30 Days of E-Commerce Testing - Day Twenty-Two!

Day 22:
What are methods of securing ecommerce data? Discuss and share!

The number one security challenge I can think of with E-Commerce is credit card numbers.

Here are some things.
Never, not ever, not ever ever, store credit card numbers.
Bad things will happen.

If your site takes credit card payments (it probably does), there are a couple of things you can do.
Use a third party payment processor, like Stripe or DPS. That way they take care of all the hard stuff about securing credit cards for you.

If you must process the payment yourselves, then it pays to use a payment gateway like Spreedly.
This way you don’t have to store credit card details, you simply store a token that is then passed on to Spreedly, or whatever gateway service you’re using.

One important thing to think about, though, is how you might inadvertently store a credit card number.
For example, you might have credit card input fields that store a token in a really safe manner. Cool!
But what about the situation where a user enters an invalid credit card number and we log an error containing all the invalid field entries, including the credit card number!
This is one gotcha to be aware of. Make sure credit card details don't even end up in your log files, or anywhere else.
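Here is an added example (not code from the original post) of what the logging gotcha looks like in practice and one way to guard against it. It shows a hypothetical checkout validator that echoes every submitted field into its error message, a `logging.Filter` that masks any card-shaped number before a handler writes it, and a small audit helper (Luhn-checked, to cut false positives) for scanning existing logs or database exports. The validator, the logger name and the sample log lines are all constructed for the demo.

```python
import io
import logging
import re

# Anything that looks like a card number: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check used by card networks; separates real PANs from most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(candidate: str) -> str:
    """Keep only the last four digits, the usual masked display form."""
    digits = re.sub(r"[ -]", "", candidate)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(text: str) -> str:
    """Mask every card-shaped number, Luhn-valid or not: a mistyped card number is still
    one digit away from the real one, so in logs a false positive beats a leak."""
    return PAN_CANDIDATE.sub(lambda m: mask_pan(m.group(0)), text)


def find_pans(text: str) -> list:
    """Audit helper: masked forms of Luhn-valid PANs found in text (log dumps, DB exports)."""
    return [mask_pan(m.group(0)) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(re.sub(r"[ -]", "", m.group(0)))]


class PanRedactingFilter(logging.Filter):
    """Scrubs the fully formatted message before the handler writes it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_pans(record.getMessage())
        record.args = ()
        return True


def build_logger(name: str = "checkout-demo"):
    """Logger writing to an in-memory buffer so the demo can inspect what would hit disk."""
    buf = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PanRedactingFilter())  # every record through this handler is scrubbed
    logger.addHandler(handler)
    return logger, buf


def validate_card_fields(fields: dict) -> None:
    """Hypothetical validator showing the gotcha: the error echoes every field, PAN included."""
    number = fields.get("card_number", "").replace(" ", "")
    if not (13 <= len(number) <= 19 and number.isdigit() and luhn_valid(number)):
        raise ValueError(f"invalid checkout fields: {fields}")


def simulate_failed_checkout(fields: dict) -> str:
    """Run the careless validator behind the redacting logger; return what reached the log."""
    logger, buf = build_logger()
    try:
        validate_card_fields(fields)
    except ValueError as exc:
        logger.error("checkout failed: %s", exc)
    return buf.getvalue()


# Constructed sample log lines (not real data) for the audit helper.
SAMPLE_LOG_LINES = [
    "2024-01-05 12:00:01 INFO order 9000012345678 created for customer 42",
    "2024-01-05 12:00:02 ERROR invalid checkout fields: {'card_number': '4111 1111 1111 1111', 'cvv': '123'}",
    "2024-01-05 12:00:03 INFO payment token tok_constructed_abc123 stored",
]


if __name__ == "__main__":
    print(simulate_failed_checkout({"card_number": "4111 1111 1111 1112", "cvv": "123"}), end="")
    for line in SAMPLE_LOG_LINES:
        print(find_pans(line))
```

The filter sits on the handler rather than on the logger so that nothing reaching that destination escapes it, including records from third-party libraries. Note the trade-off in `redact_pans`: it masks any 13 to 19 digit run, so a long order number in the first sample line also gets masked; for an audit pass over existing data, `find_pans` applies the Luhn check to keep the hit list meaningful.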

To accept credit card payments, your site needs to be PCI compliant. Which is a whole ’nother thing. You can read all about it at your leisure! :)

- JE