Maintaining Data Security in E-Commerce Goes Far Beyond PCI Compliance
By Glenn Goldberg
E-commerce merchants are understandably giddy as the Holiday season approaches. According to estimates published by Deloitte, online sales are projected to reach a staggering $259 billion between September 2024 and January 2025, up a healthy nine percent over the previous year.
Unfortunately, the Holidays are just as lucrative for the legions of bad actors who use the season as an opportunity to launch attacks, steal data, and wreak havoc on the finances of businesses and consumers alike. The surge in web traffic, especially leading up to and following Cyber Monday on December 2, is considered good hunting for cybercriminals, who have become increasingly sophisticated and brazen in their efforts to obtain sensitive data. This is especially true for e-commerce providers that keep their data in the cloud. Account takeover (ATO) attacks and ransomware are two of the most prevalent cyberthreats affecting these merchants, and the damage resulting from a data breach can be cataclysmic for retailers and customers alike.
“A data breach certainly has liability implications for the merchant, but it also eliminates consumer trust, which itself has a far-reaching effect,” says Bill Clark, Chief Executive Officer for Strux Systems, a Phoenix-based payments consulting firm. “Loyal customers and repeat business are the lifeblood of e-commerce, and any impediment to this dynamic is extremely difficult to overcome.”
The Stored Data Conundrum
E-commerce merchants have some good frameworks in place to protect data, such as PCI (Payment Card Industry) requirements, which dictate how payment card information must be stored and transmitted securely for a transaction. However, beyond this transactional data lies a treasure trove of information that merchants regularly gather and analyze: the customer journey, clicks, items saved for later or abandoned, and purchase history all give merchants insights for tailored marketing and loyalty offers. This larger pool of data may not be managed as carefully as PCI data.
Some of the biggest security challenges occur when such data is stored in the cloud, where there is a natural tendency to assume that data at rest remains clean and secure. The reality is far different, explains Rich Vorwaller, Chief Product Officer for Cloud Storage Security (www.cloudstoragesecurity.com), a provider of advanced threat detection and data loss prevention solutions for enterprises.
“The natural tendency among retailers has been to focus on protecting data in motion during a transaction and assume that stored data remains safe because nothing is interacting with that data,” explains Vorwaller. “But this isn’t the case at all. Modern malware has evolved to the point where it can remain dormant for long periods of time until someone needs a backup, access to archival data, or worse, the malware performs some kind of reconnaissance which causes all kinds of problems.”
As Vorwaller explains, e-commerce merchants manage multiple types of data, including PII (Personally Identifiable Information), which can contain vital details such as addresses, dates of birth, and Social Security numbers. Other datasets have business value too, such as service backups, software development pipelines, and images. All of this data is attractive to cybercriminals because it potentially opens new avenues for extorting money from customers and businesses.
“Cloud storage is dependable, but not impenetrable, especially today since we see constant re-engineering of malware and ransomware,” notes Vorwaller. “Assuming that stored data is inherently safe or that cloud providers are completely securing the data has become a root cause for some of the breaches occurring in the e-commerce space.”
Multiple Scanning Engines
One way for merchants to safeguard essential data is to rely on cybersecurity solutions that use multiple scanning engines, each with its own evolving definitions and parameters for detecting new threats. This creates a defense in depth (DiD) strategy in which e-commerce merchants can insulate stored data from breaches and extortion.
“The pace of cyberthreats has accelerated to the point where a single scanning engine can’t be expected to detect all threats that try to compromise datastores,” says Vorwaller. “By utilizing multiple engines, a merchant has a higher probability for detecting all threats and protecting all forms of data.”
Vorwaller also says that modern data protection technology should recognize threats at both the data layer (the actual payload) and the control layer (which defines how users and services interact with the data).
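The two ideas above, several independent engines whose verdicts are combined, and a separate check of the control layer, can be made concrete with a small script. The following is an added example written for this article; it is not code from the article or from Cloud Storage Security. The engines (a hash denylist, a byte-signature match, and an "executable header inside a backup" heuristic), the sample objects, the marker string, the hash and the `pii/` and `backups/` sensitivity prefixes are all constructed for illustration.

```python
# Added example, not code from the article or from Cloud Storage Security.
# It models (1) running several independent scanning engines over stored
# objects and taking the union of their verdicts, and (2) checking the
# control layer (who can read an object) separately from the data layer
# (what the object contains). Every engine, object, hash and policy
# attribute below is constructed for illustration.
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class StoredObject:
    key: str            # object path inside a bucket (constructed)
    data: bytes         # object contents (constructed)
    public_read: bool   # control-layer attribute: world-readable or not


@dataclass(frozen=True)
class Verdict:
    engine: str
    malicious: bool
    reason: str = ""


# Constructed "malicious" payload: a marker string stands in for a byte
# pattern that a signature engine would carry in its definitions.
MARKER = b"CONSTRUCTED-MALWARE-MARKER"
BAD_PAYLOAD = b"PK\x03\x04" + b"\x00" * 16 + MARKER + b"\x00" * 16

# Engine 1: hash denylist. Pretend the hash was recorded after an earlier
# incident; here it is simply derived from the constructed payload above.
KNOWN_BAD_SHA256 = {hashlib.sha256(BAD_PAYLOAD).hexdigest()}


def engine_hash_denylist(obj: StoredObject) -> Verdict:
    digest = hashlib.sha256(obj.data).hexdigest()
    hit = digest in KNOWN_BAD_SHA256
    return Verdict("hash-denylist", hit, f"sha256={digest[:12]}" if hit else "")


# Engine 2: byte-signature match (a simplified YARA-style string rule).
SIGNATURES: Dict[str, bytes] = {"constructed-marker": MARKER}


def engine_signature_match(obj: StoredObject) -> Verdict:
    for name, pattern in SIGNATURES.items():
        if pattern in obj.data:
            return Verdict("signature-match", True, f"rule={name}")
    return Verdict("signature-match", False)


# Engine 3: heuristic. A "backup" object that begins with a PE ("MZ") or
# ELF header is suspicious: a backup archive should not be an executable.
EXEC_MAGIC = (b"MZ", b"\x7fELF")
BACKUP_SUFFIXES = (".bak", ".tar", ".dump")


def engine_exec_in_backup(obj: StoredObject) -> Verdict:
    is_backup = obj.key.endswith(BACKUP_SUFFIXES)
    hit = is_backup and obj.data.startswith(EXEC_MAGIC)
    return Verdict("exec-in-backup-heuristic", hit,
                   "executable header in backup" if hit else "")


ENGINES: List[Callable[[StoredObject], Verdict]] = [
    engine_hash_denylist,
    engine_signature_match,
    engine_exec_in_backup,
]


def data_layer_findings(objects: List[StoredObject]) -> Dict[str, List[str]]:
    """Run every engine on every object. An object is flagged if ANY engine
    hits (the union); the list records which engines agreed."""
    findings: Dict[str, List[str]] = {}
    for obj in objects:
        hits = [v.engine for v in (engine(obj) for engine in ENGINES) if v.malicious]
        if hits:
            findings[obj.key] = hits
    return findings


# Control layer: which objects are sensitive, and who may read them.
SENSITIVE_PREFIXES = ("pii/", "backups/")


def control_layer_findings(objects: List[StoredObject]) -> List[str]:
    """Flag sensitive objects readable by anyone, regardless of whether
    their bytes look clean to every engine."""
    return [o.key for o in objects
            if o.key.startswith(SENSITIVE_PREFIXES) and o.public_read]


def audit(objects: List[StoredObject]) -> Dict[str, object]:
    return {"data_layer": data_layer_findings(objects),
            "control_layer": control_layer_findings(objects)}


# Constructed sample bucket contents.
SAMPLE_OBJECTS = [
    StoredObject("backups/orders-2024.bak", b"MZ\x90\x00" + b"\x00" * 60, False),
    StoredObject("archive/campaign.zip", BAD_PAYLOAD, False),
    StoredObject("pii/customers.csv",
                 b"email,date_of_birth\nalice@example.com,1990-01-01\n", True),
    StoredObject("images/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32, True),
]

if __name__ == "__main__":
    for layer, result in audit(SAMPLE_OBJECTS).items():
        print(layer, result)
```

Run as written, the backup object is caught only by the heuristic engine and the archive only by the hash and signature engines, which is the point of combining them: no single engine flags both. The customer CSV passes every data-layer engine yet is still reported, because the control-layer check looks at who can read it rather than at its bytes.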
“E-commerce, or any other industry that relies on cloud storage, must always think about data security in two approaches: where it is stored and which persons and services have access to it. Their businesses—and their reputations—depend heavily on protecting sensitive data from both vectors.”