Thoughts on PPC Data Security
Prestozon is the most secure Amazon PPC tool out there. We spent a lot of effort making it so secure, and this post explains why.
Entrusting your PPC advertising data to anyone should be a carefully considered decision.
You’ve already invested a lot — you researched your market, created a great listing, and invested time and money to create successful products and campaigns. It’s a very good idea to make sure your data stays in safe hands.
As Amazon gets more competitive, the risk of someone stealing your product ideas is rising. Monetization of PPC data is becoming more lucrative and your data is becoming more interesting for malicious players.
What to Look for
Be sure to check that your software follows these best practices:
- Encrypted transmissions of data
- Make sure HTTPS (using a recent TLS protocol version) is always used everywhere.
- Secure account authentication
- Ideally, using Single-Sign-On through a trusted service like Google, Facebook, Amazon etc.
- If you create your own passwords, look for strong password requirements.
- Session timeouts, meaning you have to log in again after being idle. This will significantly reduce the risk of your session being highjacked.
- Secure password recovery
- Automated password recovery (no human support involved)
- No manual resetting of password to something easily-guessable like “password”.
- Sound crazy? We agree. But this is how some prominent PPC tools handle it today. Be careful out there.
Here are two other good policies all software providers should demonstrate when dealing with customer data:
- Never asks for your credentials or password.
- Your password is not secure if you email it, especially emailing to an unknown group of people.
- We noticed that one of our competitors does this in their support channel and we alerted them to the issue. You should be concerned if the below ever happens to you, as it demonstrates very poor security practices.
- They do not access your PPC data without your consent
- Red flag: If they mention a campaign name or product without you having already given it to them.
Good Questions to Ask
Ask your vendor how they handle security. Specifically, make sure if they have good answers to these questions:
- How they encrypt passwords (if they require their own username/password – Prestozon does not)
- How and where they store your data
- Is the data encrypted? If so, how access is controlled?
- If they follow best practices like OWASP Top 10 – https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Prestozon’s Security Measures
We believe Amazon sellers have a right to know exactly how their data is being handled. Here are just some of the security measures we employ to ensure that your data is secure:
- All traffic in and out of Prestozon (as well as between different software components like our backend databases, microservices, Amazon’s APIs) is encrypted using industry best practices.
- This includes TLS 1.2 with PFS algorithms (“perfect forward secrecy” – Wikipedia).
- Hackers can’t pretend to be a trusted source and gain access to our backend data. This is a common security issue.
- Technically speaking: All of our internal software components require authentication between each other and use TLS certificate-based trust protocols to ensure that all requests can be authorized and attributed to the user that made it.
- Instead of requiring you to create a separate Prestozon account with yet another password you’d need to remember and store somewhere, we are using “Login with Amazon” (http://login.amazon.com/).
- This allows you to quickly link your existing Amazon Seller Central account and securely access your data, knowing that we will never see or store your credentials. You already trust Amazon with your credentials, and that’s all you need here.
- We can’t log in with your Amazon credentials, nor can we see any data you didn’t explicitly grant access to.
- All PPC data is compartmentalized by Account into different shards in our databases on a per-seller-account basis.
- This allows us to put strict access controls in place to ensure that user data does not leak between accounts and cannot be accessed by unauthorized requests.
- Again, this is a common weakness for hackers to get your data.
A Quick Note on Privacy
We take your privacy very seriously and will never look at your data directly, unless you ask us to in a support request. That includes limiting our internal logging to random identifiers (UUIDs) to avoid making your keyword or product data visible even to our team members.
About the Author
Prestozon co-founder Christian Hang-Hicks spend 5 years at a software security firm whose job it was to find security flaws. With this background, Chris ensures Prestozon is secure.