David Baier, Managing Partner of leading digital agency Crimson Agility, recently joined me for a podcast to discuss security at the edge and the technology imperatives of modern commerce applications. You can hear the full session here; otherwise, here’s a quick summary of what transpired. Our interaction was moderated by Nemea Bougan, Sales Executive and Partnerships Manager, Crimson Agility.
What are some of the things a merchant needs to consider to ensure their site is secure?
David: There is a common misperception that security is all about “the software”. In today’s technology stack, there are several layers of security, all of which need to be addressed – hardware, network, operating system, database, applications, processes, and people. This is undoubtedly daunting and complex. That’s why larger companies now employ a Chief Security Officer and a team to help manage their security risk and liabilities. Smaller organizations employ professional partners to help manage their infrastructure and security concerns. Working with professional and capable partners like Webscale and Crimson Agility is important to ensure your site remains secure from present and future threats. We invest in technology to closely monitor threats, as well as constant training, commitment to best practices, and working with great partners.
Adrian: These days, your digital presence has multiple endpoints where users can enter your storefront. This increases the overall attack surface where a vulnerability can be exposed. It’s less about knowing what to consider for security and more about working with experts to proactively manage it for you.
Webscale recently refreshed its website, with a new positioning around “Modern Commerce.” What is Modern Commerce, and how should ecommerce merchants prepare for it?
Adrian: Our place in Modern Commerce is about doubling down with a dedicated focus on user experience. The traditional methods of “hosting” an application are quickly becoming outdated. Nowadays, we have to think about front end management and delivery separately from back end application management. Core Web Vitals, for instance, requires storefronts to deliver on metrics that define a great customer experience. Failing to do so will result in a brand being demoted in their search rankings. Focusing on delivering assets as close to the user as possible, along with other features at the edge, substantially reduces transfer time. Again, the traditional methods of racking a server or basic management of an application on a private cloud environment don’t cut it. Merchants want, and need, more in terms of edge delivery and security.
What are the top security threats in the ecommerce industry today?
Adrian: Credit Card Fraud, DDoS, Malware, Bots…There is plenty of research to show that automated bots represent more than half of all internet traffic. Many of them are disguised as real users and can be difficult to detect, but again, meeting these threats at the edge is crucial to securing your storefront from an intrusion. In ecommerce, any level of exposure can present a PCI-compliance problem which can have an immediate impact on your ability to process credit cards. The check-in and review process must include a security angle to look for malware in your deployment, so that you are not introducing a security threat into production. A close working relationship between the application development team and cloud delivery team is key to building a defense from the edge to the back end.
How does Magento stack up against the requirements of PCI-compliance?
David: To do business online successfully, merchants must prioritize the safety and security of their customers’ sensitive information. PCI compliance is one of the steps to reassure your customers and financial partners. It is important, and required by most financial institutions, but it is not achieved solely by using any one platform. Magento aligns with security best practices and meets the platform requirements for PCI compliance. In addition to the platform, the other elements of PCI compliance include physical security, infrastructure, and good policies.
What risks and liabilities arise if an ecommerce business is not PCI compliant?
David: If you don’t comply with PCI, you may be liable for a significant monetary penalty imposed by your credit card providers. This penalty can be significant, and is an additional monthly expense. While PCI-compliance doesn’t guarantee you’ll never face a data breach, it does reduce the fines you may owe in the event it happens. Damaged reputation and resultant revenue loss are certain to impact your bottom line.
How do we handle critical security emergencies for clients, like data breaches and denial-of-service attacks?
David: Simple, we prevent them. We do this by ensuring our clients are hosted with a trustworthy and capable hosting partner, like Webscale. We provide consulting and guidance to our clients and prospective clients to ensure they know what’s important from a people and processes standpoint. We conduct weekly security scans and quarterly security assessments. Any required remediation is reviewed with our clients and addressed immediately.
We mostly have non-clients seeking help who come to us after a breach. We identify the source of the breach (shutting the site down to avoid further loss if necessary), create backups for forensic purposes, isolate and eliminate the source of the breach or malicious activity, bring the site back online, and research the scope of the loss and advise the client on appropriate next steps – there are obligations to notify customers impacted.
Many of our clients are asked to complete a PCI Audit by their credit card processors or financial partners. This can result in better rates on credit card processing fees. Crimson Agility along with Webscale can provide confidence in addressing many of the requirements and questions from auditors.
For merchants, what are the best ways to make customers feel secure and confident purchasing from their site?
David: In a recent survey, most shoppers indicated that an ecommerce site that appears well-maintained and professional instills confidence and credibility. They are more likely to feel good about using their credit card on that site. Of course you want to ensure your site has all the visual cues of security like the little lock in your browser indicating that SSL is enabled providing encryption of data. There are also third-party services that can insure your customers against fraudulent transactions and these provide badges that provide additional confidence to customers. Make sure you display a phone number and provide online chat services for customers – this is important to a majority of customers and enhances customer confidence before purchasing from your site.
How does the Crimson Agility – Webscale partnership work?
Adrian: We have what we call the Triangle of Support, with Webscale, our digital agency partner and joint customer at each point, working together for a successful go-live event, or ongoing management, or support of an incident. In fact, our teams work closely right from pre-sales to sales, provisioning to code deployment, client acceptance to pre-live, go-live and customer success.
David: We have many joint customers and work closely in real-time. We have processes in place and perfect alignment. To add a note of caution, freelancers may be knowledgeable but security is not a one-off activity. It’s an ongoing priority, requiring technology, expertise and commitment. We can invest in this because we have multiple customers and scale of operations, and hence are best prepared to act fast in the event of an incident.