Security should always be top of mind, especially if you are processing payments and storing your customers' personally identifiable information.
This guide will walk you through several security principles that should be followed if you are implementing Ecommerce.
Platform Security Principles
Out-of-the-box, Agility Ecommerce follows several core principles that help reduce risk and liability.
- Collecting/storing credit card information either through the website or Agility Ecommerce is forbidden.
Agility Ecommerce uses third-party payment providers such as Stripe, Moneris, and PayPal to collect and process payments. All credit card entry inputs are served in an iFrame or a separate window/page of the payment provider. This means neither your website nor Agility Ecommerce will ever see a credit card number.
- All references to credit cards must be a tokenized value provided by the third-party payment provider.
When you enter your credit card details in the iFrame/window/page of the payment provider, a secure token representing the card is passed to the website as well as Agility Ecommerce. This token can be used to process payments, and stored for future reference to saved cards on a customer's profile. How long these tokens remain valid varies and is dictated by the payment provider. At any time, if a token is compromised the payment provider (or you) can invalidate ALL tokens, keeping your customers' credit cards safe.
- Protect Personally Identifiable Information
Agility Ecommerce stores information about a customer such as Name, Email, Address, and past orders. Only the logged-in customer, or an Ecommerce user in Agility (a special role), can see those personal details. Customer information is always encrypted in transport over HTTPS as well as encrypted at rest in the database.
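To make the tokenization rule above enforceable on your own side, the following added example (not Agility's code) shows a server-side guard for a checkout payload: it accepts only an opaque payment token and rejects any field that carries what looks like a raw card number. The field name `payment_token`, the token format, and the sample payloads are assumptions for illustration.

```python
import re
from typing import Dict, List

# Assumed token shape: an opaque alphanumeric string issued by the payment
# provider. Real providers have their own formats; adjust the pattern to match.
TOKEN_PATTERN = re.compile(r"^[A-Za-z0-9_\-]{16,128}$")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if the value contains a 13-19 digit run (spaces/dashes ignored) that passes Luhn."""
    stripped = re.sub(r"[\s\-]", "", value)
    return any(luhn_valid(m.group(0)) for m in re.finditer(r"\d{13,19}", stripped))


def validate_payment_payload(payload: Dict[str, object]) -> List[str]:
    """Return a list of policy violations; an empty list means the payload is acceptable."""
    problems: List[str] = []
    # Scan every string field, not just the card-related ones, so a raw PAN cannot
    # arrive under an unrelated key such as 'notes' or 'address'.
    for key, value in payload.items():
        if isinstance(value, str) and looks_like_pan(value):
            problems.append(f"field '{key}' contains what looks like a raw card number")
    token = payload.get("payment_token")
    if not isinstance(token, str) or not TOKEN_PATTERN.match(token):
        problems.append("missing or malformed payment_token")
    return problems


if __name__ == "__main__":
    # Constructed sample payloads: one compliant, one carrying a test PAN in a notes field.
    print(validate_payment_payload({"payment_token": "tok_constructed_abc123XYZ", "amount": "19.99"}))
    print(validate_payment_payload({"payment_token": "tok_constructed_abc123XYZ",
                                    "notes": "card 4111 1111 1111 1111"}))
```

Requests that produce a non-empty list should be rejected before any logging or persistence, so a stray card number never reaches your database or log files.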
Website Security Principles
Your website should have the following security in place.
- Force secure HTTP transport (HTTPS) for ALL traffic
- Up-to-date SSL/TLS certificates and a TLS configuration that does not allow obsolete ciphers
- Conduct regular manual penetration tests - preferably using a third-party
Custom Integration Security Principles
In most cases, an Agility Ecommerce solution will integrate with other third-party systems such as warehouses or shipping providers, or be used to generate custom reports. Agility Ecommerce provides webhooks and a REST-based server-to-server API to allow authorized applications to access information such as Orders and Customers. When designing these integrations, it's important to follow these guidelines.
- If transporting information from Agility Ecommerce to another service, it must be encrypted during transport (HTTPS)
- If storing/copying information from Agility Ecommerce, it must be encrypted at rest
- Do not allow unauthenticated or anonymous access to customer personally identifiable information in any third-party application, custom report, or admin portal
- Do not publicly expose calls to the server-to-server Ecommerce REST API
- Only use the Ecommerce client JS SDK to interact with Ecommerce on the website
- Developers should not have access to deploy to production without going through an approval process
Administrative Security Principles
Administering access to your Agility Ecommerce instance is also critical in ensuring a secure environment.
- Do not share logins
- Using Ecommerce Roles, only grant the minimum access level required by the user
- If a user has left the company (i.e. change management), revoke the user's access immediately by going to Settings > User Management in Agility
- Review Agility users on a regular basis and audit their access level
PCI compliance is a shared responsibility between the payment provider, Agility Ecommerce (platform), and your website.
As long as the security principles outlined in this document are followed, your website will have the required level of PCI compliance. Agility Ecommerce validates its PCI compliance with its payment providers on an annual basis. We also recommend that you complete an annual Self-Assessment Questionnaire (SAQ) covering your website and any custom integrations.