
[Shopify] E-commerce site security: What you need to protect

Recently, there has been a lot of talk about personal information leaks from e-commerce sites, and I think this is an area of ​​great interest to not only those who are currently running e-commerce sites, but also those who are thinking of running one in the future.

The issue of "personal information protection" is always present when creating an e-commerce site, not just Shopify.

In this article, we will focus on where the "places that need to be protected" are and give you a rough idea of ​​the places that need to be protected!

This is a series, so if you read it together with the other articles you will get a full understanding of the topic of "security"!

What do we need to protect?

Before we figure out where to protect, let's first briefly touch on what to protect as a prerequisite!

Customer information

The information that is overwhelmingly most problematic to leak from an e-commerce site is "customer information."

This is the customer's personal information, and includes basic information such as "name," "address," and "contact details," but in some cases may also include "gender," "birthday," and "hobbies."

This is the most private information, and there is a Personal Information Protection Act to protect it.

Payment Information

Payment information can mainly be thought of as "credit card" information.

In addition, ApplePay, Paypay, and deferred payment services may also be misused, so you need to be careful.

Product data

Although it is not personal information, there is of course information that you do not want your "rivals" to know, such as inventory and price information. This is also something that you should protect.

After all, a competitor who knows your inventory levels can use them to undercut your prices and time their promotions.

Site Data and Content

For example, the "blog" you are reading right now cannot be hidden from the outside (because we want others to read it), but it is still information. The code of an original and creative feature may also be something you want to protect! There may even be a feature that is a trade secret, your "secret sauce".


Although I have written four points, the two most important pieces of information that must be protected are "customer information" and "payment information," so when talking about security, please think of these two points as the main focus!

Where is the place that needs to be protected?

So where is the information that needs to be protected?

It falls into two broad categories.

  • Online Data
  • Local Data

These are the two points that you need to protect.

Online Data

If you operate an EC site, your store will naturally be online and various information will be collected there. In most cases, the management of that information is also done online, right?

This means that there will be a lot of "information that needs to be protected" online.


A successful store will have a lot of personal information, such as lists of customer information, which could easily exceed 10,000 people, and this information must be protected!

The security of your online data depends a lot on how you store it!

That is because EC sites are built on some kind of platform or program, and for that underlying program

・Where is it hosted?

・How is it accessed?

varies from store to store.

It is necessary to implement the most appropriate security measures for the stores that we operate!

You can find more details in two other articles, but for now let's briefly cover two key points.


Three types of consoles and third parties

First of all, an EC site has a program that can be called the "main body" of the EC site itself. The other common structure is that it involves third-party apps.

First, let’s focus on the main body.

There are three main types of main body.

  • In-house server type
  • ASP type
  • Mall type

The in-house server type is where you rent a server and install the program yourself. The ASP type is a system that uses the online systems of e-commerce sites such as Shopify, BASE, STORES, and Makeshop, and does not require you to prepare your own server.

Then there are the mall-type sites (Rakuten, Amazon, etc.).

Of these, the most troublesome in terms of security is the "in-house server type."

With this method it is extremely easy to end up with weak protection, because you are responsible for the server yourself, so if you want to protect it you need to take strong security measures.

In recent years, it seems that most of the leaks of personal information have occurred from this "in-house server" type.

On the other hand, with the "ASP type" and "mall type" models, you can generally assume that information is unlikely to leak from the parent company.

More details in another article


Then there are third-party apps, the most common of which are CRM tools.

In short, these are customer management tools. A typical example would be an email newsletter service.


For example, an email newsletter feature may be part of the core functions of an e-commerce site, but it is usually limited in functionality, so in many cases an external tool is used instead.

In that case, you will have to upload customer information to the email newsletter service as well, so you might be wondering about the security of that side, but this depends a lot on the trustworthiness of the company you use!


We will explain the detailed mechanisms of this in a separate article, but you will need to use third-party apps in almost all cases!

Some people (especially large companies) sometimes question the reliability of third-party apps, but if we worry about that, the discussion will never progress.

Of course, it is important to take proper security measures, but always weigh them against the question, "So, should I build that CRM tool from scratch, at a huge cost?" With third-party apps this is a genuinely difficult trade-off.

Local Data

By local data, we mean data that was available online but has been downloaded and is now stored on an in-house server or on someone's personal computer.

Since data can also be carried around on things like USB memory sticks, which were popular a while back, local storage is something that requires surprisingly careful thought.


Especially in small companies, it may be easier in terms of IT literacy to share data via USB memory stick or the in-house LAN rather than online, but I think it is necessary to at least limit the number of people who can view the information, for example by restricting it to those with administrator privileges.


Even if it's a small e-commerce site, you should be aware that the information it handles is still quite significant!

In addition to the personal information you download, your "ID" and "password" to access online data are also very important information!

If these are leaked, your online data could be stolen.

The "ASP type" and "mall type" have a low possibility of information leakage, but they become meaningless if the "ID" and "password" are leaked.

Password management is difficult, and there really are companies where anyone in the company can look up the passwords in an Excel file. You may also have handed your password to a web development company. I think it is advisable to change your password, especially after a company that did one-off work for you has finished.

Local information is something that has to be looked after by people, so keep that in mind too!


Also, hackers may attack your company's internal servers.

So, don't be stingy when installing virus and security software, and make sure to do it properly!

And above all, employee education is extremely important! Local data is often something that cannot be dealt with properly unless each employee is aware of the issue.

Summary

In this article, we broadly divided security measures into two areas:

・Online data

・Local data

and explained each of them.


Online, your data will mainly be held in two places, the main body of the site and third parties, so make sure to check the security of each!

There are many situations where the only way to ensure security is to use a third-party service that is relatively trustworthy.


And local data is something we have to protect ourselves.

・Check that there are no problems with how IDs and passwords are managed, and with attacks from outside the company

・Don't use USB memory sticks!

Let's make sure to thoroughly implement these measures, including employee training!

That sums it up.

First, read this article for a quick overview, and then take a look at the individual articles!


Please contact us if you have any problems with Shopify.

Cave de Script Inc.
