Legally protecting yourself as an "ecommerce developer."
Monday, August 27, 2007 12:00:00 AM
The web, like any big community, has more than its fair share of unscrupulous characters and legal pitfalls. Any good developer will do everything in their power to protect their client, but in the process don't forget to protect yourself. A term to keep in mind from a legal standpoint is "due diligence": you have to do as much as you reasonably can to be sure your client's data is safe, and you have to be able to show afterwards that you did. Here are a few things to consider, both for security and to protect yourself.
1. Secure your database.
If you are using MS Access, be sure the database file is stored outside the web root, or in a folder that has web access restricted. If the file has to live under the web root, double-check that the directory is not browseable by entering the address of your Access file in a browser. If the browser begins to download the file, you are in big trouble: anyone on the internet can take a copy of your entire database. Contact your host immediately to get the permissions properly configured, and move the file outside the root as soon as you can.
If you are using MS SQL Server or MySQL, be sure the usual hardening measures are in place: the web application connects with its own low-privilege account rather than sa or root, the database listens only to the web server and not to the internet, and default accounts and sample databases are removed. If you are not 100% confident that you know how to secure a SQL database, hire someone to help lock it down for you. It is money well spent.
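The "type the address of your Access file into a browser" check above can be done more carefully in code. The script below is an added example, not code from the original article: it checks whether a database path normalises to somewhere under the web root (so `..` tricks do not fool the comparison), and it recognises a downloaded body as an Access file by the `Standard Jet DB` / `Standard ACE DB` marker that .mdb and .accdb files carry at byte offset 4. Paths are assumed to be POSIX style, the web root and URL are hypothetical, and the sample file header is constructed rather than taken from a real database.

```python
"""Added example: check whether an MS Access database file is exposed to the web.

Not code from the original article.  It implements the two checks item 1
describes: (a) is the .mdb/.accdb stored under the web root at all, and
(b) does a response fetched from the site look like an Access file?
Paths are assumed POSIX style; the web root and URL below are hypothetical.
"""
import posixpath
import urllib.error
import urllib.request

# Jet (.mdb) and ACE (.accdb) files carry this ASCII marker at byte offset 4.
ACCESS_SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")

# Constructed stand-in for the first bytes of a real .mdb file (not a real DB).
SAMPLE_MDB_HEAD = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 44


def is_under_web_root(db_path, web_root):
    """True if db_path normalises to a location inside web_root.

    normpath collapses '..' and duplicate slashes, so
    '/htdocs/../htdocs/shop.mdb' is still recognised as inside /htdocs.
    """
    db = posixpath.normpath(db_path)
    root = posixpath.normpath(web_root)
    return db == root or db.startswith(root + "/")


def looks_like_access_db(head):
    """True if the first bytes of a fetched body carry an Access signature."""
    return len(head) >= 19 and head[4:19] in ACCESS_SIGNATURES


def classify_response(status, content_type, head):
    """Classify what the web server returned for the database file's URL.

    'exposed'     - the body is an Access database: anyone can download it.
    'suspicious'  - a binary came back without the signature up front;
                    inspect it by hand.
    'blocked'     - the server refused or does not know the path (good).
    'not exposed' - a 200 came back but it is not a database (often a custom
                    404 page that still answers 200; confirm by hand).
    """
    if status in (401, 403, 404):
        return "blocked"
    if status not in (200, 206):
        return "unknown"
    if looks_like_access_db(head):
        return "exposed"
    ct = content_type.lower()
    if ct.startswith(("application/x-msaccess", "application/msaccess",
                      "application/octet-stream")):
        return "suspicious"
    return "not exposed"


def probe_url(url, timeout=10.0):
    """Fetch only the first 4 KB at url and classify it.

    This makes a network request: run it only against sites you are
    authorised to test.
    """
    req = urllib.request.Request(url, headers={"Range": "bytes=0-4095"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            head = resp.read(4096)
            return classify_response(resp.status,
                                     resp.headers.get("Content-Type", ""), head)
    except urllib.error.HTTPError as err:
        return classify_response(err.code, "", b"")


if __name__ == "__main__":
    # Hypothetical layout: the database sits in a data directory next to,
    # not under, the document root.
    print(is_under_web_root("/var/www/shop/data/shop.mdb", "/var/www/shop/htdocs"))
    print(classify_response(200, "application/x-msaccess", SAMPLE_MDB_HEAD))
```

Run `probe_url("https://example.invalid/data/shop.mdb")` (a hypothetical URL) against your own site only; anything other than `blocked` means the file is reachable in some form and the host's permissions need fixing. The `Range` header keeps the probe from pulling the whole database down just to look at its header.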
2. Secure the site with a reputable, well-known SSL provider.
Fortunately there are some recognizable names out there that are still pretty inexpensive, such as RapidSSL or Network Solutions, among others. Do a Google search for "SSL Certificates" and you'll find plenty of options. Keep in mind that the certificate only protects data in transit between the browser and your server; it does nothing for data once it is stored, which is what the rest of this list is about.
3. Use custom error pages.
Some error pages generated by the server may display your data source name, database table and field names, and other sensitive information for the whole world to see. That is NOT what you want on a live ecommerce site, that's for sure! Use custom error pages that show a user-friendly message and write the technical details to a server-side log instead, so you can still look them up when a customer reports a problem.
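What that looks like in practice, as an added example rather than code from the original article: a minimal WSGI application in which any unhandled exception becomes a generic 500 page carrying only an incident id, while the full exception text (for a database error this typically names the DSN, table and column) goes to the server log under that id. The `/checkout` route, the `SHOP_DEBUG` switch and the ODBC-style error text are hypothetical stand-ins.

```python
"""Added example: a custom error page that keeps database details server-side.

Not code from the original article.  A minimal WSGI application in which
any unhandled exception (here a constructed stand-in for an ODBC error that
names the DSN, table and column) becomes a generic 500 page carrying only an
incident id; the full exception text goes to the server log under that id.
The /checkout route, SHOP_DEBUG switch and error text are hypothetical.
"""
import logging
import uuid
from html import escape

log = logging.getLogger("shop")

GENERIC_PAGE = (
    "<html><body><h1>Sorry, something went wrong</h1>"
    "<p>Please try again in a few minutes. If the problem persists, contact "
    "support and quote incident {incident}.</p></body></html>"
)


def build_error_response(exc, debug=False):
    """Return (status_line, html_body, incident_id) for an unhandled exception.

    With debug=False (production) the body never contains str(exc).  With
    debug=True (a developer's box only) the escaped exception text is shown.
    """
    incident = uuid.uuid4().hex[:12]
    log.error("incident %s: %r", incident, exc)  # details stay on the server
    if debug:
        body = "<pre>%s</pre>" % escape(str(exc))
    else:
        body = GENERIC_PAGE.format(incident=incident)
    return "500 Internal Server Error", body, incident


def application(environ, start_response):
    """WSGI app: every route is wrapped so no raw error page reaches a client."""
    try:
        path = environ.get("PATH_INFO", "/")
        if path == "/checkout":
            # Constructed stand-in for the kind of message a database driver
            # produces; a default server error page would print this verbatim.
            raise RuntimeError(
                "ODBC error: DSN=shopdb; SELECT CardNumber FROM Customers failed")
        status, body = "200 OK", "<html><body>Welcome to the shop</body></html>"
    except Exception as exc:  # last line of defence, so catch everything
        status, body, _ = build_error_response(
            exc, debug=environ.get("SHOP_DEBUG") == "1")
    start_response(status, [("Content-Type", "text/html; charset=utf-8")])
    return [body.encode("utf-8")]


def call(path, debug=False):
    """Invoke the app in-process and return (status, body) as strings."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"PATH_INFO": path, "SHOP_DEBUG": "1" if debug else "0"}
    body = b"".join(application(environ, start_response)).decode("utf-8")
    return captured["status"], body


if __name__ == "__main__":
    print(call("/checkout"))
```

The incident id is the piece that makes the generic page usable: the customer quotes it to support, and you grep the server log for it to find the real exception. Never ship with the debug switch on; the escaped exception text is only for your own machine.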
4. Don't store credit card data in your database!
This is a big one; pass this data off to your Payment processor and let them deal with it. They have the money to develop the security systems necessary to protect this data and teams of lawyers on retainer to defend them if they get sued. Let them take the risk. Credit card data in your database is a ticking time bomb. Even if you aren't hacked, an unscrupulous employee could still steal this data and get you in a real bind.
5. Do not underestimate the importance of number 4!
Some clients may try to persuade you to go ahead and store credit card data, giving you all sorts of reasons why it will be so much better for them and that everything will be “just fine.” It’s up to you of course, but for me this is a deal breaker. I’ll walk away from a project before giving in on this one.
6. Implement a "Hold Harmless" agreement.
A Hold Harmless agreement is very important, especially if the client insists on storing credit card data and you, for whatever inconceivable reason, agree to set this up. Go over verbally, and provide in writing, all the security precautions that you have put in place to protect your customers' data, and then get them to sign an agreement accepting your work and releasing you from any and all responsibility and liability from that point on. If your client has you do additional work on the site at a later date, have them sign a new, updated agreement when that work is finished. This may seem like a real pain, but consider the cost of the consequences if you don't take this measure.
Following the steps above will help you sleep better at night and makes you look more professional to your clients, which is definitely worth the effort! We'll discuss some of these topics in more depth in future articles.
