Shopping cart security: How small online businesses can build customer confidence

Large-scale data security breaches are becoming increasingly common. No matter how technically sophisticated we become, it seems hackers are always hot on our tails.

Indeed, just recently eBay suffered a massive cyber attack affecting its 145 million users. And of course it is only natural that as data breaches grow, so too will consumer concerns over how their personal and payment information is stored and managed online.

It’s not just large corporations like eBay that experience security breaches; an increasing number of SMEs are also vulnerable.

“The total number of data breaches increased 62 percent during the last 12 months, amounting to more than 627 million sensitive records exposed…We all know that large corporations continue to be the targets of these attacks, but what we have seen in the last 12 months is that small and medium-sized businesses are experiencing the largest number of breaches.” Internet Security Threat Snapshot Summary — 2014: Data Breaches Grow Significantly

So in addition to implementing adequate security measures, what can you, as a small online business owner, do to build consumer confidence and reassure customers about the security of your online store?

30% of consumers are increasingly concerned about the loss of personal data

New research by Software Advice* into the impact data breaches have on consumer confidence found that nearly one-third of consumers are increasingly concerned about their personal information being stolen. The study found that:

  • 30% of consumers are increasingly concerned about data loss
  • 35% of consumers would stop shopping at a company where their personal data had been stolen
  • 53% of consumers would be somewhat more or much more likely to shop at a store where they were confident their personal data was secure.

In summary, the Software Advice research highlights that consumers are increasingly concerned about data security, would avoid shopping in stores from which their personal data was stolen and would look to shop somewhere where they felt confident their personal data was secure.

How to build customer confidence online

In all likelihood the majority of us are unfamiliar with, and uninterested in, the highly technical aspects of data security. Although implementing solid security measures is absolutely essential, in isolation it is not enough. You also need to work on building brand trust so that your customers feel secure and confident handing over personal and payment information when they shop at your store. Below are some best-practice tips for a safe and secure online presence that will help foster trust amongst your customers.

1. Secure, PCI compliant e-commerce

The first thing to make sure of is that the e-commerce software solution you choose offers secure data storage and is PCI DSS compliant (this is the payment card industry’s data security standard). Your shopping cart solution should be protected by a PCI approved scanning vendor such as McAfee, VeriSign or PayPal, and it should protect you against credit and debit card fraud and other threats such as identity theft and spyware. So it is really important that you spend time doing your research to make sure the e-commerce software you choose helps protect you and your customers against data security breaches.

2. Follow appropriate data-protection legislation

When you are storing and managing a customer database, make sure you are familiar with, and keep to, the relevant data-protection legislation. In the UK this would be the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations. Following best practice and the appropriate legislation will reduce the risk to the data you are managing and build customer confidence.

3. Build trust signposts

There are other ways to help build trust amongst your customers. Research indicates that simply announcing all your great security credentials is not enough. You also need to implement ‘trust signposts’ to help build customers’ confidence in the safety of your online store. Large and established brands like John Lewis have built up such a sense of brand trust over the years that customers are rarely concerned about parting with their money or personal information. Small businesses and start-ups don’t have this luxury, so you have to work harder to build trust.

Website. Ensure your website is professional looking, up to date and easy to navigate. Customers won’t feel comfortable parting with payment or personal details on a site that is confusing to navigate, has errors or is full of out-of-date content.

Customer service. Good customer service can only reflect positively on your brand image. Customers will be reassured with helpful, flexible and polite customer service. Make sure that all your contact and company details are clearly visible and easy for a customer to find.

Trustmarks. Trustmark security logos can help reassure customers that the website they are on has the appropriate security protection. So whoever your security vendor is, make sure you display their trustmark somewhere visible.

Customer testimonials. Client and customer testimonials, independent reviews, membership of industry organisations and links to relevant associations can all add kudos and help reassure customers that your site is trustworthy.

