In January 2019, Google was fined €50 million for failing to comply with the GDPR. France's data protection watchdog, CNIL, exercised the power within its purview to fine Google for the compliance failure. The watchdog is also acting on a case filed by non-profit organizations against Facebook, which it believes is also in grave violation of the regulations established by the European Union.
With players like Google and Facebook under scrutiny for potential violations, every business that stores user data or receives online payments needs to review its compliance. E-commerce is the fastest-growing global industry. Growing at an annual rate of 23%, the e-commerce industry's user base is expanding enormously. With such a huge audience, online stores need to ensure that all user data, including names, addresses and card details, is protected from unauthorized access.
Why is e-commerce one of the prime targets of hackers?
Just like fintech start-ups, e-commerce stores are prime targets for hackers because of the enormous volume of cardholder data they store. In the United States and in European countries, credit/debit cards are the preferred mode of payment. The huge pool of users relying on cards to buy things online has attracted the attention of hackers.
Some of the other reasons why hackers are pursuing e-commerce stores so aggressively:
It is easier to run phishing campaigns: Phishing is one of the most effective ways of stealing data online. By creating a fake website and listing expensive products at an unbelievable price, attackers can get users to hand over their credit card details.
DDoS attacks work: A study found that a "slowdown of just one second can cost Amazon a loss of $1.6 billion in sales each year"; now imagine the plight of an online store whose site goes down for a day. DDoS stands for Distributed Denial of Service, an attack that floods servers with more traffic than they can handle. By choking servers in this way, attackers can demand a ransom to stop.
Compliance is the way forward
The best way of tackling hackers and giving users the confidence to shop without worries is to become compliant. By getting certified by the various bodies that work to protect users from data breaches and identity theft, e-commerce stores can operate under a safety blanket.
Some of the must-have compliances for e-commerce players include:
PCI DSS Certification
The PCI Security Standards Council, founded by card brands such as VISA, MasterCard and American Express, has established a set of requirements that ensure the safety of cardholder data. Any business that stores, transmits or processes credit, debit or prepaid card data must become PCI DSS compliant.
By becoming PCI DSS compliant, businesses can offer customers much-needed reassurance and see a boost in online payments. Failing to demonstrate PCI DSS compliance can make companies liable for fines of $5000-$100,000.
How does PCI DSS protect user data from unauthorized access?
Becoming PCI DSS certified is a demanding task that involves complying with the standard's 12 requirements. These 12 requirements ensure that cardholder data is stored behind protective controls, and that a proper log is kept of everyone who accesses that data.
By restricting physical access to server rooms for internal and external personnel alike, PCI DSS certification ensures that user data remains safe at all times.
ISO 27001 Certification
Since e-commerce marketplaces have multiple reputed brands selling on their platform, ISO 27001 becomes a necessity. ISO 27001 certification safeguards the privacy of the corporations a marketplace works with. It helps businesses protect the financial information, intellectual property and other sensitive information, such as employee details, that third parties share with them.
By becoming ISO 27001 certified, e-commerce stores can encourage popular brands to do business with them. This one certification can help e-commerce marketplaces expand their reach like never before.
How does ISO 27001 protect sensitive data?
ISO 27001 relies on a systematic approach to managing the sensitive information of the third parties involved. Through a rigorous risk management process, ISO 27001 ensures that all data is protected against a range of potential risks. ISO 27001 protects businesses of every size, shape and location from external attacks.
GDPR
The General Data Protection Regulation (GDPR) is a set of rules established by the European Union to safeguard the interests of European citizens on the web. The regulation requires enterprises from around the world to inform European citizens about all the data they collect and the purposes they use it for.
The regulation requires enterprises to disclose what data their websites collect: every website must inform visitors that it is collecting data. GDPR took effect on 25th May 2018 and was introduced to safeguard both businesses and users from unauthorized access to data.
HIPAA Compliance: Personal Protected Health Information
After lifestyle, electronics and B2B, the next e-commerce unicorn will come from the medical sector. The growing number of online stores offering home delivery of medicines at affordable prices has simplified lives. While the public welcomes this new alternative, governments around the world are worried.
With private entities gaining access to patients' personal data, governments worry that businesses will jeopardize people's health for minimal profit. Since e-commerce stores rely on third parties to store user data, governments are further worried that this data could be accessed by enemies of the state and used as a tool to spread disease.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 encourages enterprises to take the following five steps:
- Data Encryption: All data created, received or transmitted about a patient or their health must be 100% encrypted. Encryption ensures that data is readable only by authorized personnel: since decryption requires the right key, the data stays protected as long as the key does, so key management matters as much as the cipher.
- SSL: Secure Sockets Layer (today its successor, TLS) is now the symbol of trust. Ordinary users look for the green padlock when paying online with their cards. The padlock shows that all information shared with the website is encrypted in transit.
- Logging Use and Access to Data Records: Much like PCI DSS, HIPAA establishes accountability and makes internal sabotage attempts far harder to conceal. By logging every action taken on data records, enterprises can identify and close the point of breach more quickly.
- Minimizing the availability of sensitive data: With this step the government wants enterprises to store patients' personal data in a way that is inaccessible to external entities. This step involves tokenization, in which the real data is replaced by a substitute value made up of symbols and numbers. A token carries no information about the original value, so it is useless to a hacker who does not also control the vault that maps tokens back to the data.
- Authentication and IP Blocking: Establishing an authentication process makes it easier for e-commerce stores to thwart external attacks, and IP blocking can be used to obstruct persistent attackers.
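The logging and tokenization steps above are easiest to understand in code. The following is an added example, not code from the article or from any compliance body: a small Python token vault in which a card number is stored once, callers receive only a random token, detokenization is restricted to an allow-list of services, and every access is written to a hash-chained audit log so that a deleted or edited log entry is detectable. The class and function names, the allow-list mechanism and the sample card number are all constructed for this example (the card number is a well-known test value, not a real card).

```python
"""Added example (not from the article): a toy tokenization vault with a
tamper-evident access log, illustrating two HIPAA/PCI themes above:
sensitive records are replaced by tokens, and every access is logged."""
import hashlib
import json
import secrets
from datetime import datetime, timezone


class TokenVault:
    """Maps random tokens to the original sensitive values.

    In a real deployment the backing store would be encrypted at rest and
    isolated from the application servers; here it is an in-memory dict so
    the example runs stand-alone.
    """

    def __init__(self, authorized_readers):
        self._store = {}                      # token -> original value
        self._authorized = set(authorized_readers)
        self._audit = []                      # hash-chained access log
        self._prev_hash = "0" * 64            # genesis value for the chain

    def _log(self, action, actor, token, allowed):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "actor": actor,
            "token": token,
            "allowed": allowed,
            "prev": self._prev_hash,
        }
        # Each entry commits to the previous one, so deleting or editing an
        # earlier line breaks every hash after it.
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(payload).hexdigest()
        self._prev_hash = entry["hash"]
        self._audit.append(entry)

    def tokenize(self, value, actor):
        # The token is random, not derived from the value, so it reveals nothing.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = value
        self._log("tokenize", actor, token, True)
        return token

    def detokenize(self, token, actor):
        # Every attempt is logged, including the denied ones.
        allowed = actor in self._authorized and token in self._store
        self._log("detokenize", actor, token, allowed)
        if not allowed:
            raise PermissionError(f"{actor} may not detokenize {token}")
        return self._store[token]

    def audit_log(self):
        return list(self._audit)


def verify_audit_chain(entries):
    """Recompute the hash chain; True only if no entry was altered or removed."""
    prev = "0" * 64
    for entry in entries:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev:
            return False
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if expected != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def mask_pan(pan):
    """Display form of a card number: only the last four digits survive."""
    digits = pan.replace(" ", "")
    return "*" * (len(digits) - 4) + digits[-4:]


if __name__ == "__main__":
    vault = TokenVault(authorized_readers={"payment-service"})
    sample_pan = "4111 1111 1111 1111"       # constructed test number, not a real card
    token = vault.tokenize(sample_pan, actor="checkout")
    print("stored token:", token, "display:", mask_pan(sample_pan))
    print("payment-service sees:", vault.detokenize(token, "payment-service"))
    try:
        vault.detokenize(token, "marketing-export")
    except PermissionError as err:
        print("denied:", err)
    log = vault.audit_log()
    print("audit chain intact:", verify_audit_chain(log))
    log[1]["actor"] = "someone-else"          # simulate tampering with the log
    print("after tampering:", verify_audit_chain(log))
```

The point to notice is that the application tier never holds the card number after the first call; it works with the token and the masked display form, and only the allow-listed service can ask the vault to reverse the mapping. Chaining the log hashes is a cheap way to satisfy the "log every access" requirement in a form that an auditor can verify rather than merely trust.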
Other compliance requirements that are a must for e-commerce companies include:
KYC: Know Your Customer is one of the most discussed compliance regimes. Countries around the world rely on it to ensure that technology-based companies are not used for money laundering.
AML: Anti-Money Laundering rules are designed specifically to thwart any attempt to fund terrorism or trafficking. They work closely with KYC to identify suspicious transactions and report them immediately to the relevant authority.
Email Protection: CAN-SPAM is designed to protect all email users, in particular from sexually explicit advertising sent through email. Not abiding by the rule invites a fine of $16,000 per violation.
The Internet was meant to simplify lives, but malicious actors have leveraged it to disrupt lives and economies. The growing threat on the web needs to be controlled to support economic growth and improve quality of life.
While governments are doing their part by establishing regulations, it is now up to enterprises to seize the opportunity and build a safer web. By abiding by all of these compliance requirements, companies can create an environment in which people can share data and use their cards without worry.