NIST Privacy Framework : Our Essential Data Protection Guide


9 data security best practices for online retailers

You put valuable time, energy, and resources into making your eCommerce business a success. Don’t let a data security violation jeopardize that; use these best practices to protect your company’s sensitive data and preserve your reputation.

The importance of eCommerce data security

The highly valuable personal and financial information collected by eCommerce websites makes them prime targets for cyberattacks. Unfortunately, these cyberattacks often come with a hefty price tag.

In the event of a data breach, online retailers face losing vital customer data and potentially, the customers themselves. People tend to lose trust in businesses when their highly sensitive information falls into the wrong party’s hands. Breaches also mean violating a data protection regulation or a few (think: CCPA, GDPR, and PCI-DSS), resulting in steep fines. IT teams and their companies don’t want to deal with a data breach.

So how, with cyberattackers constantly upping their game to bypass protection measures, can online retailers prevent a data breach? It’s important to understand the types of potential data security threats that exist and then implement measures that will safeguard your website from those threats.

Types of data security threats for online retailers

There is a long list of data security precautions for online retailers. You may think, “Do I really need this? Why?” The answer is almost always yes, but as for why, understanding the ways hackers can jeopardize an eCommerce site’s data security can convincingly answer that.

DDoS attack

A distributed denial of service attack occurs when a hacker disrupts a server’s function by inundating a specific website with fake traffic, usually bots. The server malfunctions and renders the targeted website unavailable to actual customers. While this type of cyberattack doesn’t necessarily compromise data, it can significantly impact an online retailer’s business. A DDoS attack can be prevented with the proper security measures.


A phishing attack occurs when a fraudulent communication is sent to recipients under the guise of a trusted source, such as an online retailer. The message, often an email or text, mimics those from the legitimate source to lure recipients into giving away sensitive data, usually by clicking a link or downloading an attachment. While a phishing scam can be executed as a standalone attack, it can also be part of a larger data breach strategy, such as e-skimming or installing malware.


E-skimming occurs when a skimmer code gets added to an eCommerce site’s payment page and steals credit card and other personal information in real-time as it’s entered by customers. That data is then sent to the hacker’s domain to be used for fraudulent activity. The skimmer code can be added to a website in a number of ways, including phishing attacks and cross-site scripting.

Cross-site scripting (XSS)

In a cross-site scripting (XSS) attack, malicious JavaScript code is added to an online retailer’s webpage with the goal of infiltrating the browsers of that webpage’s visitors. So, the webpage is simply a vessel for the malicious code to get to unsuspecting end users. Once it reaches its intended destination, the code has access to all sorts of sensitive personal data stored by the browser and used by the eCommerce site, putting visitors at risk of phishing scams and malware.

While the eCommerce site itself isn’t directly impacted by this kind of cyberattack, the fact that a malicious script could be added to a webpage in the first place suggests a security vulnerability that could lead to worse attacks if not addressed.


A cyberattack involving malware—a portmanteau of malicious software—is just as bad as it sounds. This tactic comes in several varieties, but the objectives are usually the same: infect a target (i.e., a device, system, or eCommerce website), steal all the sensitive data from that target, and cause a disruption by rendering the target unusable for a period of time. Malware can be delivered in numerous ways, including through phishing scams or Trojan horse-style via a seemingly harmless game or application download.

SQL injection

SQL injections impact eCommerce sites using SQL databases to store information collected through submission forms. Hackers will inject SQL codes for requests and queries into the form fields to ultimately gain access to a site’s backend where they can steal or manipulate sensitive data.

Best practices for eCommerce data security

Many eCommerce platforms already come with certain data security measures, but it’s important to keep up with the latest data breach trends and tools to ensure your site and your customers’ data is protected.

Consider data security software

One of the most impactful precautions you can take to protect your customer and business data is implementing data security software for your eCommerce site. The right platform will have indispensable features like data discovery, classification, and monitoring, as well as integration capabilities with other premier security tools. Ultimately, data security software helps you comply with data protection regulations and handles the more difficult parts of data security upkeep, making it a worthwhile investment.

