Varonis)
- US Privacy Act of 1974: this is to do with data held by government agencies. It gives US citizens the right to access and obtain a copy of their data, the right to correct data, places restrictions on what entities can access the data and in which circumstance, and requires agencies to follow data minimization principles.
- GLBA: this protects any information collected from US citizens with the aim to provide a financial product or service. This is primarily applied to banking and insurance companies who must ensure that consumers are aware of the information being collected and shared, along with opt-out instructions.
- HIPAA: this legislation applies to health plans, health care clearinghouses, and health care providers, along with the business associates that handle data for them. Patient data may be used for treatment, payment, and health care operations; using it for marketing or selling it requires the patient's written authorization.
- COPPA: this prohibits online businesses from collecting personal information from children under the age of 13 unless verifiable parental consent has been obtained. Personal information here includes email addresses, screen names, street-level geo-coordinates, photographs, and audio files.
Most of these federal laws will not apply to eCommerce merchants, which is why some states have adopted their own consumer data protection laws. Notably, California passed legislation in 2018 that gives its residents greater rights over the personal data held on them by online businesses. Rhode Island and Utah implemented laws requiring companies to adopt, implement, and maintain reasonable security procedures, though what counts as reasonable is less clearly spelled out than in California's law.
Multiple states aim to follow suit, so it is a good idea to understand what California's law entails.
To summarize, the California Consumer Privacy Act (CCPA) gives Californians the right to see what personal information a company holds on them and which third parties it has been shared with or sold to. Once a verifiable request is received, the business has 45 days to respond. Residents must also be able to opt out of the sale of their data. Enforcement is largely by the state Attorney General, but consumers can sue directly when a business's failure to maintain reasonable security leads to a breach of their data. The law applies to qualifying businesses wherever they are based, as long as they do business in California.
A list of US states aiming to pass well-rounded consumer data protection laws. With the exception of California, all of this legislation was pending at the time of writing. (Source: Varonis)
How to Comply with Regulations and Secure Your Site
With so many rules and regulations, you must be wondering whether your site complies with these standards. Fortunately for Shopify merchants, Shopify has taken steps to ensure it adheres to the majority of these requirements.
Shopify itself stores relatively little customer data, which fits the data-minimization principle that nearly all of these regulations impose. Shopify is also PCI DSS compliant, which covers the hosted checkout; you remain responsible for anything you add on top of it.
The platform also supports two-step authentication on accounts, which limits the damage if a staff password is phished: a stolen password alone is no longer enough to log in.
Connections between shoppers' browsers and your store are encrypted with TLS, which protects data in transit from interception. Shopify rejects the deprecated TLS 1.0 and 1.1 protocols, which have known weaknesses, so only TLS 1.2 and newer connections reach its servers.
Despite the protocols that already exist within the SaaS solution, there are other actions e-merchants can take in order to make their store as secure as possible, as well as making it easier for customer data to be shared with a customer should they ask for it.
Know how to process data requests
All of the above regulations give consumers the right to access the information eCommerce merchants store on them. So, should you receive a request, it is crucial that you understand how to obtain and send customer data.
The first step is to verify that the request really comes from the customer in question. Ask for proof of identity, but tell the customer to redact sensitive data points such as passport numbers, since you do not want to store those either. Once the identity is verified, from your Shopify admin click Customers, click the customer's name, and select Request customer data. An email containing the requested information is then sent to the store owner; only the store owner can perform this action.
For more detailed information on processing data requests and erasure requests, head to this article.
To protect against account takeover, use a long, unique password for your Shopify account. Length matters more than clever substitutions: a passphrase of several unrelated words, or a random string generated by a password manager, is stronger than a short mix of upper and lowercase letters, numbers, and special characters like "@" or "%". Never reuse the password on another site, and turn on two-step authentication.
To limit access to sensitive information, make use of staff accounts. You can create an account for each member of staff with only the permissions their job needs, so they can work in your Shopify admin without being able to view your customers' personal data.
Limiting access this way also reduces the damage if a staff member's computer or credentials are compromised: an attacker gets only what that account can see, not the whole store.
Terms & conditions
If you use customer data for marketing purposes or during the checkout process, you must inform your customers of this and allow them to explicitly agree to their data being used for this reason.
On pages with submission forms, be sure to include a link to a document that states exactly how their data will be used. Do not allow customers to hit submit unless they have checked a box to indicate that they have read, understood how their data will be used, and agreed to it being used for the stated purpose.
Shopify has a free Terms & Conditions Generator that produces terms written in clear, easily understood language. Treat the output as a starting point and have it reviewed against the regulations that apply to your customers before relying on it.
Protect your API keys
If you hire a Shopify developer to customize a tool for your site, make sure the code you hand over does not contain your API keys or access tokens; these are equivalent to your password. Anyone holding an admin API token gets whatever access that token was granted, which can include reading orders and customer data or changing your store. Pass credentials out of band or through environment variables instead of hardcoding them, and if a key has been exposed, rotate it immediately.
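The check a merchant can run before handing code to a contractor, as an added example written for this article (it is not Shopify code). It scans file contents for hardcoded Shopify credentials and shows the same file rewritten to read them from environment variables. The token formats (a shpat_/shpca_/shppa_/shpss_ prefix followed by 32 hex characters) are the patterns open-source secret scanners commonly match; confirm them against current Shopify documentation. The sample files are constructed.

```python
"""Pre-handoff scan for hardcoded Shopify credentials.

Added example for this article; it is not Shopify code. The token formats are
the ones commonly matched by open-source secret scanners (prefix plus 32 hex
characters); confirm them against current Shopify documentation.
"""
import re
from dataclasses import dataclass

# Assumed credential formats. shpat_/shpca_/shppa_ are access-token prefixes,
# shpss_ is a shared secret; a bare 32-hex value only counts when it is
# assigned to something named like an API key or secret.
PATTERNS = {
    "shopify_access_token": re.compile(r"\bshp(?:at|ca|pa)_[a-fA-F0-9]{32}\b"),
    "shopify_shared_secret": re.compile(r"\bshpss_[a-fA-F0-9]{32}\b"),
    "bare_api_key_assignment": re.compile(
        r"(?i)\b(api[_-]?key|api[_-]?secret|secret[_-]?key)\b\s*[:=]\s*['\"]([a-f0-9]{32})['\"]"
    ),
}


@dataclass
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # enough to identify which credential leaked, never the whole value


def redact(secret: str) -> str:
    return f"{secret[:6]}...{secret[-4:]}" if len(secret) > 12 else "***"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per credential-looking match, with line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, regex in PATTERNS.items():
            for match in regex.finditer(line):
                # The assignment pattern captures the secret in its last group;
                # the prefixed patterns have no groups, so use the whole match.
                secret = match.group(match.lastindex) if match.lastindex else match.group(0)
                findings.append(Finding(path, lineno, kind, redact(secret)))
    return findings


def safe_to_hand_over(files: dict[str, str]) -> bool:
    """True only if none of the given {path: contents} pairs contain a credential."""
    return not any(scan_text(path, text) for path, text in files.items())


# Constructed sample: the kind of file a merchant might send to a contractor.
LEAKY_APP = (
    "import requests\n"
    'SHOP = "example-store.myshopify.com"\n'
    'ACCESS_TOKEN = "shpat_0123456789abcdef0123456789abcdef"  # hardcoded: bad\n'
    'API_SECRET = "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"\n'
    'api_key = "00112233445566778899aabbccddeeff"\n'
)

# The same file after the fix: credentials come from the environment, which
# the merchant sets on their own machine or deploy target, never in the handoff.
FIXED_APP = (
    "import os\n"
    "import requests\n"
    'SHOP = "example-store.myshopify.com"\n'
    'ACCESS_TOKEN = os.environ["SHOPIFY_ACCESS_TOKEN"]\n'
    'API_SECRET = os.environ["SHOPIFY_API_SECRET"]\n'
)

if __name__ == "__main__":
    for finding in scan_text("leaky_app.py", LEAKY_APP):
        print(f"{finding.path}:{finding.line}: {finding.kind} {finding.redacted}")
    print("fixed_app.py safe:", safe_to_hand_over({"fixed_app.py": FIXED_APP}))
```

Run it over the directory you are about to zip up; any finding means the credential has to be removed and, because it has already been written to disk in plain text, rotated in the Shopify admin.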
By installing TrustedSite and gaining TrustedSite Certification, you can show visitors that your site is safe. The app will run weekly scans that check for malicious links and malware, ensure that the site is not compromised, and check that the site is not blacklisted by Google. On top of this, TrustedSite offers your customers protection against identity theft for 90 days after their purchase for up to $100,000 in losses.
Train your staff
If your staff members have access to your Shopify admin page or handle any customer data, it is crucial to inform them of the importance of protecting data and how to avoid hacking attempts.
Make sure they know the hallmarks of phishing emails: unexpected attachments, especially executables such as .exe files; a sender address whose domain does not match the company it claims to be from; grammatical errors; artificial urgency; and links pressing them to provide or update their password.
This phishing email looks pretty legitimate, however, the red flags are the suspicious-looking email address which does not use PayPal’s domain together with a call to input credentials. (Source: We Live Security)
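The same red flags, as detection logic rather than a checklist. This is an added example written for this article, not code from the page, from We Live Security, or from any vendor. It parses a message with Python's standard email library and reports a sender domain that does not belong to the brand named in the From header, links that point elsewhere, wording that asks for credentials, and executable attachments. The brand-to-domain table, the phrase list, the extension list, and both sample messages are constructed assumptions for illustration.

```python
"""Heuristic phishing triage for the red flags described above.

Added example for this article; not from the page, We Live Security or any
vendor. KNOWN_BRANDS, CREDENTIAL_PHRASES and DANGEROUS_EXTENSIONS are
assumptions that a real deployment would tune to its own suppliers.
"""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: brands staff expect mail from, and the domains those brands really use.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "shopify": {"shopify.com"},
}
CREDENTIAL_PHRASES = (
    "verify your account", "update your password", "confirm your password",
    "log in to", "sign in to", "enter your credentials",
)
DANGEROUS_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host: str) -> str:
    # Naive: keeps the last two labels ("www.paypal.com" -> "paypal.com").
    # A production version should use the Public Suffix List so that
    # domains such as example.co.uk are handled correctly.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def claimed_brand(display_name: str, address: str):
    """Which known brand does the sender present itself as, if any?"""
    haystack = f"{display_name} {address}".lower()
    return next((brand for brand in KNOWN_BRANDS if brand in haystack), None)


def triage(raw_message: str) -> list[tuple[str, str]]:
    """Return (code, detail) pairs for each red flag found; an empty list means clean."""
    msg = message_from_string(raw_message)
    flags = []
    display_name, address = parseaddr(msg.get("From", ""))
    brand = claimed_brand(display_name, address)
    sender_domain = address.rpartition("@")[2]
    if brand and registrable_domain(sender_domain) not in KNOWN_BRANDS[brand]:
        flags.append(("sender-domain-mismatch", f"{address} claims to be {brand}"))

    text = msg.get("Subject", "") + "\n"
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename and filename.lower().endswith(DANGEROUS_EXTENSIONS):
            flags.append(("dangerous-attachment", filename))
        elif part.get_content_type() in ("text/plain", "text/html"):
            text += part.get_payload(decode=True).decode("utf-8", errors="replace")

    lowered = text.lower()
    hit = next((phrase for phrase in CREDENTIAL_PHRASES if phrase in lowered), None)
    if hit:
        flags.append(("credential-request", hit))
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if brand and registrable_domain(host) not in KNOWN_BRANDS[brand]:
            flags.append(("link-domain-mismatch", url))
    return flags


def build_sample(from_header: str, subject: str, body: str, attachment_name: str = "") -> str:
    """Constructed sample message (not a real email) for exercising triage()."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "orders@example-store.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


PHISH = build_sample(
    "PayPal Service <service@paypal-secure-login.com>",
    "Action required: verify your account",
    "Your account is limited. Log in to restore access:\nhttp://paypal-secure-login.com/signin\n",
    attachment_name="Invoice.exe",
)
LEGIT = build_sample(
    "PayPal <service@paypal.com>",
    "Your receipt",
    "Your payment receipt is attached. View activity at https://www.paypal.com/activity\n",
)

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, triage(sample))
```

Such heuristics are a training aid and a first filter, not a replacement for a mail gateway: a sender domain mismatch is the strongest of the four signals because it cannot be fixed by better spelling, while keyword and extension checks are easy for an attacker to dodge.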
Encourage employees to use an email platform with strong spam and phishing filtering, such as Gmail or Google Workspace. Ensure they understand the dangers of sharing passwords, and forbid them from sharing their Shopify passwords with anyone by any means.
Always alert customers of data breaches
Should your store fall victim to a cyberattack, notify your customers promptly. Regulations set deadlines (GDPR, for example, gives 72 hours to notify the supervisory authority), so to be on the safe side aim to inform affected customers and the appropriate authorities within the first 24 hours of confirming the breach, and keep a written record of what happened, what data was involved, and when each notification went out.
Cybersecurity is a key area of concern for eCommerce merchants and online consumers. As eCommerce activities require the collection and use of personal customer information, merchants should be vigilant and advocate for air-tight security. In doing so, eCommerce merchants can increase customer trust and alleviate the worries many consumers have, forming long-lasting customer relationships.