E-commerce controls should be on your radar

E-commerce controls are relevant to an overwhelming number of organizations, including smaller ones, and perhaps especially smaller ones without a brick-and-mortar presence.

E-commerce, or electronic commerce, is the buying and selling of goods and services over the Internet. Transactions take many forms: ubiquitous online shopping (where customers buy goods and services on a website), electronic payments (PayPal and Apple Pay, for example), mobile commerce or m-commerce (using mobile devices, including shopping apps and location-based services), business-to-business (for example, Amazon Business), consumer-to-consumer (for example, eBay and Facebook Marketplace, although businesses use them too), and electronic data interchange (where businesses, for example retailers and their vendors, exchange documents in a standard electronic format).

Omnichannel solutions are virtually a necessity to remain competitive: customers prefer to access goods, services and other interactions through multiple channels, including physical locations, social media, and other Internet media. A point-of-sale system is no longer merely a cash register; through solutions like Square, Shopify, and Lightspeed, it can include omnichannel capabilities as well as analytics, inventory and customer loyalty management, and other operational functionality.

The advantages to consumers and businesses are obvious. The risks, including cybersecurity, must be managed. Consider the following measures to manage cybersecurity, payment processing, data privacy, and operational risks:

  1. Implement general security measures, including up-to-date antivirus, firewalls, intrusion detection systems, multi-factor authentication, and strong passwords.
  2. Ensure robust backup procedures, which could include cloud hosting to improve reliability and scalability.
  3. Leverage technologies to avoid payment gateway vulnerabilities, including PCI Data Security Standards (PCI DSS)-compliant gateways and tokenization. Use or enable 3D Secure authentication where available.
  4. Enforce access controls to restrict physical and logical access to payment systems and networks.
  5. Use encryption to protect payment data in transit and at rest.
  6. Observe robust privacy policies in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), General Data Protection Regulation (GDPR), and other legislation. For example, do not retain authorization and other payment data any longer than necessary.
  7. Train employees on cybersecurity and payment systems risks and best practices.
  8. Monitor and audit systems to identify threats and update systems and processes accordingly.
  9. Solidify disaster recovery and security breach plans and procedures before you need them.
  10. Retain experts if necessary to ensure effective systems.

Meeting your duty of care

Perform a risk assessment of existing e-commerce systems. Implement robust controls and leverage technology to manage risks. Continually monitor and update systems because technology and threats are constantly evolving. Review recent and upcoming updates to the Information and Technology database in PolicyPro, including SPP IT 10.09 – Electronic Commerce, which addresses relevant controls.

Policies and procedures are essential, but the work required to create and maintain them can seem daunting. The Finance and Accounting, Operations and Marketing, Not-for-Profit, and Information Technology databases in PolicyPro, co-marketed by First Reference and Chartered Professional Accountants Canada (CPA Canada), contain sample policies, procedures, checklists and other tools, plus authoritative commentary to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request free 30-day trials of the Finance and Accounting, Not-for-Profit, Operations and Marketing, and Information Technology databases in PolicyPro here.
