How do you handle and protect your customers' data in membership websites

15 replies
I was looking through membership WordPress plugins and, while I found a few good ones, one thing that concerns me is the customers' data. How do you ensure the customers' data is secure and safe?

While it's great to have a dashboard where you can access all the customer's information once you login to your membership website, I also find this feature concerning especially with more and more websites being hacked and subjected to data breaches.

Please share your thoughts.
  • Steve B
    The answer, IMO, is to choose a platform for your membership site that has very good security features built in. Depending upon what plug-in you choose for WordPress, you may or may not get adequate security. It is hit and miss depending upon the plug-in.

    When I was deciding about the membership platform I chose, I was careful to ask about and ensure that the security was "industrial strength" (for lack of a better description) for all aspects of the site.

    I chose Membergate.

    Steve

    Steve Browne, online business strategies, tips, guidance, and resources
    SteveBrowneDirect

    • yourreviewer
      Originally Posted by Steve B:

      The answer, IMO, is to choose a platform for your membership site that has very good security features built in. Depending upon what plug-in you choose for WordPress, you may or may not get adequate security. It is hit and miss depending upon the plug-in.

      When I was deciding about the membership platform I chose, I was careful to ask about and ensure that the security was "industrial strength" (for lack of a better description) for all aspects of the site.

      I chose Membergate.

      Steve
      Thanks Steve. When I was doing my research, a number of plugins highlighted the features and flexibility of the plugin, which is well and good, but there is very little information on security, and this worries me.

      To have to explain a data breach to the customers when it happens is a nightmare every business owner would like to avoid. While no business is safe from these attacks, I am trying to figure out the best way to overcome this problem.
      • Steve B
        I think you're doing the right thing.

        For us "lay" people who don't get involved in the actual workings of security software and code, we can only do our homework and try to make an intelligent decision based on the data given to us, in terms we understand.

        I wish I had the answers you're looking for. Maybe some Warrior who is also a web security expert can chime in and give his wisdom and experience on the matter.

        Good luck,

        Steve

        Steve Browne, online business strategies, tips, guidance, and resources
        SteveBrowneDirect

        • DaveDunn
          As a provider of a WordPress membership platform, here is how we approach it:

          We do our best to make sure the code we put out is of the highest level and test it for security flaws.

          However, WordPress is highly configurable, and the security aspect should be separate from the plugin and is the responsibility of the site owner.

          There are a host of world-class security plugins available for WordPress, and any of these would secure your site enough to keep your members' data safe, provided your server is correctly configured as well.

          One thing you can do for an extra layer of protection is install an SSL certificate and use HTTPS for your members to access your site. This will go some way to making sure the connection is secure, but the backend of your site will still benefit from one of the security plugins such as Wordfence or iThemes Security.

          This is what we've done for our customers at FastMember and gives a bit more peace of mind.

          Hope this helps
          Dave @ FastMember.com
          • OnlineStoreHelp
            Data breaches are becoming big deals, and there are ways we handle protecting customer Personally Identifiable Information (PII). First off, you offload card handling to a third party. This is normally PayPal, Clickbank, Stripe, etc. That is normally the number one thing, so card data is not breached. PayPal, Clickbank and Stripe are all PCI Level 1 compliant. While not perfect, it means they have gone through a rigorous compliance audit.

            Second, keep your WordPress site up to date and don't go crazy on plugins, especially ones you know very little about. Consider an SSL certificate, which will run you, with dedicated IP and SSL, about 6 - 12 bucks a month. This is why I don't use WordPress for e-commerce sites. Just too much risk IMO.

            Membership portals - Part of the reason I chose Digital Access Pass is that it is actually an application that sits on your server, separate from WordPress, and then has a plugin to allow it to interact with WP. It is why you can use DAP with non-WordPress sites as well. I also like that it assigns a password (though not a strong one) so people aren't reusing passwords. And because you use one of the big three (PayPal, Stripe, Clickbank), worst case, you lose an email address and name.

            Consider not using WordPress. I know we all love WordPress here, but consider Drupal as well. It is what large governments use, is highly scalable and can do just about anything any WordPress plugin can do with purely free modules such as Drupal Commerce.

            I can't speak as to the other membership plugins, but these were all my concerns as well, and it is how I handle it.
  • JohnZ
    First of all, consider using a premium security plugin for WordPress. Secondly, register on a file storing site and create a document for customer data. There are many other ways to do this. WordPress features hundreds of plugins and third party apps that will keep your files safe.
  • Johnny33
    Like others have mentioned, you should look into getting an SSL certificate. This provides security and will ensure that your visitors can trust the site. Check out someone who sells SSL certificates like ssl.com or namecheap to see what the best certificate option will be for you. Hope this helps.
  • roblawrence
    PCI compliance is a HUGE issue. That's why many membership site scripts now require you to use an "offsite" service such as Stripe, PayPal or Clickbank. I know other solutions like Membergate store the credit card information inside the software itself, and it's encrypted (that's how it is able to do the rebills), but of course there is more risk there on the part of the membership site owner. But you also have more control and would be using your own merchant account rather than relying on someone else's (like PayPal or Clickbank). Also, consider what would happen if you SOLD your membership site: your users and payments would be locked into a third party, which would make transferring your business over to someone else extremely difficult. That's one area where Membergate shines, but do understand you will need to be vigilant, get an SSL certificate and also restrict access to admin users only. These are security precautions any business owner should take anyway. At the end of the day, it all comes down to handling PCI compliance in-house or outsourcing it to a third-party vendor.
    • OnlineStoreHelp
      Originally Posted by roblawrence:

      PCI compliance is a HUGE issue. That's why many membership site scripts now require you to use an "offsite" service such as Stripe, Paypal or Clickbank. I know other solutions like Membergate store the credit card information inside the software itself and it's encrypted (that's how it is able to do the rebills), but of course, there is more risk there on the part of the membership site owner. But, you also have more control and would be using your own merchant account rather than rely on someone else's (like paypal or clickbank). Also, consider what would happen if you SOLD your membership site, your users and payments would be locked into a third-party, which would make transferring your business extremely difficult over to someone else. That's one area where Membergate shines, but do understand you will need to be vigilant and get an SSL certificate and also restrict access to admin users only. Security precautions any business owner should do anyway. At the end of the day, it all comes down to handling PCI compliance in-house, or outsourcing it to a third-party vendor.
      I find it interesting that a SaaS that charges you $197 a month and stores credit card numbers in the system requires you to go for PCI compliance. Every Software as a Service cart I have ever worked with is PCI-DSS Level 1 compliant. That is the main advantage of using a SaaS.
      • wslade
        I own a membership site, and the prior posts have lots of great ideas. I spent some time trying to decide on the membership plugin to meet my needs. I chose S2Member Pro and use Stripe for payments. There are many fine options out there.

        I agree with the importance of adding the best security plugin or plugins you can find; I use Wordfence. You will likely be surprised at the number of attacks your server and script receive every day. Most security plugins can notify you of attacks if you want.

        SSL certs are just too cheap to pass up. I see the whole net becoming fully HTTPS soon. Especially as more free or nearly free SSL/TLS options become available.

        I do not store credit card information, not even for an instant. My membership and payment integration does a nice job of keeping the appearance of the purchase occurring on my server. There are a number of payment vendors who can provide a similar experience using various technologies.

        This payment process is not only important to maintaining the trust of your purchaser; it will play a very large part in what you will need to do to meet PCI compliance. Not storing financial information (credit card data) on your server will make your PCI compliance easier.

        Even though I don't have financial data, I do have other member information. My malware and vulnerability scan not only protects the site from malicious software; the scans protect my database from abuse. This is very helpful in protecting personal information. Also, I store personal member data offline. I will look for more automated answers to this area as the amount of data grows.

        Good luck with your new site.
        AssuredSAFE Help for Busy eCommerce Sites
      • roblawrence
        Originally Posted by OnlineStoreHelp:

        I find it interesting that a SaaS that charges you $197 a month and stores credit card numbers in the system requires you to go for PCI compliance. Every Software as a Service cart I have ever worked with is PCI-DSS Level 1 compliant. That is the main advantage of using a SaaS.
        There are actually two versions of Membergate: a self-hosted version where you buy a software license, starting at about $4,000, or they will host it for you for a $197 monthly fee. You bring up a good point on PCI compliance, which I haven't seen addressed.

        The software itself is very secure, and I have not heard of any security breaches with it. For the SaaS version, PCI compliance would be a great feature to add. Perhaps they'll consider it.

        I know many Membergate owners who are very happy with the software. Maybe they handle that part themselves, I don't know. No one seems to want to talk about it and I respect that as a business decision.
  • Jack Gordon
    There are a lot of misconceptions flying around about what is, and is not, going to be "secure".

    First off, security is an illusion. If someone wants to hack you, and they have the skills and the time, you will get hacked.

    There are things you can do to mitigate the risk, and - bundled together - those are what we would call security.

    A few no-brainers would be things mentioned here, like using SSL, reputable software, not storing credit card information, etc. Add to that list extra encryption for any consumer data that could be considered sensitive. It might cost you extra to pay someone to build something like that into your database, but when you do get hacked you'll be really glad you did it.

    People often talk about PCI compliance like it is a possession. It is not. It is a standard, toward which one must constantly be either striving or maintaining. And it is expensive and time consuming to do that.

    I do it for my main business because I have to, and I speak from experience. The upside is that having that investment in my office allows me to experiment with new business ideas without having to worry about that part for each new business idea I have. It is a small perk, but like I said I pay handsomely for the privilege.

    Assuming you don't, you would be better off not collecting any sensitive consumer data (financial or otherwise) rather than rolling the dice and cleaning up the mess later.
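The "extra encryption for sensitive consumer data" Jack Gordon describes, shown as an added example that is not code from this thread or from any plugin named in it. It uses PHP's bundled libsodium; the environment variable name MEMBER_DATA_KEY, the member record and the processor reference value are assumptions constructed for the example.

```php
<?php
// Added example: encrypt sensitive member fields before they reach the
// database, so a dumped table alone does not expose them. Uses PHP's bundled
// libsodium (PHP >= 7.2). The key comes from an environment variable
// (assumed name MEMBER_DATA_KEY) and is never stored next to the data.

function member_data_key(): string {
    $hex = getenv('MEMBER_DATA_KEY');
    if ($hex === false || strlen($hex) !== 2 * SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('MEMBER_DATA_KEY is missing or has the wrong length');
    }
    return sodium_hex2bin($hex);
}

// A fresh random nonce per value is prepended to the ciphertext, so each stored
// value is self-contained and two identical phone numbers do not look alike.
function encrypt_field(string $plaintext, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

// Returns null rather than garbage when the value was altered or the key is wrong:
// secretbox is authenticated, so tampering is detected before anything is decrypted.
function decrypt_field(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Constructed sample record. There is no card number anywhere: the payment
// processor keeps the card and the site stores only its opaque customer
// reference (placeholder value), which is what "offload card handling" means.
$key = member_data_key();
$row = [
    'username'       => 'jdoe',
    'phone'          => encrypt_field('+1-555-0100', $key),
    'postal_address' => encrypt_field('1 Example St, Springfield', $key),
    'processor_ref'  => 'cus_PLACEHOLDER',
];
if (decrypt_field($row['phone'], $key) !== '+1-555-0100') {
    throw new RuntimeException('round trip failed');
}
if (decrypt_field($row['phone'], sodium_crypto_secretbox_keygen()) !== null) {
    throw new RuntimeException('a wrong key must not decrypt');
}
```

Generate the key once with `sodium_crypto_secretbox_keygen()` and keep it in server configuration rather than in a WordPress option or any table a database dump would include.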
  • I would recommend InstaMember - The Ultimate Wordpress Membership Plugin because they have a built in dashboard which shows you tons of analytics.

    However I'm unable to speak on the security of their plugin because these days online - nothing is safe, and anyone can hack into anything online.

    Insta-member provides you real time stats of who's logged in, new members, ip addresses, and a few other cool data points.

    I use them personally for a few of my membership sites as well.

    All the best,
    Michael
  • nizamkhan
    You can also check out sitemanpro.com, it's a hosted membership and site building platform.

    - Nizam
  • agmccall
    What data do you really have on that membership site?

    You have their name, username, and password

    I do not think there is much to worry about

    al

    "The problem with the rat race is that even if you win you're still a rat." ~Lilly Tomlin~
