ASOS is targeted by hackers every hour, which poses a “very real threat” to the site’s security, the company's security officer Michelle Tolbay said yesterday.

Although the probes are generally quite unsophisticated, Tolbay says this is still a "major concern" for the clothing e-tailer.

Speaking at a NetBenefit event on compliance with the Payment Card Industry code, she said that more serious attacks are made once a week on average by hackers trying to steal credit card information.

“Our test sites are targeted constantly as they have lower levels of security. I think people make a basic attempt to hack the site, and if they happen to find any holes then they will push further.”

As of last March ASOS had 5.3m registered users and 3m active customers from 160 countries, so it is a prime target for hackers trying to steal credit card details.

The site also gets hit by denial of service attacks – Tolbay said they had identified groups of people who try to check out baskets of up to 10,000 items 20-30 times within a 30 minute period to try to overwhelm the site.
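The pattern Tolbay describes is detectable from ordinary checkout logs: a client that repeatedly submits oversized baskets in a short window stands out from real shoppers. The following is an added example, not code from the article or from ASOS, that runs a sliding-window check over a constructed log. The log format, the client identifiers and the default thresholds (10,000 items, 20 attempts, 30 minutes, taken from the figures quoted above) are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample checkout log (not real data).

    Each line: ISO timestamp, client identifier, number of items in the basket.
    """
    lines = []
    base = datetime(2012, 2, 28, 10, 0, 0)
    # client-A: 25 attempts to check out a 10,000-item basket, one per minute
    for i in range(25):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} client-A 10000")
    # client-B: 25 oversized attempts spread 12 minutes apart (never 20 in one window)
    for i in range(25):
        lines.append(f"{(base + timedelta(minutes=12 * i)).isoformat()} client-B 10000")
    # client-C: an ordinary shopper with a few small baskets
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=5 * i)).isoformat()} client-C 3")
    return "\n".join(lines)


def parse_checkout_log(text):
    """Parse the assumed log format into (timestamp, client, items), sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, items = line.split()
        events.append((datetime.fromisoformat(ts), client, int(items)))
    events.sort(key=lambda e: e[0])
    return events


def find_basket_floods(events, min_items=10000, min_attempts=20,
                       window=timedelta(minutes=30)):
    """Flag clients that submit >= min_attempts oversized baskets inside any window.

    Returns {client: peak number of oversized attempts seen in one window}.
    Small baskets are ignored so normal shoppers never contribute to the count.
    """
    recent = defaultdict(deque)  # per-client timestamps of oversized attempts
    flagged = {}
    for ts, client, items in events:
        if items < min_items:
            continue
        q = recent[client]
        q.append(ts)
        # Drop attempts that have aged out of the sliding window
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= min_attempts:
            flagged[client] = max(flagged.get(client, 0), len(q))
    return flagged


if __name__ == "__main__":
    events = parse_checkout_log(build_sample_log())
    for client, peak in find_basket_floods(events).items():
        print(f"{client}: {peak} oversized checkout attempts within 30 minutes")
```

With the defaults only client-A is reported; client-B submits the same number of oversized baskets but spread out, so it never crosses the per-window threshold, and client-C's small baskets are ignored entirely. Lowering `min_attempts` trades fewer missed floods for more false positives, which is the usual tuning decision before wiring such a check into a rate limiter or WAF rule.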

One attempted hack was even traced back to a potential competitor in China.

To plug any potential holes ASOS runs frequent security assessments and organises ‘hackathons’ to test the site for weaknesses prior to any upgrades.

One of these sessions, performed on the mobile site prior to launch, uncovered 12 problems that needed to be fixed.

The main focus of Tolbay’s talk was PCI compliance and how e-tailers can make sure they are up to standard.

The PCI Data Security Standard is a set of industry regulations governing the protection of confidential data – the penalties for breaches can include a hefty fine or removal of payment services.

Tolbay said that as e-commerce is a fast paced industry, compliance needs to be looked at on an ongoing basis rather than in the few weeks before an audit.

“Changes and updates have to be made continuously in the background. You can’t simply shut the site down for maintenance and do a whole load of changes - since you’ll lose all your customers.”

The key to making sure your business is PCI compliant is to find a good qualified security assessor (QSA) that has experience in your industry and can give advice on how to get up to standard, while also ensuring that any third-party hosting companies are compliant too.

Another important element is to make sure that your company's staff training and processes are up to scratch, as no amount of technology can make up for the fact that your staff are poorly trained.

Tolbay said that as part of its commitment to security all notepads in the ASOS call centre had been removed and replaced with white boards so if anyone wrote any confidential customer details down there was no chance of it leaving the premises.

You can read more about PCI compliance and data protection in our Internationalisation of E-commerce Best Practice Guide.


Published 1 March, 2012 by David Moth

David Moth is Editor and Head of Social at Econsultancy. You can follow him on Twitter or connect via LinkedIn
