Security Enhancements for Website Checkout

Learn how to deter fraud on your e-commerce website and improve peace of mind for site owner and customer.

Let’s start by acknowledging that this topic is relevant to every website. No matter the platform or the size of the business, online fraud and e-commerce abuse can target anyone. While technology advances are a wonderful thing, malicious behavior does not disappear and is constantly evolving.

But rather than just be fearful, you can take proactive steps to secure your website properties. You can also tackle fraud activities when they happen.

Why do fraudsters target e-commerce sites with bad orders?

There are different motivations for fraudulent orders on e-commerce sites. In the end, it’s about money, of course.

Many bad actors are identity thieves using various sites to test credit cards they have stolen to validate which ones they can abuse. When small business sites see thousands of small dollar amount transactions flooding in, this is probably a symptom of card testing.

Other abusive individuals use stolen financials and gift cards to actually purchase goods from sites. In that case they are placing orders in hopes of receiving a free product. In fact, the recipient might even be reselling those items through their own illegal business channel. The real card holder suffers from fraud transactions, and the merchant suffers when those charges are disputed and the goods are already out the door.

Using secure shopping carts and official payment integrations is a good foundation.

There are probably hundreds of shopping cart software options to choose from. Some of the options may be poorly written or outdated technology. Others have modern technology, good reputation, and continual support. If you are installing a ready-made shopping cart platform to run your e-commerce tools, it’s important to look at proven vendors with quality technical support and features.

The shopping cart is just the beginning. The actual transactions require a payment processing platform. This is where the banking and gateway vendors come in. Usually, you will need a reliable and compatible payment gateway with a middleware to connect with your merchant bank. Sometimes the financial provider will have a preferred solution they either sell themselves or partner with. And it is also common to use well-known providers like Stripe or Authorize.net.

If you are exploring these options for your e-commerce experience, it’s important to be sure the brand is reputable and in compliance with today’s standards. Become familiar with the fraud-prevention features they offer in your portal.

Another possibility is developing a custom e-commerce site and integrating it with a payment system. The merchant should make the web developer aware of their financial vendors and help connect them to web developer documentation instructions for those platforms.

Enhance the E-commerce Site with Security Features

There are a few simple things you can tune in some online shopping carts to improve their security and prevent fraudster activity.

Adding captcha to the checkout form

 The reCAPTCHA feature you typically see at the end of a form helps to prevent excessive submissions by bots and scripts. Depending on the platform, you can integrate this with a plugin, with some settings in your e-commerce administration, or with some custom code.

Multi-step checkout forms

Some websites have only one single page with a single form to fil out all contact information and payment for the order. While this is a nice and easy customer experience, it also makes the job of a fraudster a bit easier.

The checkout experience can be split into multiple screens with “steps” like first entering all of the contact details to save and submit before proceeding to the payment page to complete the final order. In some of our custom web development work, we have also kept the experience on a single page visually, while still keeping each required section collapsed in a step-by-step workflow: The user submits the top section with their contact and item details first, then fills out a shipping destination and clicks a next button, and finally confirms payment information before submitting the entire transaction. While this might feel a tad slower to some users, it can be very effective to ensure loyal customers are entering valid information carefully and that they are more likely real customers. It slows the abusive visitors down which discourages them to continue.

Hardening e-commerce sites with add-on features

 Examples of add-on security features could be plugins or a third-party firewall service. For example, there is a Woo plugin called Anti-Fraud which helps detect and block suspicious order activity. There are also firewall and intrusion prevention subscription services. Examples are Sucuri and Wordfence. These types of services add a layer around the main website to detect and block suspicious IP addresses, excessive traffic, geographic locations, and other activity according to your preferences.

Using a hosted payment form maintained by the payment processor

 Some of the leading payment gateway providers offer a “hosted form” option. This means that the actual payment information is not being entered directly on your own website. Instead, the shopper is directed to the payment platform to type in their payment details and submit the transaction. After it is successful, they may be redirected to your confirmation web page again. The reason for considering this option is because the liability of moving and housing sensitive information is the responsibility of the payment provider. Since the customer is being directed away from your web page, they are not entering or storing any sensitive payment info in your form or database. Since each vendor is different, ask for details about any hosted models they offer and the full instructions on how to implement them.

Enabling fraud prevention features in the gateway

Outside of your website, the payment platform typically offers an administrative portal and settings. Look for options that enhance the security requirements for payment validation, such as requiring the billing address and zip code to match the card holder information and requiring the CVV code for the credit card. There may be other settings such as a minimum order amount, which would prevent those card-testers from submitting $1.00 test orders. Ask the payment gateway’s customer support for advice on their best pro-active anti-fraud settings.

Requiring customer registration with email verification

Another option in some shopping carts requires that each customer register for an account in the website before they can place a full order, and sends an email confirmation to activate the account. This is not full proof, since a scammer human can still impersonate a real customer and follow through. But it will filter activities from abusers using fake email addresses and who are not willing to complete a customer account.

Never save passwords insecurely in files

Many payment service integrations require passwords and security keys to validate the website’s link to the payment system during transactions. It’s important to follow the instructions from the provider on proper secure integration and avoid saving that sensitive information in an open file that anyone could access insecurely.

Keep software patched and upgraded

Remember that all websites need regular maintenance. Keep your plugins and platform software up to date. Apply available upgrades on a regular schedule. If you are notified about a critical security patch, get it taken care of as soon as possible. Many software vendors, including authors of common WordPress plugins, are constantly looking out for vulnerabilities and offering upgrades to prevent issues. If you ignore website maintenance for too long, it could result in allowing bad actors to gain access to parts of your website or even to hack the website to misdirect payments elsewhere.

If you are looking for a reliable partner for website maintenance, WEBii offers several options, including maintenance plans for WordPress. Contact us to learn more about this.

Do not accept payments via an insecure form

Websites often have contact forms that are built with a simple form plugin or as an embedded form from a marketing platform. These are intended to be used as lead generation or communication tools, and not for sensitive data.

A basic form without properly integrated payment gateway services and security validation should not be used to collect payment information with standard text fields. Even if the website has SSL installed (which is standard for all websites today), that does not protect the card holder or the merchant.

Some form tools offer add-on services to properly integrate secure payment capabilities. Communicate this need with the web developer to ensure the right procedure.

By putting these security measures in place, you’re not just protecting your business—you’re also building trust with your customers. In the end, a secure checkout experience means peace of mind for everyone involved—and if you need help along the way, we are here to support you.

Jacqueline Sinex

Managing Director