E-commerce security: cyber threat protection for your business and customers

Back to glossary

What is e-commerce security?

E-commerce security is the collection of tools and techniques used to protect online stores. The goal is to safeguard the information used by individuals and businesses to buy and sell goods and services on the web. Digital businesses increasingly store sensitive information in user accounts, such as names, credit card numbers and addresses for faster checkout. In order to keep customer confidence and comply with regulations, merchants must enable security measures to prevent the criminal theft, validation and fraudulent use of consumers’ identity, account and payment information when they shop online. The basic elements of e-commerce security include the following:

  • Privacy: Privacy means not allowing the sharing of customer data, including login credentials, credit card or gift card data and other personally identifiable information (PII). This can involve keeping consumer information behind firewalls, using an encrypted connection when receiving or transmitting users’ financial information, and encrypting any stored PII — and ensuring that any third-party API or app with access to the data is doing the same.
  • Integrity: Integrity is ensuring that customers’ information is never altered or changed without their consent. Businesses can do this by identifying where sensitive personal information is stored and restricting who can access it. Then, they can log any access or changes and roll back if necessary.
  • Authentication: Authentication requires that both the seller and the buyer are real and that they are as they present. The business must be genuine and provide what it says it will provide. Customers must be who they say they are in order to engage and make legitimate transactions on the site. This often requires users to prove their identity using methods like login credentials, card PINs and biometric data.
  • Non-repudiation: Non-repudiation is a legal principle stating that neither buyers or sellers can deny their part in a transaction. This involves confirming that any communication between a buyer and seller was received by both parties, so that the transaction can’t be denied. Signatures, emails and receipts are some examples of confirmation approaches.

What are common security issues facing e-commerce websites?

As online shopping grows in popularity, cybercrime against e-commerce businesses is also on the rise. Bot attacks against online merchants are up 102% year-over-year, despite a decrease in legitimate traffic. Since over 99% of websites rely on third-party code, these sites are also at risk of client-side supply chain attacks.

One kind of attack fuels another: a digital skimming attack on Site A generates the information used in a credential stuffing attack on Site B. This propagates and prolongs an attack lifecycle that hits consumers everywhere along their digital journey — and e-commerce web apps are a prime target.

Here are some common types of cyberattacks:

  • Carding: Bots test stolen credit and debit card numbers by making small e-commerce purchases. Once cards are determined to be valid, they can be used to make larger purchases or sold on the dark web.
  • Credential stuffing: Bots test stolen login credentials on e-commerce sites to see if they are valid. If so, they can be used in an account takeover attack or sold on the dark web.
  • Account takeover (ATO): Fraudsters use stolen usernames and passwords to get unauthorized access to user accounts. Once they have control of accounts, they can make fraudulent purchases, spend gift card balances and drain loyalty points.
  • Scalping and inventory hoarding: Bots purchase large amounts of high-demand goods, usually during a flash sale, and resell them on third-party sites.
  • Web scraping: Competitors use bots to scrape content and information about your product line from your e-commerce site. This gives them a competitive advantage and can also damage SEO rankings.
  • Digital skimming and Magecart: Cybercriminals inject malicious code into vulnerable client-side JavaScript to steal payment data from buyers. This can be used to make fraudulent purchases or sold on the dark web.
  • PII harvesting and formjacking: Attackers manipulate vulnerable client-side code to exfiltrate users’ PII, including social security numbers, login credentials, PINs and addresses. Such data can fuel online fraud and account takeovers.

Why do e-commerce issues need to be resolved?

E-commerce security issues can cause several problems for website owners.

  • Loss of revenue: E-commerce businesses must refund customers for fraudulent purchases made on their account and replace lost merchandise. This costs merchants up to $3.60 for every $1 in fraudulent purchases. In addition, bot traffic can drive lower conversion for actual human customers by slowing website performance and locking buyers out of their accounts.
  • Brand reputation damage: If your e-commerce business suffers a major attack, it could tarnish your brand reputation and negatively impact consumer trust. This goes for past customers who may choose not to return to your store, as well as potential customers who may see bad press and decide to use a competitor instead. Almost 60% of consumers won’t buy from a company that has experienced a data breach in the past year, even if they have been longtime customers.
  • Burden on internal resources: Bot traffic taxes your infrastructure and raises your cost for bandwidth. Battling bots requires security and IT teams to reconfigure cloud services, dial bandwidth up and down, tweak firewall configurations and server capacity, and create special scripts. Research estimates that 75-80% of e-commerce operational costs are negatively impacted by malicious bots. That equates to 18-23% of net revenue. And if customers face issues due to bot traffic, they will likely require more customer support resources.
  • Lawsuits and regulatory fines: Data privacy regulations — including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the California Privacy Act (CPRA) — serve hefty fines to online businesses that fail to safeguard consumer data. Furthermore, consumers can file lawsuits against companies who leave them vulnerable to identity theft. British Airways was fined nearly $25 million due to a GDPR violation, and Dunkin’ Brands, Inc. paid $650,000 in a lawsuit as a result of a credential stuffing attack on its site.

How does HUMAN protect e-commerce websites?

The Human Defense Platform is a suite of cloud-native products and services that detect and stop the abuse of identity and account information on the web. Some of the most well-known e-commerce brands rely on HUMAN e-commerce solutions to secure their sites against sophisticated bot attacks, client-side threats, and account abuse. This reduces your risk of fraud, protecting revenue, reputation and operational efficiency.

Carding: what it is and how to prevent it

What are denial of inventory and scalping attacks? | Detection & prevention

What is credential stuffing? | Definition, attack types, & solutions

What is PCI DSS compliance? | Requirements & how to comply

What does CAPTCHA mean? | How CAPTCHAs work