Perform regular PCI scans. PCI compliance is not a one-time thing. Staying compliant means performing regular checks to ensure your site is not vulnerable to hacking attempts. Check that your hosting partner or service provider is PCI compliant as well.
Make sure you have a DDoS protection and mitigation service. DDoS attacks are increasing in frequency and sophistication. Ecommerce sites should turn to DDoS protection and managed DNS services that have the capacity to handle proactive mitigation. Doing so can eliminate the need for significant investments in equipment, infrastructure and expertise.
Make sure you or whoever is hosting your site is backing it up - and has a disaster recovery plan. The good news is the cost of data storage has decreased dramatically. Data from multiple servers can be combined on a single storage device and you could benefit from backup/recovery solutions that are bundled into storage appliances. Backup data needs to be secured with the same vigilance as your primary storage devices. Finally, ensure you or your hosting provider has a disaster recovery plan. A fully redundant, highly available architecture is more expensive, but it will ensure that your site remains online even in the event of an emergency.
Educate and train employees. With education on laws and policies related to customer security, you can prevent a possible cyber attack. Employees need to know they should never distribute sensitive data or reveal private customer information in chats or other insecure communication methods. Employees should be educated on phishing attempts or other means of fraudulently collecting data that would allow cyber criminals to access data.
Regularly test your e-commerce site for vulnerabilities. Consider hiring cybersecurity consultants or ethical hackers to identify any weaknesses. Penetration testing can reveal issues in your application, code or architecture and allow you to address them before they are exploited.
Mapping out a security plan on paper is a good start, but unless you test it periodically and ensure that it can be executed on demand, it is purely theoretical. Be sure to look for a trusted managed service provider that can offer you security-as-a-service, so that your team can stay focused on the core business, knowing that someone is proactively ruling out threats to your IT environment and keeping your company ahead of the pack.