4. Communicate to your customers

It won’t do any harm to remind your customers how they can protect themselves against online fraud, such as by regularly checking their credit and bank account statements and properly managing their passwords. It helps show that you take the security of their personal information seriously. For example, remind them that good password practice includes:

  • Not reusing their email password on every site they register with.
  • Mixing up letters, cases, numbers and special characters when creating a password.

So in an era of increased data breaches and sophisticated cyber-attacks, don’t assume that as a small online business or start-up you won’t be affected. Don’t underestimate the importance of secure e-commerce, and follow good practice to ensure you are keeping your own and your customers’ personal and payment information as safe as possible.


*New research on how data breaches can hurt retailers courtesy of Software Advice:

Software Advice helps buyers choose the right software. As a trusted resource, our website offers detailed reviews, comparisons and research to assist organizations in finding products that best fit their current and future needs. We have a team of software experts who conduct free telephone consultations with each buyer to shortlist systems best suited to their company’s specific requirements. Having a real conversation with our buyers allows us to fully understand their needs so we can match them with the right software vendors—eliminating weeks from the research process. Our software experts have advised more than 160,000 software buyers to date across various and niche software markets. Headquartered in Austin, Texas, Software Advice employs a team of 100, as well as an engineering team in Cordoba, Argentina.



Data Protection: a guide for small businesses and start-ups


For small online businesses and start-ups, collecting data for marketing and sales communications is essential, and therefore good-quality data is highly valuable. However, there are specific rules and regulations in place that govern how you collect, keep and use data. It is important you familiarise yourself with these, since the last thing you want is to upset customers or face hefty fines.

This post provides a basic overview, but I have added a list of useful links at the bottom that will enable you to examine the regulations in more depth and look up specifics relevant to your business.

In the UK there are two key pieces of legislation you should be aware of concerning data collection, processing and dissemination.

1. Data Protection Act 1998

2. Privacy and Electronic Communications Regulations

These basically concern how you:

  • Obtain ‘personal data’ from your data subject (e.g. customer, visitor to your website, prospect). Your data subject should understand why they are handing over their data and how it will be used.
  • Process and store personal data (modify, keep secure and delete data).
  • Use personal data.


1. Data Protection Act 1998

“Data Protection Legislation is enacted to protect the individual, to protect their privacy and prevent the misuse of their personal data” (Chaffey et al, 2009 p.141).

The Data Protection Act 1998 (DPA) affects how you can collect and use data. In the UK, any company that holds personal data on file needs to register with the data protection registrar. Some small businesses are exempt from registering; you can find out whether you are exempt by taking the ICO’s (Information Commissioner’s Office) online self-assessment questionnaire.

The Information Commissioner has an excellent overview and checklist specifically for small businesses: Data Protection Checklists for Small Businesses and SMEs.

There are eight key principles in the 1998 Data Protection Act, which can be summarised as follows.

  1. Personal data shall be processed fairly and lawfully. Essentially this is a code of practice that the Information Commissioner suggests to ensure fair and legal data processing. A quick summary of the code includes the following: companies should have a named ‘data controller’ who has overall responsibility for data protection. If you are a small business or sole trader, this is likely to be you. Any communications should clearly detail how a ‘data subject’ (e.g. a customer) can get in contact with the data controller or their representative. The ‘data subject’ must have given consent prior to any data processing. Sensitive personal data (e.g. ethnic origin, religious or political beliefs) should be treated with particular care.
  2. Personal data shall be obtained only for one or more specified and lawful purposes. You must make it clear at the point of collection how you intend to process and use the information, for example whether you are using it for further communications and whether the data will be passed on to any third parties.
  3. Personal data shall be adequate, relevant and not excessive. This is really a balance between what information you need as a company to better understand your customers and not taking advantage of your data subjects’ rights.
  4. Personal data shall be accurate and, where necessary, kept up to date. It is essential that you keep your data accurate (think about how the data is entered; many mistakes come from inaccurate keying in) and up to date. So if a data subject contacts you with any changes to their personal details, those changes should be implemented quickly.
  5. Personal data shall not be kept longer than necessary. If your relationship with the data subject ends, then you must delete their data. This is a slightly woolly area, so I would suggest you use your common sense. For example, if you have held the data for years but feel there is a possibility that the data subject will buy from you, then the information is still useful. However, if the data subject has had no contact for 10 years, then perhaps you need to think about deleting it. Don’t forget that a clean, up-to-date database is likely to perform better anyway.
  6. Personal data shall be processed in accordance with the data subject’s rights. This concerns protecting the rights of the data subject with regard to how their data is processed. For example, an individual can request to view the personal data an organisation holds about them (which must be supplied within a 40-day period), and data processing should not cause distress (for example, sending mailshots to someone who has passed away, or making unsolicited phone calls or sending unsolicited emails).
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage. This is about ensuring that the data you hold is protected by the security measures necessary to prevent any unauthorised access to it.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country ensures an adequate level of protection. Essentially this means that you cannot transfer data to countries outside Europe if they do not have appropriate data-processing laws in place, such as anti-spam legislation and regulations surrounding privacy and electronic communications.


