Click with Confidence: Cybersecurity Tips for Secure Online Shopping

Do you prefer to do your shopping online? I definitely prefer to do my holiday season shopping without having to go into a shop. It’s convenient, quick, and doesn’t involve standing in line. But this option also poses a security risk: fraud. It’s important for me to know that my personal and payment info is secure. With Black Friday and Cyber Monday coming up, I chatted about cybersecurity for the holiday season (and always!) with some of the very smart co-workers.

(November 2020 update: COVID-19 has us shopping and transacting online more than ever. Increased traffic means more opportunities for fraudsters, but awareness and some online housekeeping can keep your personal and financial info safe. This post is applicable year-round, but especially as we do our festive season shopping!)

In my day job, I support a CIO and one of her and many of her staff’s focuses and passions is cybersecurity for our client base. With all the hacking, phishing and information breach scandals popping up almost daily in the news the past couple of years, it’s become more important than ever to keep our personal information secure. 

Companies want to keep your trust, so they are constantly amping up cybersecurity measures so you feel safe using their card, site, service or shop.

[perfectpullquote align=”full” bordertop=”false” cite=”” link=”” color=”” class=”” size=””]Did You Know? Since launching in 2013, over 5 trillion online accounts have been compromised in 325 data breaches.¹[/perfectpullquote]

But it’s also up to you to keep your information secure. So when you’re doing your best #GetThrifty clicking and crossing  off the items on your holiday shopping list, here are the key things to remember for some cybersecurity peace of mind:

1. Use a device you trust

This seems like an obvious one, but only use a computer, tablet, or smartphone that you trust. A very important part of this is using that trusted device on a Wi-Fi network you trust. If any of the devices you use are your personal property, make sure only you have the login for your device or user profile on a shared device.

2. Keep your browser up to date

This is important because the newest version of your browser will have the most up to date security features for your internet browsing and online shopping experience. To check that your browser is up to date, you will need to visit your settings.

If you’re a Chrome user like me², the Settings button is in the upper right corner, usually as an ellipses (…), but it will be an arrow if the browser needs to be updated. Once the update is done, Chrome ask to relaunch and off you go.

If you’re using Safari or Chrome on your iPhone, you might have auto-updates happening in the background, or can select to update manually.

3. Know what you’re clicking*

You may have heard of something called phishing, which is a common online scam designed to trick you into revealing sensitive personal information (e.g. passwords, credit card numbers, your SIN) that is then used for fraud or identity theft. Phishing typically takes the form of an email message that appears to come from a trusted organization (e.g. your bank, your school, a shop you enjoy), but is actually from the identity thieves. It is intentionally difficult to tell the difference between a legitimate message and a phishing message.³

[perfectpullquote align=”full” bordertop=”false” cite=”” link=”” color=”” class=”” size=””]Cyber Tip:  Hover your mouse over the email address it was sent from, or over the linked text. If it looks phishy, don’t click it. You also shouldn’t have to click to use a promo code. Don’t be click bait![/perfectpullquote]

For some more tips on how to spot a phishing scam, check out these resources on the University of Victoria website.

*Any links that I post on West Coast City Girl are ones that I have personally checked. I am also a member of a few affiliate programs, so when you click (for example) a product link from my site, the URL might say ‘awin’ or something not ‘Etsy’ before it goes to the Etsy site I link you to. But this should not compromise your user experience or information in any way.⁴

4. Make sure sites are secure and encrypted

You might wonder what the little lock next to your URL bar means. In the case of Chrome, it means your connection is secure, the website is verified (certificate valid), and what you send and receive from the website is encrypted (which makes it very hard for anyone else to get to). If you click on the lock you will get more info on the site and can deep dive as much as you need/want to.

The symbols Chrome uses to show URL security are:

Secure sites will also start with ‘https://’, ‘not http://’. For more information on web security within Chrome, click here.

5. Be aware of where you enter your payment info

This is a long one. Stay with me. It’s important.

PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) was created and is enforced by the major credit card institutions to protect their customers’ information. The standard applies to companies of any size that accept credit card payments. If a company intends to accept card payment, and store, process and transmit cardholder data, they need to securely host customer data with a PCI compliant hosting provider.⁵

What this means to you as a customer:

In a physical shop or anywhere that accepts payment with a machine, that machine is the PCI compliance. Moneris or Ingenico are the most common brand names you will most likely see on those machines.

In terms of e-commerce, if a site is accepting your credit card info directly, they have likely jumped through all the PCI hoops in order to be able to do this and/or are powered by Moneris, Ingenico, or another approved third party payment provider. (You may also need to log in to Verified by Visa or Mastercard SecureCode. If a site gives you the option (or the only option is) to pay via an approved third party site like PayPal or GPay, they still need to be PCI compliant, but they are not accepting payment directly from you. They have a contract with the trusted third party.

[perfectpullquote align=”full” bordertop=”false” cite=”” link=”” color=”” class=”” size=””]Did You know? A company is NOT ALLOWED to directly store your payment info for recurring billing unless they have the appropriate level of  PCI certification.[/perfectpullquote]

Many sites use Shopify as their e-commerce platform, and I like this particular option because Shopify text you a code that you have to input before it will let you carry forward with your transaction. This is considered multi-factor authentication.

Some have them all, but regardless, you want to see any or all of the below on a site (usually at the bottom of the page). Some will also say “Powered by:” whoever their secure third party payment provider is as the bottom of the page.

In summary:

Sites must use an authorized third party payment provider. And while it’s a bit of a pain to do the extra steps, it’s worth it for the peace of mind of a secure transaction. Basically, if the site is secure and you had to take a bit longer than you would have liked for your transaction, you can feel good about the security of your information.

6. Don’t share your passwords

Another obvious one, but for real, don’t. It’s also not a great idea to be saving your passwords in a spreadsheet or on a browser. (I am guilty of the latter, but solely because I trust Chrome! But I really should be using Keepass. See #7.)

7. Log out and close your browser

Yes, this is annoying. But it’s worth the annoyance for keeping your information safe.

A good and secure way to store passwords is via a free password management program called Keepass; which OSI certified.⁶

Also important!

A good antivirus, network threat protection, firewall, and real-time threat protection software can help ensure that your trusted computer isn’t harbouring malicious software. Don’t let your payment information or account details get stolen from your own device!

Click with confidence and feel secure this holiday season!

“Technology trust is a good thing, but control is a better one.”

Stéphane Nappo

1. https://haveibeenpwned.com/
2. This is not a sponsored post. I just happen to use Chrome.
3. Info from UVic.ca
4. My disclosure and privacy policy can be viewed here.
5. For more info, visit https://www.pcisecuritystandards.org
6. More info on Open Source software certification can be found at https://opensource.org/.