How Secure are Online Membership Systems?
If you’re asking this question, you’re clearly on the right track to ensuring your club’s membership data is protected. The reality is, all online systems are being attacked every second of every day, so ensuring you choose the right online system with an appropriate level of security is of critical importance.
Now, generally speaking, almost all clubs store members' personal information like names, addresses, and contact details. Some clubs may store additional information, like more personally sensitive information, and some may store less. In all of these cases, there are some security fundamentals that you will want to check off with any online membership system provider. These are namely:
Network and Server Security
OWASP Top 10 Protection.
Online Membership System Security
User Access Controls.
Webpage Access Controls.
Module Access Controls.
Password and Authentication Requirements.
Email Authorisation and Security.
Payment Provider Integration.
Online Membership System Provider Security
Who in the club can contact the online provider’s support team.
Hosting Partner Security.
Each of these security technologies and systems complements the next and when united together they all aim to deliver a high level of security and service to ensure your online membership system is secure and only those who require privileged access are allowed.
What does each of these technologies do?
Network and server protection
SSL Certificates secure the traffic between a member and your online system. This ensures that when they are accessing their account, renewing their membership, or purchasing a ticket to an event, all that communication is encrypted. This means a bad person can’t intercept that traffic and steal their details or worse.
DDoS Protection helps prevent a Distributed Denial of Service attack. Basically, this is an attack where someone tries to take down your online membership system by flooding it with traffic or other specific network attacks. Ensuring your online membership system provider has this protection in their network will minimise downtime from these kinds of attacks.
Open Web Application Security Project “OWASP” Top 10 Protection helps block specific attacks in real time. This is a super important piece of security since it blocks the top 10 attack styles. Generally, this system should block bad requests before they reach your online membership system.
Firewall Protection is another key component of security as this blocks all traffic and only allows traffic on specific ports. This system works complimentary to the OWASP protection mentioned above.
Online Membership System Security
Member Access Controls restrict what areas members (a.k.a. users) are allowed to access in your online membership system. It’s no good having the best network and server security if you can’t stop members from accessing your private data! Ideally, members are only allowed to access and modify their own data. Membership coordinators should be able to access and manage all member data. Site owners are the only ones who should have complete access to the system.
Webpage Access Controls allow you to restrict publicly viewable areas of your online membership system. A great example of this is a ‘members’ only area’ where members can access privileged information like committee members’ contact information or private events for the club.
Module Access Controls are similar in effect to Webpage Access Controls but they restrict access to the various modules your online membership system may use. An example of this is that you may publish a blog, an event, or sell merchandise. Each of these modules’ access should be restricted to only those who need access to perform the required task.
Password and Authentication Requirements enforce how passwords are stored and used throughout the system. A great system will use one-way password encryption to ensure if there is a breach and passwords are stolen they cannot be unencrypted.
A second awesome technology is the use of Two-Factor Authentication a.k.a. 2FA. This adds another layer to user security as two means of authenticating are required. For example, when a user logs in they are then sent a one-time code to their mobile device, which they then input to pass the login.
Other password controls that help are complexity requirements, like, the password must use upper and lower case letters along with numbers and special characters. This ensures basic passwords can’t be used, which are all too common. Another great requirement in this regard is also enforcing a minimum password length. The longer the password, the better.
Email Authorisation and Security these days is incredibly important as spam is so prevalent and maintaining a good email sending reputation is critical to ensuring important emails like member renewal notices and event ticket purchase information lands in the member’s inbox and not in their spam folder. The three main technologies used here are SPF, DKIM, and DMARC. All three work together to ensure the best chance of email delivery. For more details on these technologies, please see our article on Email Delivery Best Practice.
A great online membership system will have this trio implemented off-the-shelf. In cases where you, as a customer, would like to use your own email domain for sending critical system emails, make sure your online membership system provider can implement these same technologies on your email domain to keep you compliant and ensure the best chance of inbox delivery.
Payment Provider Integration. Make sure your online membership system integrates directly with a reputable online payment provider like Stripe, Paypal or Braintree. These payment providers are all compliant with PCI DSS and store your credit card information securely. The online membership system itself should never store your credit card information and should only manage payment by way of a token that talks to a reputable online payment provider.
Online Membership System Provider Security
Who in the club can contact the online provider’s support team? The company providing your online membership system also has access to your membership data. The most common security risks here are what’s called “phishing attacks” where a person contacts your online membership system provider and pretends to be someone who has privileged access, when in fact, they do not. Your online membership system provider should only handle support requests for people authorised by your club.
Hosting Partner Security. Many online membership systems these days are provided as a Software as a Service platform a.k.a. SaaS, meaning, you don’t need to worry about finding a suitable web hosting provider as that is taken care of as part of their service. What is worth checking here is that their underlying hosting infrastructure covers off the points outlined in Network and Server Protection above.
For online membership systems you host yourself, it is important to ensure you choose a hosting provider who meets the security points outlined above in Network and Server Protection.
Hopefully, this information will help you make the best choice when it comes to choosing an online membership system. Some providers will offer greater security than others, but it is ultimately up to you to decide on the best level of security for your club.
How does Member Jungle protect your data?
21st October 2022
With the latest data breaches at Optus Telecommunications and MediBank in Australia,... more
What are Member Jungle Gateway Fees
14th September 2022
What are Member Jungle Gateway fees?
Member Jungle offers all Australian customers the opportunity to process online payments for membership, events, online store and online courses using... more
Why do members need to update the Member Jungle app?
5th September 2022
Why does Member Jungle update the Member Jungle App?
There are 5 main reasons that we perform app updates.
1. Bug Fixes
We do our best to make the Member Jungle App... more