Excerpt from a recent answer to a Quora question about cybersecurity. Useful starting checklist. I would love to hear your comments!
- Your internal security controls. Do you force admin users to use secure passwords and change them often? Do you run background checks on, and monitor the activity of, your employees or ANYONE you give access to your admin panel or server? Do you check for intrusions? Does your customer service have ENFORCED policies against writing down credit card numbers or other sensitive information?
- Have you locked down potential entry vectors? Do all of your forms protect against SQL injection and other code injection? Have you shut down FTP and other insecure or unused services and ports that are often open by default?
- Are you using security audit tools? If you use Magento, Cadence Labs has a good security audit; Razoyo offers one as part of a technical site audit; MageReports has an automated tool. Similar scans and tools are available for WordPress.
- Do you use a reputable integration for your payment gateway? Magento has a core implementation for PayPal, Braintree, Authorize.Net and so forth. Unless you have an expert security developer on staff, you should avoid homegrown payment gateway implementations.
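To make the "do your forms protect against SQL injection" item concrete, here is an added example (my own illustration, not code from the Quora answer or from Magento/WordPress). It is Python with an in-memory SQLite table so it runs offline; the `admin_users` table, the two accounts and the two login payloads are all constructed for the example. The same login query is written twice: once built with string formatting, once with bound parameters, and both are fed the classic admin-login payloads.

```python
import hashlib
import sqlite3

# Constructed sample accounts for the example; not real credentials.
SAMPLE_USERS = [
    ("admin", "Adm1n-Passw0rd!"),
    ("support", "Supp0rt-Passw0rd!"),
]


def hash_password(password: str) -> str:
    # SHA-256 keeps the example stdlib-only; a real application uses a slow,
    # salted password hash (bcrypt, scrypt or Argon2) instead.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Create an in-memory admin_users table from the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_users (username TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO admin_users VALUES (?, ?)",
        [(u, hash_password(p)) for u, p in SAMPLE_USERS],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the query with string formatting: form input is parsed as SQL."""
    sql = (
        "SELECT username FROM admin_users "
        "WHERE username = '%s' AND pw_hash = '%s'"
        % (username, hash_password(password))
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username: str, password: str):
    """Binds the values as parameters: form input can never change the query."""
    row = conn.execute(
        "SELECT username FROM admin_users WHERE username = ? AND pw_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] if row else None


# Two classic login-form payloads typed into the username field: a SQL comment
# that drops the password check, and a tautology that matches every row.
PAYLOADS = ["admin' --", "' OR 1=1 --"]


def compare(conn=None) -> dict:
    """Run each payload through both versions with a wrong password.

    Returns {payload: (result_of_vulnerable_login, result_of_hardened_login)}.
    """
    conn = conn or make_db()
    return {
        p: (login_vulnerable(conn, p, "wrong-password"),
            login_hardened(conn, p, "wrong-password"))
        for p in PAYLOADS
    }


if __name__ == "__main__":
    for payload, (vuln, safe) in compare().items():
        print(f"{payload!r:16} vulnerable -> {vuln!r:10} hardened -> {safe!r}")
```

Both payloads log the attacker in as `admin` through the string-built query and are rejected by the parameterized one, while a genuine `admin` login still succeeds in both. The fix is not escaping or filtering the form fields but keeping data out of the query text, which is what every mainstream Magento and WordPress database layer already provides when used as intended.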