- Technologies overview
- How to protect your customer’s data
- Security in Ecwid
When you launch your online store, security becomes a pressing concern. Online stores are a major target of hackers and fraudsters. That is not surprising: e-commerce sites are where people leave their most sensitive information, such as their names, addresses and, of course, credit card details.
That is why you need to be sure that every data transfer in your store is protected and cannot be read or altered by an attacker.
So, what can you do to protect your customers? Let's start with an overview of the data security technologies used on the internet.
HTTPS (Hypertext Transfer Protocol Secure) is HTTP carried over an encrypted TLS (formerly SSL) connection. It is the standard protocol for secure communication over a computer network and is very widely deployed on the Internet.
HTTPS provides authentication of the website and the web server one is communicating with, which protects against man-in-the-middle attacks.
Additionally, it provides bidirectional encryption of communications between a client and server, which protects against eavesdropping and against tampering with or forging the contents of the communication. In practice, this gives a reasonable guarantee that one is communicating with precisely the website one intended to communicate with (as opposed to an impostor), and that the contents of communications between the user and the site cannot be read or forged by a third party. Note that HTTPS protects data only while it is in transit; how a site handles the data after it arrives is a separate question.
Enabling HTTPS for a website requires obtaining a TLS/SSL certificate (from a commercial certificate authority or a free one) and installing it on the web hosting side.
Once this is done, the website can be accessed over an HTTPS connection; visitors see the padlock sign in their browser's address bar and can inspect the certificate information.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards maintained by the PCI Security Standards Council, founded by the Visa, MasterCard, American Express, Discover and JCB card brands. The standards aim to protect all cardholders and apply to every organization, online or offline, that stores, processes or transmits cardholder data. To put it simply, a company that wants to handle credit cards has to have its processes validated against these standards. Usually these are companies such as payment processors (e.g., PayPal, Stripe, Authorize.net), banks and e-commerce solutions that process credit cards.
Now that you have an understanding of the main internet security technologies, here’s how to use these technologies in practice.
First, make sure that the page where your customers enter their card details is served over an HTTPS connection, so that this data is transmitted over the encrypted channel.
Your customers' credit card information should not be stored on your server, neither at the moment of checkout nor afterwards; any server that touches card data falls into PCI DSS scope. To keep your server out of it, card data should be sent directly to the payment gateway over an encrypted connection.
Address verification (AVS) is a standard check for online card payments: the billing address the customer enters is compared with the address the card issuer has on file. Check that your payment processor supports it to reduce fraudulent transactions.
Ecwid is designed to keep your customers' information safe. Here you will find out what we do to protect your customers' data.
Regardless of whether or not you have an SSL certificate for your site, it is important to know that the Ecwid storefront code and its requests to Ecwid servers are loaded over an HTTPS connection. You can always verify this in the Network tab of your browser's developer tools while using your store.
To indicate that the checkout is secure, Ecwid shows a padlock image on its checkout page. This image is part of the page content; the browser's own padlock in the address bar depends on the page that hosts the store being served over HTTPS.
However, if you feel that your customers still have concerns and you would like the browser itself to indicate a secure website, we recommend making your whole website use HTTPS.
In order to do that, you need to perform the following steps:
- Obtain an SSL certificate
- Install it on your website (your web host can do this; historically a dedicated IP address was required, though most hosts now serve HTTPS for several domains on one address via SNI)
- Link to your store page using its https:// address
- Note: if you see this line in your integration code:
it will work correctly on HTTPS.
You can also add some additional seals or notes to your customers to show them that your checkout is secure.
Ecwid itself, and your store in particular, never handles your customers' credit card information. Ecwid does not collect, store or process such data in any way.
Instead, Ecwid supports a number of popular payment gateways. They fall into two main groups based on how they interact with Ecwid.
Payments on the payment processor’s secure page
When a customer goes through checkout, Ecwid sends the order information to the payment processor and then redirects the customer to the payment gateway's own page, where the card details are entered. When the payment is complete, the payment processor sends a callback containing the payment status to Ecwid. The customer's payment information is therefore processed entirely on the payment processor's side over a secure protocol and is never stored or collected by Ecwid. If you set up such a payment method in your Ecwid store, checkout redirects from the store to the processor's payment page (for example PayPal). That page uses HTTPS, so your customers can be confident that their information is protected.
Internal website payments via HTTPS
Some payment processors (e.g. Stripe) are integrated with Ecwid differently.
After adding shipping information to the order, the customer is not redirected to the payment processor's page; instead, the payment form appears right on the store's checkout page.
In this case the payment step runs inside the customer's browser, and payment information is not stored on the server where your site resides. When the customer enters their credit card information, the data is not sent to the server that hosts your website and is not sent to Ecwid's servers either. Ecwid's browser code connects directly to the payment gateway over an encrypted channel and submits the order's payment data there; this information is not stored or collected by us. The payment gateway performs all necessary operations with this data and returns a callback to Ecwid. You can confirm the flow yourself: in the browser's Network tab, the request carrying the card details should go to the gateway's domain, not to your site's.
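With an in-browser form the card number should never appear in anything your own server receives, and "don't store sensitive data on the server" is easiest to enforce when you can detect a violation. The following is an added example, not Ecwid's code, of a scanner a practitioner might run over request bodies or application logs on the merchant side: it looks for digit runs that pass the Luhn check used by card numbers and reports them masked. The two sample request bodies are constructed for illustration.

```javascript
// Added example, not Ecwid's code: a scan for raw card numbers (PANs) in data
// that reaches the merchant's own server, for example request bodies or logs.
// With an in-browser payment form the card number goes straight to the gateway,
// so a hit here means card data entered your server and your PCI DSS scope.
// The sample request bodies used with this scanner are constructed.

// Luhn check: rejects most digit runs (order IDs, timestamps) that are not card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
// and not adjoining other digits (a longer run is not a card number).
const PAN_CANDIDATE = /(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])/g;

// Returns every Luhn-valid candidate, masked so the scanner itself never
// writes a full PAN into its own output.
function findPans(text) {
  const hits = [];
  for (const m of text.matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length < 13 || digits.length > 19 || !luhnValid(digits)) continue;
    hits.push({
      index: m.index,
      masked: digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4),
    });
  }
  return hits;
}

// Decision helper for one request body arriving at the store's server:
// a clean body carries at most a gateway token, never the card number.
function checkRequestBody(rawBody) {
  const hits = findPans(rawBody);
  return { clean: hits.length === 0, hits };
}
```

A tokenized checkout body such as `{"orderId":"order-1001","paymentToken":"tok_constructed_8f3a"}` comes back clean, while a body containing `"cardNumber":"4111 1111 1111 1111"` produces one masked hit; a 16-digit reference that fails the Luhn check is ignored, which keeps the false-positive rate low enough to run the scan on every request.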
This solution was verified and approved by a Qualified Security Assessor (QSA) company.
We care about your security. That is why Ecwid is integrated only with secure and reliable payment gateways, which use AVS checks and other verification technologies to reduce fraudulent payments and protect sensitive information.
Here you can find the full list of online payment options available in Ecwid: https://ecwidhelp.zendesk.com/hc/en-us/articles/207100429-Payment-options#WhatonlinepaymentmethodscanIuseinEcwid
Ecwid is a PCI DSS validated Level 1 Service Provider, the highest compliance level defined for service providers and the standard expected of e-commerce solutions worldwide.
The security of your customers' data is a pressing concern that you should address when you run your online store. To protect your customers' data, your online store should meet these requirements:
- Use HTTPS connection for online checkout
- Don’t store sensitive data on the server
- Use address verification (AVS) to check customers' payment details
Using Ecwid, you can meet these requirements without any additional effort. All sensitive information is always transmitted over a secure HTTPS channel. We don't store sensitive data on our servers. We support only reliable payment gateways that protect the security of transactions.
We take care of your customers’ data security concerns, so that you can focus on your business!