Beyond the Trustmark: Why Network Perimeter Scanning is a Must for Ecommerce Businesses
By Nigel Ravenhill, Program Manager, Web Security Group
Consumers and emerchants alike enjoy the many advantages of buying and selling online, but with hackers getting smarter and more industrious by the day, security is something that’s on everyone’s mind. Recent statistics reveal that consumers are becoming increasingly hesitant to buy from Internet shopping sites. According to the 2008 Pew Internet and American Life Project, 75 percent of survey participants said that they don't like giving out personal information, like a credit card number, over the Internet. The 2008 Digital Future Project conducted by the Annenberg School of Communication at the University of Southern California revealed that all respondents reported concerns about the privacy of their personal information when or if they buy on the Internet.
While ecommerce businesses are experts at marketing and promoting the goods they specialize in, they’re not necessarily security experts. What is the track record of most ecommerce businesses? Are they doing enough, or are they falling short?
That depends on who you ask. The security researchers say “no, they’re still falling short.” The Payment Card Industry (PCI) Standards Council says that larger merchants are making an effort, but smaller merchants are missing the mark. And from the merchants, you might get anything from a quizzical “Huh?” to a resounding “Yes!”
No doubt a majority of ebusinesses want to be secure, but not all of them know how, nor do they have time to handle security issues. They’re in the business of selling products, not security. A major issue is lack of security-focused skills and resources. And, of course, IT professionals who work for retailers never seem to have enough time to dedicate to security. A third reason is that some online retailers frequently (and incorrectly) assume that their web hosts are responsible for security.
Not all trustmarks are created equal
One way ecommerce businesses can show shoppers that they are serious about security is to display a trustmark or certification. It’s really the easiest way anyone can know whether a shopping site is truly concerned about security. Let’s take a look at some of the certifications you commonly see on popular online commerce venues:
- Verisign certificate—When you see this certification logo on an ecommerce site, it means that the business paid a fee for a digital certificate, which guarantees that personal information, such as credit card numbers, is encrypted when it travels from your computer to the server. But encryption doesn’t stop Internet fraudsters, who can still hack into the public ecommerce site and steal not just one credit card number along the way, but an entire database of credit card numbers. So while data encryption is a necessary and worthy bit of ecommerce security, it’s not an all-inclusive solution by any stretch.
- Better Business Bureau (BBB)—This respected consumer advocacy group, known for protecting people against unscrupulous business practices, has moved into the online world. The BBB seal means that the ecommerce business has met certain standards and pledges to respond to complaints and make a good faith effort to resolve these in accordance with accepted good business practices. The seal assures consumers that they have an advocate if there’s a problem with the online transaction. While this gives consumers recourse if they feel they have been treated unfairly, it in no way guarantees a safe shopping experience.
- TRUSTe—This nonprofit organization helps consumers and businesses identify trustworthy online organizations through its Web Privacy Seal, Email Privacy Seal, and Trusted Download Programs. Companies that display these seals adhere to TRUSTe's strict privacy principles and comply with the TRUSTe dispute resolution process. The basic requirements include creating a privacy policy that is reviewed by TRUSTe, posting notice and disclosure of collection and use practices with respect to personally identifiable information, and giving users choice and consent over how their information is used and shared.
- McAfee Secure—McAfee Secure for Web Sites service provides daily network perimeter and web application scanning and ensures that web sites have the latest information on their vulnerability risk profile. It scans all Internet services, shopping carts, ports, operating systems, servers, key applications, firewalls, switches, load balancers, and routers for all known vulnerabilities—every single day, so that ecommerce businesses can gain insight into their security status. Ebusinesses that use this service can display the branded McAfee Secure certification trustmark, offering consumers a substantial measure of confidence about shopping with them.
The importance of network perimeter scanning
Network perimeter scanning is a critical piece of the security equation for ecommerce sites. Basically, it’s a small piece of vulnerability assessment. The McAfee Secure scan identifies and tests every device that has a public footprint on the network: the domain name server (DNS), the web server, and the mail server. All of these services sit at the edge of the network rather than inside it.
Ideally, network perimeter scanning should follow a process similar to the McAfee Secure service: (1) it starts by determining whether the device offers public services and then interrogates relevant services about patch levels, (2) it detects known vulnerabilities (as reported by Microsoft and research groups like McAfee® Avert® Labs), and (3) it checks for weak spots in web applications that are running on the web server.
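Step (1) above, determining which devices actually offer public services, is easy to illustrate. The following Python script is an added example, not McAfee's scanner or any code from the original article: it probes a list of TCP ports on a host and compares what answers against an assumed baseline of services the perimeter is supposed to expose (web, mail, DNS), flagging anything else as an unexpected exposure. The baseline ports, the host name and the throwaway `start_listener` helper (which stands in for a real service so the script can be exercised entirely on localhost) are all assumptions constructed for the example.

```python
"""Compare a host's public TCP footprint against an expected baseline (added example)."""
import socket

# Assumed baseline for a small ecommerce perimeter: only these TCP ports should answer.
EXPECTED_PORTS = {80: "http", 443: "https", 25: "smtp", 53: "dns"}


def probe_port(host, port, timeout=0.5):
    """Return True if a TCP connection to host:port is accepted, i.e. a service is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def assess_footprint(host, ports, expected=EXPECTED_PORTS):
    """Probe each port and classify it as expected-open, unexpected-open or closed.

    Anything in 'unexpected_open' is a service the baseline does not account for and
    should be either removed from the perimeter or added to the inventory and patched.
    """
    report = {"expected_open": [], "unexpected_open": [], "closed": []}
    for port in sorted(ports):
        if not probe_port(host, port):
            report["closed"].append(port)
        elif port in expected:
            report["expected_open"].append(port)
        else:
            report["unexpected_open"].append(port)
    return report


def start_listener(host="127.0.0.1", port=0):
    """Start a throwaway TCP listener standing in for a real service (constructed for the demo).

    Port 0 asks the OS for a free port; the chosen port is returned alongside the socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Simulated perimeter on localhost: one sanctioned web service, one forgotten admin service.
    web_srv, web_port = start_listener()
    stray_srv, stray_port = start_listener()
    gone_srv, gone_port = start_listener()
    gone_srv.close()  # a port that used to listen but is now closed
    baseline = {web_port: "http"}  # assumed inventory for this demo host
    print(assess_footprint("127.0.0.1", [web_port, stray_port, gone_port], expected=baseline))
    web_srv.close()
    stray_srv.close()
```

In practice the port list would come from the asset inventory and the scan would be scheduled daily, as the article describes; the point of the baseline comparison is that a scan is only useful if someone has defined what "expected" looks like, so that a new or forgotten listener shows up as a finding rather than noise.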
The last step—the web application crawl—which searches for holes in the actual web ecommerce applications, is probably the single most important aspect of the scan. Vendor patches exist for known (signature-based) vulnerabilities in off-the-shelf software, but no ready-made patches exist for web applications because they are generally built from the ground up by a team of programmers. Exploits that take advantage of weaknesses in the ecommerce application include SQL injection (the ability to hijack the web application query and access the database that may store confidential customer data, including credit card numbers), server-side include injection (a form of code injection that is used to control the server), and cross-site scripting (another form of code injection, which enables attackers to appropriate confidential information, create requests that can be mistaken for requests made by a real user, or execute malicious code on end-user systems).
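Two of the application flaws named above, SQL injection and cross-site scripting, come down to the same mistake: user input is pasted into a query or a page instead of being bound or encoded. The Python below is an added example, not code from the article or from McAfee, showing each vulnerable form next to its hardened form against a constructed in-memory SQLite table. The customer rows, the `lookup_*` and `render_greeting_*` function names, and the classic `' OR '1'='1` test string (the kind of probe an application scanner sends to detect the flaw) are all assumptions for the example.

```python
"""SQL injection and XSS: vulnerable form beside hardened form (added example)."""
import html
import sqlite3


def make_db():
    """Constructed in-memory customer table standing in for an ecommerce database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Query built by string concatenation: the caller's text becomes part of the SQL."""
    query = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, email):
    """Parameterised query: the value is bound by the driver and never parsed as SQL."""
    return conn.execute(
        "SELECT email, card_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


def render_greeting_vulnerable(name):
    """Reflects user input straight into HTML, so markup in 'name' is interpreted by the browser."""
    return "<p>Welcome, " + name + "</p>"


def render_greeting_hardened(name):
    """Encodes the input for an HTML text context, so it is displayed rather than executed."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"  # canonical scanner test string; not a real email address
    print("vulnerable:", lookup_vulnerable(conn, probe))   # every customer row leaks
    print("hardened:  ", lookup_hardened(conn, probe))     # no such email, nothing returned
    print(render_greeting_vulnerable("<b>hi</b>"))
    print(render_greeting_hardened("<b>hi</b>"))
```

The scanner's crawl described in the article is essentially automating this comparison from the outside: it submits inputs like the probe string and watches whether the response changes in a way that only the concatenated form would produce. The fix is the same in every language and database: bind values with placeholders and encode output for the context it lands in.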
A network perimeter scanning software-as-a-service, like McAfee Secure for Web Sites, brings ebusinesses a level of expertise they don’t have in-house, without having to hire and pay a security expert. Because the service offers fully automated network perimeter scanning, someone is always keeping vigil over the website 365 days per year. And a key advantage is that the cost of this ongoing security can be relatively low. The average small online retailer pays between $1,400 USD and $2,400 USD per year.
McAfee pioneered dynamic real-time security certification, which means we’re scanning every single day, and we have the ability to remove the McAfee certification if there is a vulnerability on the network or a hole in the web application. When a consumer sees the McAfee Secure certification, they can be assured the site was tested and passed the assessment the very day they decide to make their purchases.
Conclusion
Ultimately, the only way to ensure the security of an ecommerce web site is to scan the network perimeter and web applications using the same technologies a hacker would. While manual scans can certainly be done and may have a higher degree of accuracy, the costs of doing this can be considerable if you bring in outside consultants—and most businesses certainly can’t afford to do this. Small and medium ecommerce businesses, which generally don’t have a dedicated security team, can reach a happy compromise with an automated scanning service like McAfee Secure. McAfee Secure is an affordable option that provides daily coverage, minimizes risk, and boosts consumer confidence. We’re able to leverage our security expertise because we have so many customers. Everyone benefits from the knowledge we gain helping to protect more than 80,000 web sites. And, most important of all, customers will feel comfortable about shopping at a McAfee Secure certified site—again and again.