With the recent announcement regarding the huge Equifax data breach, the world’s attention is focused once again on data security and data protection. The Equifax breach is one of the largest on record, but to be fair, Equifax is not alone. There have been a series of data and security breaches. Most are small, but all are cause for concern. The Identity Theft Resource Center has reported more than one thousand data breaches so far in 2017, with three and half months left to go!
In an age where information is currency, someone is always trying to pick your pocket.
Fighting off the forces of internet evil is a continual struggle. It requires consistent vigilance and a bit of technological savvy. With some eCommerce solutions – especially add-on or open source solutions – maintaining security can be problematic. One of the benefits of using a dedicated, professional eCommerce platform like Shopify is that they have a team of engineers who are responsible for staying on top of security issues online.
That said, it’s worth reviewing some of the security protocols already in place at Shopify and also touching base on some of the things you can do to ensure that your store data and customers stay safe. And some of those things will actual have the side benefit of improving your search rankings because Google is on a big security kick right now.
Let’s get to it.
What Shopify Does to Maintain eCommerce Data Security
The first thing that you learn when you are researching security issues online is that the nitty-gritty details of security – the types of firewalls used, the handshake protocols, etc. – are simply not released. This makes sense, right? The last thing that you want to advertise to a would-be thief is a complete listing of everything your did to stop him from entering your house.
But Shopify has been forthcoming with answers to user questions and basic details of their security setup. The first thing to know is that the Shopify Platform and network are PCI compliant. The Payment Card Industry Data Security Standard (PCI DSS) was founded by all the big credit and payment card companies – American Express, Discover, JBC, MasterCard and Visa – to encourage companies to implement a standardized set of security measures to prevent fraud.
What this means is that – since the credit card companies are often on the hook for credit card fraud – they have a vested interest in helping keep the financial data safe. And they do a pretty good job of it.
What also helps is that Shopify doesn’t retain credit card or personal customer info from your eCommerce transactions. The data needed to authorize a transaction is passed directly through to the banks. So “hacking” in to the Shopify network just won’t pay off because there is nothing in there to get to. The transaction passes right through. Ultimately, your customers' credit card info is as safe as your payment processor’s systems.
In some cases – maybe even most cases – Shopify merchants use Shopify Payments. Since Shopify is not a bank, they are using a professional, third-party processing company to process payments. All this means is that – even if you are using Shopify Payments – credit card data is not being stored on your site or on Shopify’s computers.
What You Can Do
There should be nothing you need to do here at all. Even though no one can guarantee that nothing bad will ever happen, Shopify should have this under control. But if you are using a third-party payment processing company, you should ensure that they have their security house in order. You can read more about Shopify's PCI Compliance here.
The Kinds of Information Kept Inside Shopify
According to Shopify’s online documentation, your Shopify site retains basic order information. This includes their name, address, and email address. It also lists the product(s) purchased. If you have activated and set-up Customer Accounts, then it also retains the password that they use when they register for a customer account on your store.
When implemented, Shopify requires that customer passwords be at least five characters long – which is not too much by today’s standard. It allows the use of special characters, which is great. But since the information stored there is only name, address, and email (no financial info) it is likely secure enough. You can learn all about Shopify Customer Accounts in the online help.
What You Can Do
Even though Shopify requires only five characters for Customer Accounts, we recommend that your customers use eight-character passwords with special characters and numbers included. It’s an extra step, but every little bit helps.
Is Your Shopify eCommerce Store Safe From Other Kinds of Internet Attacks?
Sometimes people on the internet seem to just make trouble because they can. Two of the most common types of attack on all kinds of websites are Brute-force attacks and Distributed Denial of Service (DDoS) attacks. Shopify has protection measures in place for both of these.
Brute-force attacks are when someone writes a program that tries to login or otherwise gain access to a site by literally attempting to login thousands of times in a row. The most common type of Brute-force attack is called a Dictionary attack where the malicious attacker’s systems literally try all of the most common passwords and all of the most common words in the dictionary when trying to login. Fortunately, Shopify’s systems are protected by firewalls and other perimeter security measures that detect multiple login attempts and block them quickly.
