How to protect bank cards in e-commerce apps
As e-commerce is gaining its popularity, natural concerns about security arise. The breach of payment details can lead to major losses for any service provider, irrespective of their reputation. To avoid this worst-case scenario, proper security mechanisms should be implemented by the application developers to protect users’ finances and confidential information from being stolen. Alexey Abramovich, security testing manager at a1qa, specifies the most important of them.
A strong and robust application storing users’ payment details is the responsibility of the whole team. Product owner, product manager, developers, testers and designers must be aware of the mechanisms and best practices aimed at making a more robust and safe e-commerce app and stipulate their incorporation.
Implementing e-commerce security mechanisms
First, to make any application storing users’ payment details safer, e-commerce being no exception, there should be proper mechanisms for authentication and authorization. They will make it possible to distinguish between the website visitors’ rights and personal data. The mechanisms are the main attacking vectors and should be as safe as possible because if breached, they will provide access to users’ sessions.
Development teams should apply proper security measures to build a secure e-commerce product that will employ customers’ debit/credit cards.
One measure is to validate all data input by users. This will help avoid all kinds of injections to the application code. It’s also important to implement control over the application and web server configuration to avoid frequent mistakes related to misuse of SSL/TLS protocols. Attackers may benefit from the protocol mistakes and pick up payment data the user inputs to the application.
The second largest vulnerabilities are located on different levels of system composition of the web applications, such as web server, third-party libraries and database servers.
The article was prepared for eSecurity Planet. Read the full version here.