2. Privacy and Electronic Communications Regulations

In 2002, to further support the 1998 Data Protection Act, specific regulations were introduced to protect consumers by controlling the distribution of electronic communications (e.g. email and SMS). There are regulations specific to the type of communications you are looking at, so it is important to read the Regulations in full. However, some key points of importance include:

  • Having an opt-out / unsubscribe option in all communications. Customers should be able to unsubscribe from future communications quickly and easily. You should always include a clear unsubscribe option in all your communications and follow it up by suppressing any such opt-outs on your database.
  • Contact details must be provided. By law, you must provide contact details through which a recipient can get in touch, such as a valid address or phone number.
  • The sender must be clearly identifiable. Essentially, you should in no way attempt to conceal or disguise your identity.
  • For unsolicited electronic communications the recipient must have given prior consent. Often you see this implemented at the sign-up stage with a simple tick box where the recipient can choose to opt in (he/she proactively consents to receive further information) or opt out (he/she declines the offer to receive further information). For example:

Would you like to receive further communications by email? Yes 〈 〉 No 〈 〉

As we mentioned earlier, it is worth reading the regulations as there are slightly different rules for individual subscribers, company subscribers and existing customers, so check what is applicable to your business. For example, for existing customers you can use what is known as a ‘soft opt-in’, which differs from the formal ‘opt-in’. This is where you can send emails or SMS messages if you have:

  1. obtained their contact details from a sale (or sales negotiation) of a product or service;
  2. only marketed to them about similar products or services; and
  3. given them the option to opt out of the marketing when you first collected their details, and given them the opportunity to opt out (unsubscribe) in subsequent communications.

Also, this guide focuses on regulations within the UK, so if you are outside the UK then you need to look at the regulations for your own country; for example, in the US there is the CAN-SPAM Act 2003. A useful summary of spam and privacy regulations for individual countries can be found at .

Finally, it is also worth briefly mentioning the CAP UK Advertising Codes. These codes stipulate a number of best-practice rules concerning advertising, sales promotion and direct marketing, such as being responsible, non-offensive and not misleading. They also have more specific rules pertaining to particular industries and to advertising to children. Again, they are worth taking a look at.

Hopefully this gives you a brief overview of the key data-protection and privacy regulations in the UK. Outlined below are some useful links that will provide you with further, more in-depth reading.

Useful references

  • Getting it right. A brief guide to data protection for small businesses
  • Information Commissioner – Data Protection Principles
  • ICO Marketing Guidance for Privacy and Electronic Communications
  • Direct marketing, Data Protection Act and Privacy and Electronic Communications Regulations
  • Guide to Privacy and Electronic Communications
  • The Data Protection Act
  • Committees of Advertising Practice (CAP), UK Advertising Codes
  • Email Marketing – When to use opt-in and when to use opt-out
  • Spam Laws Guide to different countries’ regulations
