Tips for Keeping ShopSite Safe and Secure

In our previous blog post on Keeping Your Ecommerce Store Secure, we looked at a number of things you should do with any online store to minimize the chances of the store being compromised by hackers. In this post, we’ll look at some specific actions you can take if you are running a ShopSite ecommerce store…

Use the “new” login system in ShopSite

The legacy login method in ShopSite, the pop-up basic authentication login where everyone uses the same login, is not the most secure method for logging into ShopSite. The newer method that is built into the software is an improvement and offers a number of advantages.

*** NOTE: Do NOT enable this new login system if you are using a third-party program that downloads order data or page/product data directly from ShopSite unless that program is compatible with ShopSite’s new login system (called OAuth authentication). If you’re not sure, drop us a note, and we’ll double check.

The new login system has advantages such as:

  • Per-user tracking of major actions in the back office
  • Control over when passwords expire, and enforcement of more complex passwords
  • An encrypted database for managing passwords, making them harder to compromise directly

If you are using the old login method, it is still a secure way to log into ShopSite. But we do recommend the new system if you do not have any requirements that tie you to the old login method.

Create a separate login for each employee

If you are using the new login system in ShopSite, make sure you create a login for each employee, developer, etc. You do not want them sharing logins. If a user is no longer supposed to have access, make sure you remove the user in ShopSite.

With each person having a separate login, it is easier to track down major issues and isolate them to one login.

You should regularly review the list of users to make sure it is up to date and that no user has been created that you would not expect.

Do not store credit cards in ShopSite

If you are using a payment gateway, and you do not allow customers who register to store card info, then you should disable the ability for ShopSite to store credit cards. This is done under:

Orders -> Security -> Credit Card Storage -> “Do not store Credit Cards”

This will ensure that ShopSite does not have any card data stored in the database, such that if a hacker were to gain access, they could not download any credit card data.

If you do allow customers to store card info, and/or you need access to the card data in ShopSite by downloading it, then we *highly recommend* enabling the Merchant Key feature (known as Asymmetric encryption / Two-factor authentication). This is enabled under:

Orders -> Security -> Credit Card Storage -> “Asymmetric encryption (Merchant Key)”

Once enabled, you must upload your merchant key to ShopSite in order for card data to be available via download. The key is stored securely on your computer, and if it is lost, you cannot decrypt card data for any past orders.

Having Asymmetric protection means that if a hacker were to get your login info to ShopSite, they would not be able to download any card data without your merchant key as well.
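The sketch below illustrates the general asymmetric model behind a merchant key. It is an added example, not ShopSite's own code, and it assumes RSA-OAEP via Node's built-in crypto module (the page does not say which algorithm ShopSite uses). The function names and sample card record are hypothetical.

```javascript
// Added illustration of the asymmetric (merchant key) model; not ShopSite code.
const crypto = require("node:crypto");

// Assumed padding choice for this sketch: RSA-OAEP with SHA-256.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Merchant side, done once: generate a key pair. The store only ever needs
// the public half; the private half stays on the merchant's computer.
function generateMerchantKey() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Store side: encrypt the card record at order time using the public key only.
function storeCard(publicKey, cardRecord) {
  const plain = Buffer.from(JSON.stringify(cardRecord), "utf8");
  return crypto.publicEncrypt({ key: publicKey, ...OAEP }, plain).toString("base64");
}

// Merchant side: decrypt a downloaded record. Returns null when the key does
// not match, which is also the situation after the merchant key is lost.
function readCard(privateKey, storedValue) {
  try {
    const cipher = Buffer.from(storedValue, "base64");
    const plain = crypto.privateDecrypt({ key: privateKey, ...OAEP }, cipher);
    return JSON.parse(plain.toString("utf8"));
  } catch (err) {
    return null;
  }
}

// Constructed sample data (a standard test card number, not a real card).
const sampleCard = { number: "4111111111111111", expiry: "12/30" };

function demo() {
  const merchant = generateMerchantKey();
  const stored = storeCard(merchant.publicKey, sampleCard);
  const otherKey = generateMerchantKey(); // any key that is not the merchant's
  return {
    storedContainsPan: stored.includes(sampleCard.number),
    withMerchantKey: readCard(merchant.privateKey, stored),
    withOtherKey: readCard(otherKey.privateKey, stored),
  };
}

console.log(demo());
```

Someone holding only the stored value and the store's public key gets ciphertext; the record is readable only with the matching private key.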

Use a different password for ShopSite

Make sure that your password for accessing ShopSite is *NOT* the same as any other password you use on other websites / services. This is very important because:

If another website gets compromised, and hackers get the password used on that other site, and it matches your ShopSite password, they now have a direct login to your store.

This is a common way hackers gain entry to other logins, as many people use the same password on multiple websites. One website gets hacked, and now the hackers can log in to everything you have where the password matches.

If you take to heart the above tips in conjunction with our previous blog post, you will be taking all the precautions you can in order to keep your ShopSite ecommerce store safe and sound.