Obtain a TLS certificate

Hypertext Transfer Protocol (HTTP) is the practice used to send data between web browsers and websites. When you see an “S” following the “HTTP” in a URL, it means data is being sent securely, thanks to Transport Layer Security (TLS)—formerly Secure Sockets Layer (SSL)—encryption.

Install anti-malware software

An anti-malware software will regularly check your eCommerce site’s code for abnormalities and notify you if it detects any. In the case of an infection detection, anti-malware software can help remove it and prevent it from doing any serious damage to your data.

Comply with regulations

Complying with federal regulations is a proactive way to ensure your eCommerce site is keeping data secure. Here are the regulations online retailers must comply with.


The PCI-DSS is a data security standard mandated by payment card brands for use by any entity that processes payment cards. Failure to protect payment card data can result in fines as high as $500,000 per incident in addition to losing the ability to continue processing payments.

To comply with the PCI-DSS, online retailers must implement and maintain these 12 requirements.


Online retailers selling products internationally must comply with the GDPR, which regulates the collection and processing of personal data in the European Union, or face steep fines. The GDPR requires eCommerce sites to accurately identify all personal data under their control, give individuals access to their personal data, maintain data security, notify authorities of data breaches, police third-party processing of personal information, and keep timely and accurate records of data protection activities.


CCPA compliance is mandatory for online retailers meeting specific criteria that engage in business with California residents. For those not meeting the criteria, CCPA compliance is still recommended. The first of its kind, this law allows all California consumers to request full visibility on how their personal data is used and shared. Other states are already following suit. Compliance violations are punishable by fines of up to $7,500 per record plus the potential for class-action litigation.

Install firewalls

Firewalls monitor a network’s incoming and outgoing traffic to ensure only trusted traffic visits your online store. They also effectively prevent cyberattacks, blocking bad actors from infiltrating devices and putting sensitive data at risk. In addition, firewalls are required for PCI compliance. By installing one (or a few), you’re killing two birds with one traffic-monitoring, network-protecting stone.

Conduct regular backups
Regularly backing up your website means you’ll always have the most recent version of your data on hand in the event of a breach. Whether the attack alters or completely deletes your data, a backup allows you to pick up where you were, rather than having to rebuild from scratch.

Use strong passwords

A strong password is one of the simplest protective measures you can implement to keep data safe. It must contain eight or more characters (12 or more is recommended) consisting of upper- and lower-case letters, numbers, and symbols. While convenient for memorization purposes, avoid incorporating obvious names, like a family members or pets, and number sequences, like a birthday. Hackers have stepped up their password-guessing game, so you need to up the ante too.

If your eCommerce site allows customers to create accounts, require them to have strong passwords as well. Nowadays, a password won’t be accepted if it doesn’t meet the minimum criteria to be considered strong.

Set up two-factor authentication

In the case that your strong password is correctly guessed by a hacker (known as a brute force attack), having two-factor authentication set up for your account can stop the hacker from going any further.

With two-factor authentication in place, the hacker would be prompted to enter a one-time password—often a PIN or unique alpha-numeric code—sent to the account owner’s phone or email. As the hacker wouldn’t have access to your phone or email, the attack would be successfully prevented.


CAPTCHAs can help quash any cyberattacks with bots involved. CAPTCHAs are specifically made to tell computers and humans apart by providing a challenge only humans can solve. Your website’s account sign-up and log-in pages, as well as any others where sensitive data can be submitted, should feature CAPTCHAs.

Secure your data with Spirion

Your company’s reputation is highly dependent on how well you’re able to protect your customers’ data from cyberattacks. A single data security infraction can result in legal fines and loss of customers, ultimately putting a huge financial burden on your business.

Spirion’s comprehensive data security software alleviates concerns about ever-changing data privacy regulations, costly fees, and data breaches while preserving your eCommerce company’s reputation by automatically discovering sensitive data, classifying it based on its sensitivity level, and remediating it to best serve its intended purpose.