While we constantly work to make the software as secure as possible, there are extra steps that store owners must take to protect their data. We have divided the required actions into three pages: the actions on this page, which need a 'site administrator'; a page (here) of ongoing security best practices for 'system administrators'; and a page (here) of actions required at setup within the admin console.
Only when strictly necessary should you allow third parties access to your store's administration.
Be thoughtful about the use of administrative accounts within your company. Only hand out administrative accounts to trusted members of staff, and leave the 'can view credit card numbers' setting unchecked by default; grant it only to the few people who genuinely need it.
Have a policy in place for deleting administrative accounts immediately when staff change roles or leave, so that nobody who no longer needs administrative access retains it.
Run the 'monthly maintenance' processes frequently: ignore the name of the process and run it daily if your business practices require it.
Always use strong administrative passwords, and change them AT LEAST every 90 days; the application will prompt you when a change is due.
AspDotNetStorefront is built to keep both you and your shoppers safe. If a shopper logs in, or begins to check out, and is then inactive for more than 15 minutes, by default the application logs them out. The same is true for an administrator. These 'session timeouts' are definitely best practice: a longer timeout lengthens the window in which an unattended browser or a stolen session cookie can be abused, so we urge you not to change the settings.
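To make the idle-timeout behaviour concrete, here is an added example (not AspDotNetStorefront code) of a sliding idle timeout over an in-memory session table. The 15-minute default mirrors the text above; the session ids, user names and timestamps are constructed for the example. It also shows why a longer timeout matters: a session that the default would have discarded is still accepted when the limit is raised to 60 minutes.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Hypothetical default, matching the 15-minute idle timeout described above.
IDLE_TIMEOUT = timedelta(minutes=15)


class SessionStore:
    """In-memory session table keyed by session id (constructed for this example)."""

    def __init__(self, idle_timeout: timedelta = IDLE_TIMEOUT) -> None:
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, dict] = {}

    def login(self, session_id: str, user: str, now: datetime) -> None:
        self._sessions[session_id] = {"user": user, "last_activity": now}

    def touch(self, session_id: str, now: datetime) -> Optional[str]:
        """Validate a request arriving at time `now`.

        Returns the user name if the session is live and refreshes its
        last-activity time (sliding expiration). Returns None, and discards
        the session, if it has been idle longer than the timeout.
        """
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if now - session["last_activity"] > self.idle_timeout:
            # Idle too long: treat as logged out and forget the session so a
            # later request carrying the same cookie cannot revive it.
            del self._sessions[session_id]
            return None
        session["last_activity"] = now
        return session["user"]

    def logout(self, session_id: str) -> None:
        self._sessions.pop(session_id, None)


def demo() -> List[Optional[str]]:
    """Walk one admin session through activity, idleness and a relaxed timeout."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed login time
    results: List[Optional[str]] = []

    store = SessionStore()
    store.login("sid-1", "admin", t0)
    results.append(store.touch("sid-1", t0 + timedelta(minutes=10)))  # 10 min idle: accepted
    results.append(store.touch("sid-1", t0 + timedelta(minutes=24)))  # 14 min since last touch: accepted
    results.append(store.touch("sid-1", t0 + timedelta(minutes=40)))  # 16 min idle: logged out
    results.append(store.touch("sid-1", t0 + timedelta(minutes=41)))  # session is gone

    # Same timeline with the timeout raised to 60 minutes: the request that the
    # default rejected is now accepted, which is exactly the extra exposure.
    lenient = SessionStore(timedelta(minutes=60))
    lenient.login("sid-2", "admin", t0)
    results.append(lenient.touch("sid-2", t0 + timedelta(minutes=40)))
    return results


if __name__ == "__main__":
    print(demo())
```

The check is "time since the last accepted request", not "time since login", which is what an inactivity timeout means; an absolute session lifetime would be a separate, additional limit.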
Recurring orders are fabulous, but no store owner wants to be calling shoppers on every recurrence for payment details. You will therefore EITHER ask the shopper to let you store their credit card details OR (RECOMMENDED) offload the storage to a gateway. PayPal and Authorize.Net are both integrated into AspDotNetStorefront in such a way that you can process payments at each recurrence without storing credit card information. Read more here.
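As an added illustration of what "without storing credit card information" means in practice, the following example (not AspDotNetStorefront or gateway code; the record layout, field names and token format are assumptions) keeps only an opaque gateway reference for a recurring order and refuses to persist anything that looks like a real card number. The detection uses the Luhn checksum that card numbers satisfy, so a card number pasted into the token field by mistake is caught before it reaches the database.

```python
import re
from dataclasses import dataclass


def luhn_valid(digits: str) -> bool:
    """Return True if `digits` passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """Heuristic: 13 to 19 digits (spaces and dashes ignored) that pass Luhn."""
    stripped = re.sub(r"[ -]", "", value)
    return stripped.isdigit() and 13 <= len(stripped) <= 19 and luhn_valid(stripped)


@dataclass(frozen=True)
class RecurringPaymentRef:
    """What a recurring order is allowed to keep (assumed layout for this example)."""
    gateway: str  # e.g. "authorize.net" or "paypal" (assumed labels)
    token: str    # opaque reference issued by the gateway; useless outside your account
    last4: str    # for display to the shopper only; not enough to charge a card
    expiry: str   # "MM/YY", so you can warn the shopper before the card lapses


def store_payment_reference(gateway: str, token: str, last4: str, expiry: str) -> RecurringPaymentRef:
    """Build the record to persist, rejecting anything that is really a card number."""
    for name, field in (("token", token), ("last4", last4)):
        if looks_like_pan(field):
            raise ValueError(f"refusing to store a card number in field '{name}'")
    if not (last4.isdigit() and len(last4) == 4):
        raise ValueError("last4 must be exactly four digits")
    return RecurringPaymentRef(gateway, token, last4, expiry)


def would_reject(token: str) -> bool:
    """True if store_payment_reference refuses this token value."""
    try:
        store_payment_reference("authorize.net", token, "1111", "12/27")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: an assumed gateway token and a well-known test card number.
    print(store_payment_reference("authorize.net", "tok_8f3a2b", "1111", "12/27"))
    print(would_reject("4111 1111 1111 1111"))
```

The token is only meaningful to the gateway account that issued it, so a copy of your database does not let an attacker charge the card; that is the whole point of offloading storage. The Luhn check is a guard against accidents, not a substitute for never collecting the number in the first place.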