Why Online Merchants Should Make Security A Year-Round Priority

Brian Dhatt, BigCommerce

If I could encourage all e-Commerce merchants to take one piece of advice to heart, it would be: Shore up your security.

That advice may sound too general to be practical, but my recommendation to retailers is to break it down into digestible steps and considerations. Why make security a point of emphasis? Well, consider that in 2016 online fraud rose 40%, and I have little doubt the 2017 numbers will be even more harrowing when they’re released. If you’re willing to heed my advice and resolve to commit resources to improving security, here’s where to start:

Survey Your Situation

The foundation for any successful resolution is genuine self-reflection, self-awareness and self-evaluation. As retailers scramble to keep pace in a competitive marketplace and sell their goods on every platform possible, security has to be a differentiating factor in business strategy and in technology purchasing decisions. Map out all the channels you’re selling through: online, mobile, social media platforms, in-store brick-and-mortar, pop-up shops, etc. For each one, make sure you know how security is (or isn’t) being addressed, which risks you’ll encounter and how you’ll manage them.


In a similar way, map out your human capacity. Be realistic in evaluating whether you have the employee time and resources to manage payment approvals, fraud claims and security flags. What’s the tradeoff you would make to handle those priorities in-house? Product development? Fulfillment? Marketing? If you’re not willing to make those sacrifices at a business level, it might be time to look for payments and fraud prevention partners. More on that in a bit.

Know Your Core Technology

Diving beneath business strategy, there are technological considerations that shape your approach to security. Is your e-Commerce presence built on installed or self-hosted software, or on a Software-as-a-Service (SaaS) platform? If it’s the former, you own every security patch and update and have to stay current on all of them. If it’s the latter, the platform patches its own stack, but you still own your admin credentials, third-party apps, theme code and integrations, so the work shrinks rather than disappears. Customer data is your most valuable asset, so it’s also important to be intimately familiar with how that data is stored, shared and used both inside and outside the confines of the e-Commerce platform. Generally speaking, the fewer points of exposure, the better.

For each of the multiple sales channels identified earlier, add a layer of technological insight. How are you accepting payments on each channel? How are you (or your payment providers) promoting shopper authentication? Who’s monitoring and mitigating fraud?

Pick Your Partners

Here’s where we get to taking substantive action. If the answer to any of the questions in the preceding section is “I don’t know,” that’s a tell-tale sign you should investigate your options for payments and fraud prevention partners.

On the fraud prevention front, there are a couple of routes you can go down, depending on the maturity and complexity of your company. First, you can look into strong standalone products like Signifyd, which watch both the transaction and the shopper and flag fraud by combining signals such as browser fingerprinting, the number of high-value items in an order, purchase frequency, the types of products in a cart and more. These solutions tend to have universally helpful features right out of the box, but are also reasonably customizable to fit your own business rules.

The other option is more complex systems coupled with payments from the likes of CyberSource or Vantiv, which offer bespoke tuning of fraud engines to completely tailor them to your business. (Granted, this model tends to be more expensive, as it typically comes with a dedicated account team.)
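To make concrete what a rules-based fraud engine does with the signals listed above (device fingerprint, high-value item count, purchase velocity, geography), here is an added illustrative example. It is not code from the article, from BigCommerce or from any of the vendors named; the weights, thresholds, field names and sample orders are all assumptions chosen for the demonstration.

```python
"""Rule-based fraud screening over constructed orders.

Hypothetical example: combines a few of the signals a fraud engine looks at
(device fingerprint, order value, count of high-value items, velocity and
billing/shipping geography) into a score and a decision. Every weight and
threshold below is an assumption for illustration, not a vendor's rule set.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

HIGH_VALUE_ITEM = 500.00        # assumed: items priced at/above this are "high value"
REVIEW_THRESHOLD = 50           # assumed: score >= this goes to manual review
DECLINE_THRESHOLD = 80          # assumed: score >= this is declined automatically
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_LIMIT = 3              # assumed: this many prior orders per device in the window is suspicious


@dataclass
class Order:
    order_id: str
    placed_at: datetime
    device_fp: str              # browser fingerprint hash supplied by the storefront
    shipping_country: str
    billing_country: str
    account_age_days: int
    items: list                 # list of (sku, unit_price, qty)

    @property
    def total(self) -> float:
        return sum(price * qty for _, price, qty in self.items)


class FraudScreen:
    def __init__(self):
        # device fingerprint -> timestamps of orders already seen from it
        self._seen = defaultdict(list)

    def score(self, order: Order):
        """Return (score, reasons) for one order and record it for later velocity checks."""
        score, reasons = 0, []
        # Velocity: many orders from one device fingerprint inside the window
        recent = [t for t in self._seen[order.device_fp] if order.placed_at - t <= VELOCITY_WINDOW]
        if len(recent) >= VELOCITY_LIMIT:
            score += 50
            reasons.append(f"velocity: {len(recent)} prior orders from this device in 24h")
        # Basket shape: resellable high-value units in quantity
        high_value_units = sum(qty for _, price, qty in order.items if price >= HIGH_VALUE_ITEM)
        if high_value_units >= 3:
            score += 30
            reasons.append(f"{high_value_units} high-value units in basket")
        # Geography: billing and shipping countries differ
        if order.billing_country != order.shipping_country:
            score += 25
            reasons.append("billing/shipping country mismatch")
        # Brand-new account placing a large first order
        if order.account_age_days < 1 and order.total >= 1000:
            score += 25
            reasons.append("new account, large first order")
        self._seen[order.device_fp].append(order.placed_at)
        return score, reasons

    def decide(self, order: Order) -> str:
        score, _ = self.score(order)
        if score >= DECLINE_THRESHOLD:
            return "decline"
        if score >= REVIEW_THRESHOLD:
            return "review"
        return "approve"


def run_sample() -> dict:
    """Screen a constructed batch of orders; returns {order_id: decision}."""
    t0 = datetime(2017, 11, 27, 9, 0)
    sample = [
        # ordinary repeat customer, one cheap item, same country
        Order("A-1001", t0, "fp-a", "US", "US", 400, [("SKU-TEE", 40.0, 1)]),
        # day-old account, four GPUs, billed in the US but shipped abroad
        Order("A-1002", t0 + timedelta(minutes=5), "fp-c", "NG", "US", 0, [("SKU-GPU", 600.0, 4)]),
    ]
    # four cheap orders in three hours from one device: the fourth trips the velocity rule
    for i in range(4):
        sample.append(Order(f"A-10{3 + i:02d}", t0 + timedelta(hours=i), "fp-b",
                            "US", "US", 90, [("SKU-TEE", 40.0, 1)]))
    screen = FraudScreen()
    return {o.order_id: screen.decide(o) for o in sample}


if __name__ == "__main__":
    for order_id, decision in run_sample().items():
        print(order_id, decision)
```

The point of the velocity rule is that the engine has to keep state across orders; a check that only looks at one order in isolation cannot see the fourth purchase from the same fingerprint. Real products weight and combine far more signals, and tune the thresholds per merchant, which is the customization the text refers to.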

Speaking of payments, some partners in that arena guarantee that if they greenlight an order, they’ll take responsibility for any fraud from that point forward. Klarna and PayPal are standout examples of payment providers that are leading the charge in authenticating shoppers on their devices and supporting merchants with an added layer of security built into the payments gateway. They make authenticated payments as easy as one-click purchases on Amazon and are working toward ways to take their online payments security prowess to the brick-and-mortar omnichannel world.

As part of the selection process for any fraud detection or payment partner, it’s important to have a crystal-clear understanding and assurance of who’s standing behind the transactions and what the rules of engagement are. What are your levels of exposure and risk? Who bears the liability for fraud, should an occurrence sneak through? How much time will you spend manually validating purchases, as opposed to the payment or anti-fraud provider automating that process?

Fall Back On The Standards

Even if you can’t afford some of the flashier tools, there are baseline steps you can take to implement security best practices. At the very least, implement site-wide HTTPS on every page of the browser experience for your online store, all the way through the transaction. That means redirecting plain-HTTP requests to HTTPS, sending an HSTS header so returning browsers never make the initial plain-HTTP request, and making sure no script, stylesheet, image or form action on any page loads over plain HTTP: a single insecure element breaks the browser’s padlock and gives an attacker on the network path a way to tamper with the page.
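One way to check the “every page, all the way through the transaction” requirement before a shopper finds the gap is to scan rendered pages for insecure references. The following is an added example, not code from the article or from BigCommerce: it parses a constructed checkout page with the standard library and reports plain-HTTP resources, form actions and internal links. The store hostname shop.example, the severity ranking and the sample HTML are assumptions.

```python
"""Mixed-content and insecure-link audit for storefront pages.

Added example (not the article's or any platform's code). Parses HTML with the
standard library and reports anything that would undermine site-wide HTTPS:
plain-http script/style/frame/image sources, form actions that submit over
http, and http links back into the store. STORE_HOST and the sample page are
constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

STORE_HOST = "shop.example"     # assumption: the store's own hostname

# tag -> attribute whose value the browser fetches or submits
URL_ATTRS = {"script": "src", "img": "src", "link": "href",
             "iframe": "src", "form": "action", "a": "href"}


class MixedContentAuditor(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []       # (severity, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return
        # Resolve relative URLs against the page, so "/static/x.css" inherits https
        target = urlparse(urljoin(self.page_url, value))
        if target.scheme != "http":
            return               # https, mailto:, data: and resolved-relative URLs are fine
        if tag == "form":
            severity = "critical"   # card or login data would leave the browser in clear text
        elif tag in ("script", "iframe", "link"):
            severity = "high"       # active mixed content: an on-path attacker can inject code
        elif tag == "img":
            severity = "medium"     # passive mixed content: still breaks the padlock
        elif target.hostname == STORE_HOST:
            severity = "low"        # internal link drops the shopper back onto plain http
        else:
            return                  # outbound http link to a third party: not this page's problem
        self.findings.append((severity, tag, target.geturl()))


def audit_page(page_url: str, html: str):
    """Return [(severity, tag, absolute_url)] for one rendered page."""
    auditor = MixedContentAuditor(page_url)
    auditor.feed(html)
    return auditor.findings


# Constructed checkout page with one problem of each kind plus two harmless links
CHECKOUT_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/checkout.css">
<script src="http://cdn.example/analytics.js"></script>
</head><body>
<img src="http://shop.example/img/logo.png">
<form action="http://shop.example/checkout/submit" method="post">
  <input name="card"><button>Pay</button>
</form>
<a href="http://shop.example/cart">Back to cart</a>
<a href="https://shop.example/help">Help</a>
<a href="http://www.example.org/terms">Third-party terms</a>
</body></html>"""


def audit_sample():
    """Audit the constructed checkout page as if served from https://shop.example/checkout."""
    return audit_page("https://shop.example/checkout", CHECKOUT_HTML)


if __name__ == "__main__":
    for severity, tag, url in audit_sample():
        print(f"{severity:8} <{tag}> {url}")
```

In practice you would feed this the HTML of every page in a crawl of the store (and of the hosted blog and any other associated systems), treating any “critical” or “high” finding as a release blocker. Note that the scanner flags every plain-http `<link href>` as active content for simplicity; a `rel="canonical"` link is harmless, so refine that rule if it produces noise.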

Transition from vulnerable Adobe Flash to HTML5. As added incentive, if you haven’t already made that switch, chances are your marketing, content and search engine traffic are already suffering. And yes, these measures around HTTPS and HTML5 should apply to hosted blogs and other associated systems, not just the store itself.

Finally, be PCI DSS compliant end to end. The simplest way to shrink that scope is to keep card data off your own servers entirely, by using the hosted payment fields or redirect flow your payment provider offers. Make sure your vendors are keeping up their annual PCI compliance checks, and stay abreast of what the standards bodies are recommending for merchants. Additional global e-Commerce security mechanisms such as 3D Secure 2.0 will be rolled out soon, so research it in advance and proactively ask your technology providers how they plan to incorporate it.

Understand What’s At Stake

As with any set of consequences a resolution looks to avoid, some are obvious and some are less so. The financial implications of e-Commerce security lapses are obvious, even if the degree to which they can impact a business is often underestimated. Nearly 50% of small businesses fall victim to fraud at some point in their lifecycle, and those incidents cost an average of $114,000 per occurrence, according to the Association of Certified Fraud Examiners. And that doesn’t even take the intangibles into account.

For most companies, a site hack or payment data breach can cause lasting damage that extends far beyond store downtime and immediate financial losses incurred. More and more often, security is intertwined with brand reputation. Lapse on security once and you may lose a customer (or an entire segment of customers) for life. In fact, KPMG found that a security breach would discourage 58% of consumers from doing business with a particular brand in the future.

Now more than ever, customers and merchants alike assign the utmost importance to security, but it is often easier to talk the talk than to walk the walk. Hopefully, by keeping this guidance and a realistic view of what’s at stake in mind, online retailers will be able not only to resolve to shore up security but to follow through on it.


Brian Dhatt is the chief technology officer at BigCommerce, where he leads a global engineering team of more than 100 across offices in Austin, San Francisco and Sydney. Prior to BigCommerce, Dhatt was the CTO at Borderfree, an e-Commerce SaaS company acquired by Pitney Bowes, where he led the company through a successful IPO in 2014 and acquisition in 2015. He also served as VP of engineering and product at Jetsetter and Gilt City under the Gilt Groupe umbrella, co-founded the global media and technology company POPSUGAR and previously led technology efforts for leading companies such as Restoration Hardware and Estée Lauder.
