DA5. ECommerce Applications¶
Statement¶
Now that you have learned about e-commerce, answer the questions below:
- What are the best security practices online when accepting electronic payments?
- How can e-commerce website administrators stay up to date with electronic payment regulations and laws as they change?
- What are some security measures that an e-commerce website administrator can implement to ensure that an online payment site is protected from hackers, phishing, and malware?
Answer¶
What are the best security practices online when accepting electronic payments?¶
"Accepting electronic payments" is a vague term: it may mean the user's best practices when paying online, or it may mean the website administrator's best practices when accepting payments online. Each of these two scenarios has different best practices, so I will discuss them separately.
Best practices to accept payment online for users (who make the purchase, i.e. pay the money)¶
- Use an up-to-date, patched browser.
- Use a third-party payment gateway when possible, e.g. PayPal, Apple Pay, Google Pay, etc.: these gateways have built-in protections against malicious websites, they are patched regularly to fix security vulnerabilities, and they hide your card number from the merchant by handing the merchant a token instead.
- Ensure that the connection is secure by checking for "https://" and the lock icon in the address bar. Keep in mind that the lock only means the connection is encrypted to whoever owns that domain; a phishing site can have a valid certificate too.
- Be careful when entering your credit card information and check the domain name itself, not just the look of the page (e.g. if you think you are on Amazon, make sure the address really is amazon.com and not a lookalike such as amazon.com.example.net).
- Avoid using public computers or public networks to make payments online.
- Avoid paying through little-known mobile applications; an app you cannot vet sees everything you type into it, so use the browser instead.
- And there are many more.
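The two checks above (HTTPS, and the real domain rather than a lookalike) can be expressed as code. The following is an added example, not code from the original page; the expected hostnames and test URLs are assumptions chosen for illustration. It also goes beyond the text by rejecting two tricks a lock icon does not protect against: a `user@` part that makes the real host easy to miss, and internationalised hostnames whose letters imitate Latin ones.

```python
"""Check that a checkout URL really belongs to the merchant you expect.

Added example (not part of the original page). The expected hosts passed in by
the caller are assumptions; nothing here contacts the network.
"""
from urllib.parse import urlsplit


def is_expected_site(url: str, expected_host: str) -> bool:
    """Return True only if url uses HTTPS and its host is expected_host or a subdomain of it."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False  # no lock icon: the connection is not encrypted at all

    # .hostname drops any "user:pass@" prefix and port, and lowercases the host,
    # so "https://amazon.com@evil.net/" is correctly seen as evil.net
    host = parts.hostname
    if not host:
        return False

    # Internationalised names (raw Unicode or "xn--" punycode) can imitate Latin
    # letters, e.g. a Cyrillic "a" in place of a Latin one; treat them as suspicious.
    if not host.isascii() or "xn--" in host:
        return False

    expected = expected_host.lower().rstrip(".")
    host = host.rstrip(".")
    # A suffix match on ".amazon.com" accepts www.amazon.com but rejects
    # amazon.com.evil.net and secure-amazon.com
    return host == expected or host.endswith("." + expected)


# Constructed sample URLs: each is paired with the merchant the user believes they are on
SAMPLE_URLS = [
    ("https://www.amazon.com/dp/B000000000", "amazon.com"),
    ("http://www.amazon.com/", "amazon.com"),
    ("https://www.amazon.com.evil.net/checkout", "amazon.com"),
    ("https://amazon.com@evil.net/", "amazon.com"),
    ("https://secure-amazon.com/", "amazon.com"),
    ("https://xn--80ak6aa92e.com/", "apple.com"),
]


def audit(samples=SAMPLE_URLS):
    """Return a list of (url, verdict) for the sample URLs."""
    return [(url, is_expected_site(url, host)) for url, host in samples]


if __name__ == "__main__":
    for url, ok in audit():
        print(("OK      " if ok else "REJECT  ") + url)
```

Only the first URL passes; the others are either plain HTTP, a lookalike domain, a `user@host` trick, or a punycode hostname.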
Best practices to accept payment online for merchants (who receive the purchase, i.e. receive the money)¶
- Keep your payment system, and the platform it runs on, patched and up to date.
- Make sure you have a valid TLS (SSL) certificate and serve the whole site over HTTPS, not only the checkout page.
- Avoid building your own payment system; use a third-party payment gateway instead.
- Avoid storing credit card information on your servers: let the gateway tokenize the card and keep only the token, the card brand and the last four digits. Never store the CVV.
- Offer the common payment methods and wallets (PayPal, Apple Pay, Google Pay, etc.) through the gateway rather than integrating each one yourself, so that card data stays with the gateway.
- Use only reputable, well-maintained third-party systems.
- Avoid using public computers or public networks when setting up or administering your payment system, and protect the admin accounts with strong passwords and multi-factor authentication.
- Always make sure that the system stores users and their orders securely, with an audit trail, so that disputes and chargebacks can be resolved.
- And there are many more.
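"Avoid storing credit card information on your servers" is easy to state but card numbers still leak into logs, support tickets and database dumps through free-text fields. The block below is an added example, not code from the original page: it detects full card numbers (13 to 19 digits that pass the Luhn check) in text and masks them to the first six and last four digits, the most PCI DSS permits to be displayed. The log line is constructed and the card numbers are the well-known test numbers, not real cards.

```python
"""Find and mask card numbers (PANs) that leaked into free text.

Added example (not the original page's code). The sample log line is constructed;
4111 1111 1111 1111 and 4242 4242 4242 4242 are public test card numbers.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes.  The lazy
# quantifier plus the trailing word boundary makes the match stop at the first
# boundary, so a number that directly follows a PAN is not swallowed into it.
_PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}?\d\b")


def luhn_valid(number: str) -> bool:
    """True if the digits in `number` satisfy the Luhn checksum used by card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS allows."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Mask every Luhn-valid 13-19 digit run; other numbers (order ids, IPs) are left alone."""
    def _sub(match):
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return _PAN_CANDIDATE.sub(_sub, text)


# Constructed log line: an order id that happens to be 13 digits, a full PAN, an IP
SAMPLE_LOG = (
    "2024-03-01T10:00:01Z order 1234567890123 paid, card 4111111111111111 "
    "exp 12/27, customer 203.0.113.5"
)

if __name__ == "__main__":
    print(redact_pans(SAMPLE_LOG))
```

Only the Luhn-valid run is masked; the 13-digit order id fails the checksum and stays readable. A Luhn check cuts false positives but does not remove them (roughly one random 13-plus digit number in ten passes), so treat this as a safety net behind the real control, which is never accepting the PAN on your own servers in the first place.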
How can e-commerce website administrators stay up to date with electronic payment regulations and laws as they change?¶
- Electronic payment regulations and laws change all the time, and it is very hard to keep up with them; for a small or medium-sized business it is close to impossible to do alone.
- The best solution is to use a third-party payment gateway, e.g. PayPal, Apple Pay, Google Pay, Stripe, GoCardless, etc.
- These gateways are built to handle the regulations (PCI DSS for card data, and regional rules such as strong customer authentication) and they track changes down to the per-country level, so the merchant inherits most of that work. What remains for the administrator is to subscribe to the gateway's compliance and API change notices, keep the integration on a supported API version, and complete whatever yearly self-assessment the gateway or acquirer asks for.
What are some security measures that an e-commerce website administrator can implement to ensure that an online payment site is protected from hackers, phishing, and malware?¶
- It is rare that a website administrator will implement all of these security measures, but it is good to know about them.
- Some useful security measures are:
- Limit access (access control):
- Only allow access to the payment system's administration and back-end to authorized users, with the least privilege each role needs.
- Only registered users with accounts can enter the checkout page or place an order, so that every order is tied to an identity.
- Install a firewall on the server:
- Use a firewall to restrict which ports and services are reachable from the internet (typically only HTTPS), so that databases and admin interfaces are not exposed.
- Bad actors will keep trying to log in with missing or guessed credentials.
- A network firewall alone does not see credentials, so pair it with rate limiting, account lockout and automatic blocking of the offending addresses to stop these attempts.
- Firewalls are usually placed at the edge of the network, where the internet connects to it.
- Encryption and signing:
- Encrypt all data that is sent or received over the internet with TLS (HTTPS).
- This prevents bad actors on the path from reading or altering the data.
- All modern browsers support TLS by default and warn on pages that lack it.
- Your server must have a valid certificate, covering the site's hostname, that is signed by a trusted certificate authority.
- During the TLS handshake the server sends its certificate (the public part) to the client; the client checks the CA signature and the hostname, and the server proves it holds the matching private key by signing the handshake.
- The requests themselves are not encrypted with the certificate's public key: both sides derive a fresh symmetric session key during the handshake and use it for the actual traffic, and the private key never leaves the server. Use TLS 1.2 or later and disable older protocol versions.
- Signing also matters for payment notifications: gateways sign the webhooks that tell your site an order was paid, and the site must verify that signature before marking the order as paid, otherwise anyone who can reach the endpoint can forge a payment.
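The firewall and access-control points above come together in practice as a brute-force detector: parse the login log, count failures per source address in a sliding window, and turn the offenders into firewall drop rules. The block below is an added example, not code from the original page. The log format, the threshold (five failures inside five minutes) and the addresses are assumptions, and the log lines are constructed.

```python
"""Detect credential guessing against a payment admin login and produce firewall rules.

Added example (not the original page's code). Log format, threshold, window and
addresses are assumptions; the sample log is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> login OK|FAIL user=<name> ip=<addr>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_line(line):
    """Return (timestamp, result, user, ip) or None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["ip"]


def find_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: time at which ip reached `threshold` failures inside `window`}.

    Successful logins are ignored on purpose: a guessed password that finally
    works should not reset the count from the attacker's address.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, _user, ip = parsed
        if result != "FAIL" or ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked


def drop_rules(blocked):
    """Render the offenders as iptables commands the edge firewall can apply."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(blocked)]


# Constructed sample: 203.0.113.5 hammers the login, 198.51.100.7 fails slowly,
# 192.0.2.9 is a legitimate user
SAMPLE_AUTH_LOG = """\
2024-03-01T10:00:01Z login FAIL user=admin ip=203.0.113.5
2024-03-01T10:00:05Z login FAIL user=admin ip=203.0.113.5
2024-03-01T10:00:09Z login OK user=alice ip=192.0.2.9
2024-03-01T10:00:12Z login FAIL user=root ip=203.0.113.5
2024-03-01T10:00:20Z login FAIL user=admin ip=203.0.113.5
2024-03-01T10:00:31Z login FAIL user=administrator ip=203.0.113.5
2024-03-01T10:00:40Z login FAIL user=admin ip=203.0.113.5
2024-03-01T10:02:00Z login FAIL user=bob ip=198.51.100.7
2024-03-01T10:09:00Z login FAIL user=bob ip=198.51.100.7
2024-03-01T10:16:00Z login FAIL user=bob ip=198.51.100.7
"""

if __name__ == "__main__":
    hits = find_brute_force(SAMPLE_AUTH_LOG.splitlines())
    for ip, when in hits.items():
        print(f"{ip} reached the threshold at {when.isoformat()}Z")
    print("\n".join(drop_rules(hits)))
```

Only 203.0.113.5 is reported, at its fifth failure (10:00:31); 198.51.100.7 never has more than one failure inside any five-minute window, which is exactly the kind of slow guessing a window-based rule misses and an account lockout catches.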
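The encryption and signing measures above protect the browser-to-server path, but the merchant also receives signed messages from the payment gateway: a webhook saying an order was paid. The block below is an added example, not code from the original page and not any particular gateway's implementation. The signing scheme (HMAC-SHA256 over `"<timestamp>.<body>"`, carried in a header as `t=<timestamp>,v1=<hex>`) is an assumption modelled on how gateways commonly sign webhooks; the secret and the event body are constructed.

```python
"""Verify a signed payment webhook before marking an order as paid.

Added example (not the original page's code). The header format, secret and
event payload are assumptions constructed for illustration.
"""
import hashlib
import hmac
import json

# Shared secret the gateway would give the merchant out of band (constructed, not real)
WEBHOOK_SECRET = b"whsec_example_not_a_real_secret"


def sign_payload(secret: bytes, timestamp: int, body: bytes) -> str:
    """Produce the signature header the sender side would attach (the gateway's role)."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify_webhook(secret: bytes, header: str, body: bytes, now: int, tolerance: int = 300) -> bool:
    """Return True only if the signature matches and the timestamp is fresh."""
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        ts = int(fields["t"])
        given = fields["v1"]
    except (ValueError, KeyError):
        return False                      # malformed header: never fall back to "trust it"
    if abs(now - ts) > tolerance:
        return False                      # too old or too far ahead: possible replay
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    # Constant-time comparison so an attacker cannot learn the MAC byte by byte from timing
    return hmac.compare_digest(expected, given)


def handle_payment_event(secret: bytes, header: str, body: bytes, now: int):
    """Return the order id to mark as paid, or None if the event must be rejected."""
    if not verify_webhook(secret, header, body, now):
        return None
    event = json.loads(body)
    if event.get("type") != "payment.succeeded":
        return None
    return event.get("order_id")


# Constructed event as the gateway would post it
SAMPLE_EVENT = json.dumps(
    {"type": "payment.succeeded", "order_id": "ord_1001", "amount": 4999, "currency": "USD"}
).encode()
SAMPLE_TIME = 1_700_000_000

if __name__ == "__main__":
    header = sign_payload(WEBHOOK_SECRET, SAMPLE_TIME, SAMPLE_EVENT)
    print("genuine :", handle_payment_event(WEBHOOK_SECRET, header, SAMPLE_EVENT, SAMPLE_TIME + 10))
    tampered = SAMPLE_EVENT.replace(b"4999", b"1")
    print("tampered:", handle_payment_event(WEBHOOK_SECRET, header, tampered, SAMPLE_TIME + 10))
    print("replayed:", handle_payment_event(WEBHOOK_SECRET, header, SAMPLE_EVENT, SAMPLE_TIME + 3600))
```

The important parts are the ones that are easy to skip: the timestamp is inside the signed data (so it cannot be changed to defeat the replay window), and the comparison is constant-time. A handler that only checks `event["type"]` and trusts the JSON would let anyone who finds the webhook URL mark their own order as paid.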
References¶
- Watson, R. T., Berthon, P., Pitt, L. F., & Zinkhan, G. M. (n.d.). Electronic commerce: The strategic perspective. Retrieved from https://opentextbc.ca/electroniccommerce/chapter/electronic-commerce-technology/
- PayPal. (n.d.). One checkout solution. Many ways to pay. Retrieved from https://www.paypal.com/us/business/accept-payments/checkout