E-commerce controls are relevant to an overwhelming number of organizations—even smaller ones— perhaps especially smaller ones, without a brick-and-mortar presence.

E-commerce, or electronic commerce, is the buying and selling of goods and services over the Internet. Transactions take many forms, from ubiquitous online shopping (where customers buy goods and services on a website), electronic payments (PayPal and Apple Pay, for example), mobile commerce or m-commerce (using mobile devices, including shopping apps and location-based services), business-to-business (for example, Amazon Business), consumer-to-consumer (for example, eBay and Facebook Marketplace—although businesses use them too), to electronic data interchanges (where businesses, for example, retailers and their vendors, exchange documents in a standard electronic format.

Omnichannel solutions are virtually a necessity; to remain competitive, customers prefer access to goods and services and other interactions through multiple channels, including physical locations, social media, and other Internet media. A point-of-sale system is no longer merely a cash register; through solutions like Square, Shopify, and Lightspeed, it can include omnichannel capabilities as well as analytics, inventory and customer loyalty management and other operational functionalities.

The advantages to consumers and businesses are obvious. The risks, including cybersecurity, must be managed. Consider the following measures to manage cybersecurity, payment processing, data privacy, and operational risks:

1. Implement general security measures, including up-to-date antivirus, firewalls, intrusion detection systems, multi-factor authentication, and strong passwords.
2. Ensure robust backup procedures, which could include cloud hosting to improve reliability and scalability.
3. Leverage technologies to avoid payment gateway vulnerabilities, including PCI Data Security Standards (PCI DSS)-compliant gateways and tokenization. Use or enable 3D Secure authentication where available.
4. Enforce access controls to restrict physical and logical access to payment systems and networks.
5. Use encryption to protect payment data in transit and at rest.
6. Observe robust privacy policies in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), General Data Protection Regulation (GDPR), and other legislation. For example, do not retain authorization and other payment data any longer than necessary.
7. Train employees on cybersecurity and payment systems risks and best practices.
8. Monitor and audit systems to identify threats and update systems and processes accordingly.
9. Solidify disaster recovery and security breach plans and procedures before you need them.
10. Retain experts if necessary to ensure effective systems.

Meeting your duty of care

Perform a risk assessment of existing e-commerce systems. Implement robust controls and leverage technology to manage risks. Continually monitor and update systems because technology and threats are constantly evolving. Review recent and upcoming updates to the Information and Technology database in PolicyPro, including SPP IT 10.09 – Electronic Commerce, which addresses relevant controls.

Policies and procedures are essential, but the work required to create and maintain them can seem daunting. The Finance and Accounting, Operations and Marketing, Not-for-Profit, and Information Technology databases in PolicyPro, co-marketed by First Reference and Chartered Professional Accountants Canada (CPA Canada), contain sample policies, procedures, checklists and other tools, plus authoritative commentary to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request free 30-day trials of Finance and Accounting, Not-for-Profit, Operations and Marketing, and Information Technology databases in PolicyPro here.