Shopify and BigCommerce Security: 7 Steps to Protecting Your eCommerce Business from Disaster
In the world of ecommerce and the internet today, cyber-security sometimes gets taken for granted. Cloud-hosted ecommerce platforms like Shopify Plus and BigCommerce Enterprise, serving both small and large global brands, have taken away the burden of setup, PCI compliance, high-risk security, and stability. Brands are now able to focus much more on their product, their business, and their marketing and less on maintaining and building their ecommerce platforms. That’s all great, but often the result is that many ecommerce businesses do not spend a minute worrying about the security of their store and their customer data.
When ecommerce platforms were built from scratch, security was at the forefront of every ecommerce manager’s mind because it all depended on you. But now that cloud-hosted platforms handle security, it flies under the radar.
This is a mistake. Even though your ecommerce platform may handle PCI compliance and take responsibility for payment security, you’re still vulnerable and you still need to protect your business.
We’re not going to cover all of the nitty gritty of how hackers can still get into your site and steal your data. But it’s important to note that if you aren’t intentional about security on your ecommerce store, your site (and your business) is extremely vulnerable.
We aren’t cyber-security experts, and the majority of vulnerabilities actually aren’t very technical. But we do work with and manage several global ecommerce brands and help advise them on their vulnerabilities. So, here are the common sense areas that often go unnoticed where you should be thinking about security on your site.
Why is ecommerce cyber-security so important?
Hopefully this is just a rhetorical question for you. You have customers and when they shop on your site, they are trusting you with their information. It is your responsibility to protect those customers and their data.
These days customers are much more trusting than they used to be, since online buying is pretty much the norm for everyone, so there is an even greater responsibility on you as a brand.
Having good cyber-security also protects your business from a revenue perspective. The last thing you want is your business getting cut off at the knees due to some security issue that could have been prevented. When events happen, the loss of brand trust can be much more damaging than the event itself.
So, be smart about your security. Just because ecommerce is “easy” these days doesn’t mean the basics of security and responsibility to your customer go out the window.
What are the general security concerns when running an ecommerce store?
Most would agree that first and foremost, the concern is protecting credit card and payment information.
However, it doesn’t stop there. With increasing rules and regulations, and the passing of GDPR and CCPA, there is now a higher standard for protecting general customer data, from contact information down to buying behavior. With this increasing focus on protecting customer data, it’s important to be aware of the general risks, and to know who’s ultimately responsible for securing this data.
NOTE: This isn’t a post with legal advice. You should of course consult with your lawyer about your specific situations, but this is meant to give you a general overview of what to be aware of and thinking about.
How can you protect against security breaches and issues?
1. Be Knowledgeable
It is so easy to set up a basic ecommerce site today. That also means it’s easy not to understand what all is going on behind the scenes of your store, especially when it comes to understanding how the data is flowing. It is your responsibility to know what’s going on under the hood of your ecommerce store. If you don’t understand these basics, you’re going to be vulnerable to security breaches.
2. Use a 3rd Party Platform for Ecommerce
Use a cloud-hosted ecommerce platform, like Shopify Plus or BigCommerce Enterprise, to build your store that handles security and scalability. This offloads PCI compliance so that you don’t have to take on the full burden of receiving and securing payment information. We talk a lot more about the benefits of using a cloud-hosted 3rd party ecommerce platform here.
3. Don’t Hack to Customize
One of the reported downsides of most 3rd party ecommerce platforms is that they limit customization, especially when it comes to the checkout. You might be tempted to hack your own checkout in order to be able to customize it. Simply put, don’t. The very reason why they are secure and stable is that they limit where you can customize. That being said, you can customize a lot and if you are butting up against the boundaries of what is possible, there’s a good chance you might be walking down the wrong path.
On standard Shopify, you cannot make any customizations to the checkout. This is intentional to ensure the security of the checkout process. With Shopify Plus, you have some access to customize the checkout, but there are still some limits for this same reason.
Don’t try to hack around this to make more customizations than are possible within the platform. You are only opening up holes in your security that could be detrimental to your business.
4. Use Well-Known 3rd Party Apps for Data Storage
Your ecommerce platform likely won’t be the only 3rd party platform that you’ll use when setting up your store. At the very least, you will have an email marketing platform that also stores customer data. Vet these email marketing platforms (and other 3rd party platforms) to make sure that they take security seriously, especially when data is being passed back and forth between platforms.
5. Use Reputable Apps
This is a big one. Along the same lines as other 3rd party platforms, you will likely add functionality to your site through apps. One of the great benefits of Shopify is their active app community. You can find an app for almost any business need you might have. But beware.
Don’t just install any and every app that looks interesting. All of these apps will have some level of access to your data, and some specifically to your customer data. So vet these apps as you would any other platform, stick with well reviewed apps with a strong history, and limit the number that you install.
For this reason, in addition to the great performance of their apps, we often recommend apps by very reputable developers like the Bold apps. They are a longtime Shopify Partner with a strong history in both performance and security.
This is key when thinking through your site security, because it may not be your site that gets hacked. It could be one of the 3rd party platforms or apps that you use that gets breached, but ultimately you are responsible.
6. Minimize Store Logins and Limit Access
That urge you may have to give everyone in your company access to the store should be denied. Give people access on a need-to-know basis. This is both for their safety and your company’s. Only give logins to your store to essential personnel and partners, and limit access to what is essential to do their job. Many stores give full access to their store to everyone on their team and many outside partners. Every store login is a potential weak password and entry point into your site, so be cautious about giving these out.
Also, make sure to go through and remove employees and partners that no longer work with you. This might sound like a no-brainer but often gets missed.
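A simple way to make this a routine rather than a good intention is to review your store logins against a roster on a schedule. The script below is an added example, not code from the original post or from Shopify or BigCommerce: it runs over a constructed list of store logins (the field names and the "owner-only full access" rule are assumptions for the example) and flags logins that belong to departed people, that have full access without a role that needs it, or that have gone unused.

```python
# Added example: review a constructed export of store logins for the three
# problems the post describes: departed users, over-privileged logins, and
# stale logins. Field names are assumptions, not a real platform export format.
from datetime import date, timedelta

# Constructed sample data (not real accounts). active_staff is what HR says;
# the other fields are what the store's user list says.
LOGINS = [
    {"email": "owner@example.com",  "role": "owner",       "permissions": "full",   "last_login": "2024-05-30", "active_staff": True},
    {"email": "cs1@example.com",    "role": "support",     "permissions": "full",   "last_login": "2024-05-28", "active_staff": True},
    {"email": "intern@example.com", "role": "marketing",   "permissions": "full",   "last_login": "2023-11-02", "active_staff": False},
    {"email": "agency@example.com", "role": "partner",     "permissions": "themes", "last_login": "2024-01-10", "active_staff": True},
    {"email": "ops@example.com",    "role": "fulfilment",  "permissions": "orders", "last_login": "2024-05-29", "active_staff": True},
]

# Roles that legitimately need full store access (an assumption for this example;
# tailor this to your own organisation).
FULL_ACCESS_ROLES = {"owner"}


def review_logins(logins, today, stale_days=90):
    """Return {email: [reasons]} for every login that needs attention.

    today is an ISO date string; a login is stale if its last login is
    more than stale_days before today.
    """
    cutoff = date.fromisoformat(today) - timedelta(days=stale_days)
    findings = {}
    for login in logins:
        reasons = []
        if not login["active_staff"]:
            reasons.append("departed: remove login")
        if login["permissions"] == "full" and login["role"] not in FULL_ACCESS_ROLES:
            reasons.append("over-privileged: reduce to role-specific permissions")
        if date.fromisoformat(login["last_login"]) < cutoff:
            reasons.append("stale: no login in %d days" % stale_days)
        if reasons:
            findings[login["email"]] = reasons
    return findings


if __name__ == "__main__":
    for email, reasons in review_logins(LOGINS, "2024-06-01").items():
        print(email, "->", "; ".join(reasons))
```

Run it with your real user list exported from the store admin and your HR roster substituted for the constructed data; anything it prints is a login to remove or trim.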
7. Build Trust with Your Customers
Finally, let your customers know that you take security seriously. This is important in order to build trust with your customers so that they are ready and willing to give you their credit card information. Currently, online shoppers aren’t responsible if their credit card data is stolen, but this may be changing in the near future, so the customers’ perception of security will become even more important.