In a DDoS attack, the bad guys set up multiple computers or devices all over the world and set them to access a website all at the same time – overloading a site's ability to respond to the data and making it unavailable. The most effective method to combat this kind of attack is by utilizing a Content Delivery Network (CDN) that not only makes your website load more quickly no matter where in the world a visitor is, but it also distributes DDoS attacks over hundreds of points. This means that Shopify stores are protected from all but the largest and most sophisticated kinds of DDoS attacks. You can read more about Shopify’s CDN network on the online help.
What You Need To Do
Again, Shopify seems to have this covered.
What You Can Do to Keep Your Shopify eCommerce Site and Data Safe
Your Shopify Passwords
Even though financial information is not kept (hosted) on your Shopify eCommerce site, malicious people can still make trouble. The most important thing that you can do is make sure that your password is very strong. It might surprise you to learn how easy it is to guess or use "social engineer" methods to guess passwords.
Remembering these stronger passwords can sometimes feel inconvenient. But it is definitely worth it. You can use a password vault service to create and store these more complicated passwords. And you should make certain that each person who has employee or admin access to your Shopify store is also using strong passwords.
In our opinion, at a minimum your admin passwords should be eight characters long and include letters – both upper and lower case – numbers, and special characters (things like !, @, #, $, etc.). An eight character password as I just described means that there are trillions of possible combinations. That's likely enough to convince a hacker to move on to an easier target.
Another important note about passwords is to never use the same password for more than one account. The reason is that the internet bad guys know that people tend to use the same password over and over again. Since we all have accounts all over the place – often pointing to the same email address – if you use the same password on a system that is less secure than Shopify and that system gets hacked, then the hacker might “guess” that you’ve used the same password in other places.
You can read Shopify’s recommendations on passwords and password vaults in the help files.
Enable Two-part Authentication in Shopify
In two-part authentication (sometimes called “two factor” or “two step” authentication), when you go to log in to your Shopify store you enter your email/user name and password just like usual. But then the Shopify security servers send you an SMS text message to your phone or to an app that you install on your computer or mobile device. This SMS message will display an extra code that you enter into the login screen to gain access.
We are big fans of two-part authentication, and Shopify has made it available to all Shopify store merchants. If you configure your Shopify to require two-part authentication, then even if your email address and password are somehow exposed, the bad guys would also have to have physical access to your cell phone or computer to log in. That’s why two-part authentication is very popular with all of the big online merchants and payment gateways right now, including Apple, Amazon, Microsoft, and many more. The combination of strong passwords with two-part authentication simply makes website admin access about as secure as you can get with the current state of internet technology.
You can learn how to set up two-part authentication in these help files. But if you need help, just let us know.
Implement an SSL Certificate for Your Shopify Online Store
SSL stand for “Secure Socket Layer” security. We don’t need to get into the technical weeds here, you just need to know that it is a basic security method that protects you and you site visitors by encrypting the data flow between your Shopify online store and your customer. Website visitors can see green text displayed in the URL so they know that their info is being protected, and that builds confidence. We think this is super important – and not just for security. It’s important for your marketing and search as well.
A few years ago, Google started giving extra search ranking to website that used SSL. Then, late last year, Google announced that they were going to actually penalize websites in search ranking if they didn't implement SSL. And now, Google Chrome actively warns site visitors if they go to a website that is now protected by SSL by telling them that the site is “Not Secure.” You don’t want that kind of messaging, especially with all the news about data security right now.
These days, getting an SSL certificate is easier than ever before. Everyone can even get a real, professional SSL certificate for no cost. Shopify has joined with other tech industry companies to sponsor the free LetsEncrypt service. Shopify is tied into this service and will acquire a free SSL certificate for your site if you implement it.
There are some things to consider, such as if your Shopify store is calling images or media from external sources. But we believe that it is super-important for security and marketing, so it's worth the effort. You can read about SSL certificates in the Shopify help files. But if you need help, just let us know.
Keep Your Shopify Store Data Safe and Secure
Shopify takes care of all the heavy-lifting to keep your eCommerce store data safe and secure. But there are some things that you can do to make sure that you don’t have a problem. If you have any questions about your Shopify store security or need help implementing the recommendations, just start a task and let us know.
If you have read this article and it convinced you that Shopify is the right solution for your online business, use this link to sign up for Shopify now and get started. And if you know a Shopify store owner, share thise post with them so that they can keep their data safe too.Thanks for reading!