SheLeadsTech Digital Resilience Workshop

Transcription

SheLeadsTech Digital Resilience Workshop - E-commerce Security Considerations
Presenter: Adeline Chan
27 June 2022
Disclaimer: The views and opinions expressed in this presentation are those of the author and do not necessarily reflect the official policy or position of any organization.

Agenda
1. What Is E-commerce Security and Why Is It Important?
2. Common E-commerce Security Issues
3. Best Practices for E-commerce Security

What Is E-commerce Security and Why Is It Important?
Confidential. For internal use only.

What Is E-Commerce Security and Why Is It Important?
Ecommerce security is the set of guidelines that are designed to allow safe transactions on the web. Ecommerce security refers to the steps and protocols in place to protect the sale and purchase of goods and services online. Appropriate ecommerce security measures boost consumer confidence.
According to a new study from Juniper Research, merchant losses to online payment fraud will amount to 206 billion between 2021 and 2025.
The new research observed that, as well as implementing further payment security measures, eCommerce merchants must take on a more educational role for their users. This role will primarily be education about cybersecurity practices, common fraud methods and changes to the checkout process to improve fraud mitigation. This will be essential in China, which will account for 42% of all eCommerce payment fraud in 2024.

Webscale - Global Ecommerce Security Report 2022
Key insights:
- Cyberattacks continued to rise in 2021 despite a minor dip in sales compared to 2020. 82.5% of merchants surveyed experienced security-related incidents on Black Friday/Cyber Monday, compared to 78% in 2020.
- Most attack types saw notable increases over the year:
  - Phishing (71%)
  - Credit card fraud (68%)
  - Carding attack (63%)
  - Card scraping (54%)
  - Account takeover (45%)
  - Malicious bots
Source (truncated): urity-report-2022/

Webscale - Global Ecommerce Security Report 2022
Ecommerce businesses continue to show growing interest in investing in security technologies. Some of the key areas of investment are:
- Real user monitoring (RUM): 78% of merchants surveyed intend to invest in a solution that enables RUM
- MFA (multi-factor authentication): 75% of ecommerce businesses plan to invest in fraud prevention technologies
- CSP (content security policy) protection: 71% want to prevent cross-site scripting (XSS) and data injection attacks by deploying real-time CSP protection
“The pace of investment by ecommerce businesses into critical security solutions continues to be slow, especially when compared to the rapid increase in both the number and complexity of cyber threats,” said Sonal Puri, CEO, Webscale. “Yet with many merchants reporting an intent to invest in important technologies such as MFA and CSP in the coming year, we expect to see this gap narrow, and to see threats such as carding attacks and malicious bots, of which Webscale alone blocked 76M over the 2021 Cyber Week, have less of an
Source (truncated): e-security-report-2022/

Common E-commerce Security Issues

Common Ecommerce Security Issues
1. Information Leakage
   - Counterfeit sites – fake versions of the legitimate business website are created to lure customers to these sites, where their credentials (login details / passwords) are captured.
   - Theft of client data – scammers have stolen information such as credit card details using SMS or calls to make victims reveal personal information (social engineering), or by e-skimming, i.e. stealing information from payment card processing pages on e-commerce sites.
2. Malware / Virus Attacks
   - Damage to the online store using worm or virus attacks
   - Denial of service – prevents users from accessing the online store
   - Malicious links are sent to clients through phishing emails
3. Fraudulent Transactions
   - Stolen PINs and passwords can be used to facilitate fraudulent transactions

Best Practices For E-commerce Security

Best Practices For E-commerce Security
1. Implement strong and unique passwords and ensure that your customers do too
   - Strong passwords are at least 8 characters and contain upper and lowercase letters, numbers and symbols
   - Passwords should never be shared
   - Customers - never use the same password for other login credentials as you use for your e-commerce site
2. Implement additional authentication factors
   - Using 2-factor or multi-factor authentication gives you assurance that you and your customers are the only people logging into your store.
3. Only store customer data that you need
   - Bottom line – never hold on to more data than you need to conduct your business
   - Always keep your customers’ critical data separate from other information by segmenting your network.
   - Deploy firewalls and conduct audits to ensure that only authorised people are accessing client data

Best Practices For E-commerce Security
4. Secure with HTTPS hosting
   - HTTPS sends a positive trust signal to your shoppers
5. Regularly review all third-party solutions
   - Keep an inventory of all third-party solutions you are running within your store
   - Assess your continued level of trust in the third party and remove that integration from your store if you are no longer using it
6. Make sure your e-commerce site is always up to date
   - If you are using a SaaS ecommerce platform, updates to your software are taken care of by the vendor
   - For on-prem ecommerce solutions, you are responsible for updates, bug fixes and any vulnerability patches to the software

Best Practices For E-commerce Security
7. Prepare your customer service team
   - Develop processes to deal with common threats
   - Build awareness of cyber risks and attack methods
8. Comply with Payment Card Industry Data Security Standard (PCI-DSS) requirements to protect all credit card data.
   - Maintain a routine for complying with PCI DSS

Massive Breach Hits 500 E-Commerce Sites
Hackers Targeted E-Commerce Sites Running on Magento 1
In May 2021, researchers at Malwarebytes Labs' Threat Intelligence Team found that Magecart Group 12, which is known for skimming payment cards from e-commerce websites using JavaScript skimmers, is using an updated attack technique to gain remote administrative access to sites that run an older version of Adobe's Magento software.
All of the targeted sites were still using the 12-year-old Magento 1 e-commerce platform, which Adobe stopped supporting on June 30, 2020. Adobe has urged customers to upgrade to the newer platform, but according to previous research by Sansec, about 95,000 e-commerce sites still rely on the older
Source (truncated): reach-hits-500-e-commerce-sites-a-18492

Appendix

Useful References
Introduction of E-Commerce Marketplace Transaction Safety Ratings and Revised Technical Reference 76 on E-Commerce Transactions (14 May 2022)
To secure e-commerce marketplaces from scams, the Inter-Ministry Committee on Scams (IMCS) will launch the following two initiatives today:
(a) E-commerce Marketplace Transaction Safety Ratings (“TSR”) to provide consumers with information on anti-scam measures that major e-commerce marketplaces have in place; and
(b) Revised Technical Reference 76 on Guidelines for Electronic Commerce Transactions (“TR 76”) to provide e-retailers and online intermediaries such as e-commerce marketplaces with additional guidelines to better secure e-commerce transactions from e-
Source (truncated): 76-on-e-commerce-transactions/

Useful References
Security in Milliseconds: Visa Invests in Payment Security as E-Commerce Surges (May 17, 2022)
- Dustin White (Visa Chief Risk Data Officer) said Visa has invested 9 billion over the past five years on fraud prevention, with half a billion of that focused on AI and data infrastructure to secure the petabytes of data Visa handles, an investment that turned out to be well timed.
- One of those services, Visa Advanced Authorization, helped prevent approximately 26 billion in fraud last year alone by evaluating over 500 unique attributes per transaction – including previous spending patterns, location, merchant, purchase amount – and generating a risk score in about a
Source (truncated): ance/visa-ecommerce-payment-security/
2022 SecurityMetrics Guide to PCI DSS Compliance: Key Information on PCI DSS 4.0 Requirements Updates and Ecommerce Security Trends
- To help companies better understand their options for protection, SecurityMetrics released their 7th edition of the PCI DSS Compliance
Source (truncated): ecommerce-security-trends-301539053.html

SheLeadsTech Digital Resilience Workshop - Customer Data Protection
27 June 2022
Cheryl Lam
Disclaimer: The views and opinions expressed in this presentation are those of the author and do not necessarily reflect the official policy or position of any organization.

Outline
- Introduction
- Principles of Data Protection
- Data breaches
- Personal Data and PDPA
- Backup
- Ransomware
- Common mistakes to avoid
- Final thoughts
- Appendix: Resources

Introduction
In this day where ransomware and cyberattacks are not uncommon, it is important to protect your valuable assets – your data, especially customer data.
We will walk through the essential steps you need to take to safeguard your data, and common mistakes to avoid.

Principles of Data Protection
1. It is necessary to be fair and lawful.
2. Use information only for predefined purposes.
3. Information received from users should be minimized.
4. Update users' information and verify its accuracy.
5. Information should be kept only until a specified time.
6. The customer is always right.
7. Increase security.
8. Obey international privacy laws - GDPR, PDPA, HIPAA, PCI-DSS.
Reference link: Tek Blog

Data breaches
- Cyber breaches resulting in the loss of personal data have been increasing in scale and frequency. With more businesses moving towards digitalisation, corporate and personal data may be exposed to such cyber threats.
- Being able to detect, contain, and remedy breaches more quickly will help to reduce the scope, impact, and associated costs.
- Social network sites and lifestyle/entertainment companies were just some entities that suffered such data breaches.
For informational reading: 64 biggest data breaches

Personal Data and PDPA
What is Personal Data?
- Data about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access.
What is the PDPA?
- The Personal Data Protection Act (PDPA) provides a baseline standard of protection for personal data in Singapore. It complements sector-specific legislative and regulatory frameworks such as the Banking Act and Insurance Act.
- It comprises various requirements governing the collection, use, disclosure and care of personal data in Singapore.
- It also provides for the establishment of a national Do Not Call (DNC) Registry. Individuals may register their Singapore telephone numbers with the DNC Registry to opt out of receiving unwanted telemarketing messages from organisations.

Backup – Why is it important
- If you think business data loss can’t or won’t happen to you, or if you’re just starting a business and think you can’t afford to have a backup and recovery plan, think again.
- You need to ensure essential data is safe and secure. In the case of the loss of critical data, you need to be able to run your business smoothly on a daily basis.

Why Backup and What to Backup
Data loss scenarios
- Data or file corruption
- Fire
- Flood
- Theft
- Hardware failure
- Simple human error
- Malicious attack
Information to backup
- Customer records
- Financial records
- Tax records
- Sales information, etc.

Backup Strategy
In order to safeguard your data, ensure you have a sound backup strategy.
- The most prevalent strategy is the 3-2-1 backup rule. It dictates that you should always have at least three (3) copies of your data, stored on two (2) different storage media, with one (1) copy kept offsite.
- The point of this approach is to eliminate a single point of failure. In other words, if a disaster impacts your office, the backup copies stored offsite remain intact. Additionally, backups kept offline cannot be targeted by a ransomware attack.

Ransomware – what is it?
Reference link: Link (Protecting Your Small Business: Ransomware, from NIST)

Ransomware – what is it?
- Ransomware is a type of malware, or malicious software. It locks up a victim’s data or computing device and threatens to keep it locked — or worse — unless the victim pays the attacker a ransom.
- Ransomware typically infects a computer and lies dormant.
- Notable ones are Cryptolocker, WannaCry, Petya, NotPetya, etc.

Ransomware – Safeguarding measures
- Use licensed software, and be sure to update your software / OS regularly.
- Invest in good anti-virus software (e.g. McAfee, Symantec, etc.), and update it regularly.
- Do regular backups.
- Security measures like using strong passwords / passphrases.
- Employee cybersecurity training – e.g. avoid downloading content from the internet, be aware of social engineering scams, etc.

Common Mistakes to avoid
1. It won’t happen to me.
2. Keeping / collecting things you don’t need, ‘just in case’.
3. Not understanding the local laws.
4. Opening unfamiliar web links or attachments.
5. Ignoring a customer’s request to amend / delete his / her personal data.
6. Sharing data without the customer’s proper consent.
7. Not securing data in hardcopy documents or hard drives and not having proper disposal.

Final thoughts!
Data Protection vs Data Privacy
- The terms data protection and data privacy are often used interchangeably, but there is an important difference between the two. Data privacy defines who has access to data, while data protection provides tools and policies to actually restrict access to the data.
PII (Personally Identifiable Information)
- Any information about an individual maintained by an agency, including
  i. any information that can be used to distinguish or trace an individual‘s identity, such as name, NRIC number, date and place of birth, mother‘s maiden name, or biometric records;
  ii. any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
First line of defense in cybersecurity: ? Employees!

Appendix

Resources
- PDPA (Singapore): Personal Data Protection Act. Link
- GDPR (European Union): General Data Protection Regulation. Link
- HIPAA: Health Insurance Portability and Accountability Act. Link
- PCI-DSS: Payment Card Industry Data Security Standard. Link
- MAS TRM guidelines: Monetary Authority of Singapore Technology Risk Management guidelines. Link
- NIST (USA): National Institute of Standards and Technology. Link
- CSA (Singapore): Cyber Security Agency of Singapore. Link

Thank you!

Awareness against Social Engineering attacks
Presenter - Isha Agarwal
27 June 2022
Disclaimer: The views and opinions expressed in this presentation are those of the author and do not necessarily reflect the official policy or position of any organization.

Introduction
- Attacks are getting more intelligent and smarter than expected
- Some attackers don’t destroy services on the target immediately; they keep monitoring and plant decoy attacks
  - Examples: "WD’s 0-day Vulnerability"
  - They steal the data from the target and also disrupt all the services
- The biggest security problems of today are:
  - Ransomware - malware threatening to publish the victim's personal data or block access unless a ransom is paid
  - Zero-day vulnerabilities - a disclosed vulnerability that is not yet patched
  - Social engineering attacks like phishing emails
  - Weak passwords and password management
  - Data leakage
- Home offices and shared workspaces became the norm, and if users connect their laptop using public Wi-Fi, this becomes a potential risk, as hackers can gain full access to any data sent over the public network
- Employees who are well trained on cybersecurity can identify spam mail and know who to approach for help if they are phished or their machines are infected with a virus

Social Engineering Attacks - Phishing, Smishing, Vishing
- A fraudulent attempt through internet resources like Email, Instant Messaging, Social Networking, Phone Call, SMS, etc.
- The ultimate goal is to obtain sensitive information, such as IDs, Usernames, Passwords, Credit Card Details
- Typically, phishing emails contain an attachment that is a virus, and/or a hyperlink to a fake website
- A scammer over a phishing call or email will tell you that a very big problem has occurred and needs to be solved IMMEDIATELY or in a very short time. They try to instil panic and chaos
Social Networking Dangers:
- Attackers inform users of some benefits, then ask you to click on links, or
- Ask for personal information on the IM of social networking sites, or
- Share offensive content or images of you / with you
- Beware of fake sales pages and groups, etc.
- Malicious users catfish people by posting good-looking pictures of others and asking you to be friends on social networking websites, and obtain your personal information
Resolution: MONEY!!
Countermeasures:
- Do not publish personal information like location, email address, phone number or date of birth online
- Make sure your social media profile privacy setting is set to private so that malicious users cannot extract your personal information openly from your or your friends’ social media pages
- Keep a record of anything abusive or offensive received and report any trouble
Read more on (source truncated): eering/

Signs Of Phishing, Smishing, Vishing

Countermeasures of Phishing, Smishing, Vishing
DOs
- Keep Calm
- Check the “from” field - whether it is a legitimate user or not
- Check if the attachment filename is legit and sensible
- Check for erratic, arbitrary sentences with spelling mistakes
- Check if you’re expecting an email from the sender/company
- Check the authenticity of the caller
- Try to verify whether something in the conversation actually happened, if necessary
- Report as SPAM or Phishing call, SMS or email, and delete it
- Report the suspicious or confirmed phishing attack to IT Security
DO NOTs
- DO NOT panic
- DO NOT make any payments
- DO NOT click on any links without verifying first
- DO NOT click on any links, including the ‘Unsubscribe’ button
- DO NOT reply to or forward this message
- DO NOT open the attachment
- DO NOT meet up with anyone alone promising to get you a resolution, especially in an unofficial or non-government location like a cafe
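The DOs above (check the “from” field, check the attachment filename, look for urgency language, verify links before clicking) can be turned into automated triage checks. The following is an added example written for this workshop summary, not code from the presenter; it uses only the Python standard library, a constructed sample message, and an assumed allow-list of trusted sender domains.

```python
import re
from email import message_from_string, policy

# Constructed sample (not a real message): shows the signs listed on the slide,
# an urgent subject, a display name that does not match the sender domain,
# a link whose visible text differs from its real target, and a risky attachment.
SAMPLE_PHISH = """\
From: "MyBank Security Team" <alerts@mybank-secure-login.example>
To: customer@example.com
Subject: Your account will be suspended IMMEDIATELY
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Dear customer, please verify your account immediately:
<a href="http://mybank-secure-login.example/verify">https://www.mybank.example/login</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

AAAA
--b1--
"""

URGENCY_WORDS = ("immediately", "urgent", "suspended", "within 24 hours")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta")
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>([^<]+)</a>')


def phishing_signals(raw: str, trusted_domains=("mybank.example",)) -> list[str]:
    """Return human-readable reasons the message looks like phishing.
    trusted_domains is an assumed allow-list of sender domains we expect mail from."""
    msg = message_from_string(raw, policy=policy.default)
    signals = []

    # DO: check the "from" field - does the address belong to a domain we trust?
    sender = str(msg.get("From", ""))
    m = re.search(r"@([\w.-]+)", sender)
    if not m or m.group(1).lower() not in trusted_domains:
        signals.append(f"sender domain not trusted: {sender}")

    # DO: watch for urgency / panic language in the subject and body
    body = msg.get_body(preferencelist=("html", "plain"))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    for word in URGENCY_WORDS:
        if word in text:
            signals.append(f"urgency language: '{word}'")
            break

    # DO: verify links - visible text that looks like a URL but points elsewhere
    for href, label in LINK_RE.findall(text):
        label = label.strip()
        if label.startswith("http") and label != href:
            signals.append(f"link text '{label}' hides target '{href}'")

    # DO: check that attachment names are sensible (no executable / double extension)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            signals.append(f"risky attachment: {name}")
    return signals
```

Run `phishing_signals(SAMPLE_PHISH)` to see all four signals flagged; a plain internal note from a trusted domain with no links or attachments returns an empty list.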

Examples of Phishing, Smishing, Vishing

Let’s RECAP!
PHISHING, VISHING, SMISHING ATTACKS
- Beware of phishing attacks - a big problem, to be solved IMMEDIATELY, pressurizes the user, instils panic & chaos
- Verify links when you hover over them, before clicking on them
- Verify sender email addresses before replying or forwarding
- Be careful when opening any attachments, including PDFs, especially if you don’t expect them

Quiz

Thank you!