Home > BigCommerce > Docs > Is BigCommerce Safe? How BigCommerce helps secure your business

Is BigCommerce Safe? How BigCommerce helps secure your business

Last updated: July 01, 2024
This article has been written and researched by our expert Avada through a precise methodology. Learn more about our methodology





As you start your online business, you need to be aware of the fact that eCommerce sites are usually a hotspot target for cyberattacks. As for would-be thieves, eCommerce sites are treasure data because of stealing personal and financial information easily. Everything on the Internet is not always totally secure and threatened at any time.

E-commerce business owners get a hold of themselves about these issues, which have been increasing rapidly in recent years. According to VMware Carbon Black 2020 Cyber Security Outlook Report, more than three-quarters of businesses participating had purchased security products last year. Moreover, the security staff rate had elevated significantly, by 69%, which apparently becomes one of the top moneymaker jobs.

In this article, we together find out the answer for the question: Is BigCommerce safe? by getting information about BigCommerce security - the biggest security threats, and finally, what BigCommerce helps your store be safe.

Without further ado, let’s dive into reading right now!

Overview of BigCommerce

What is the BigCommerce platform?

Before knowing the basic information about security, we would like to give you an overview of the BigCommerce platform for some people who just started running an online store in BigCommerce or are in the process of choosing a website builder for your business.

BigCommerce platform

BigCommerce is a “software as a service” (SaaS) tool that supports building an online store conveniently in a short time and without an extensive budget for a web developer. It allows you to sell products that are either digital or physical online, having a wide variety of retailers in all sizes: small, medium, or large businesses.

Since both products run in a web browser, which means that you can manage your store anywhere with the Internet nearby, and no installation on desktop and laptop is necessary. The outstanding plus of BigCommerce is that you use it without forcing design or coding anything. All you have to do is picking paid or free templates as your store theme, uploading your products, setting prices, and the rest of the thing is for BigCommerce to operate on behalf of you.

There are several advantages when using the BigCommerce platform, we can see. Then after starting your store provided by BigCommerce, what is your next concern? Most people would say “Security” as one of their concerns, so let’s move on to the next question, “What is BigCommerce security?” to figure it out!

What is eCommerce security?

For all-sized businesses, the cost of a breach both in loss of data and customer confidence can be significantly detrimental. The more alarming fact, moreover, is that all cyber-attackers target small and medium-sized businesses. Therefore, eCommerce security is a must for any online store, especially for newbie owners.

eCommerce security

E-Commerce security refers to the solutions taken to protect your business as well as your customers against cyber threats. Basically, security products look like “a vaccine” for online businesses, preventing them from cyber-viruses. They focus on maintaining safe and secure electronic transactions to purchase and sell goods or services over the website. As a result, several protocols are placed to assure the security and protection of those engaged with the online transaction.

eCommerce security

If you do not install eCommerce security, not only will the financial consequences be damaged considerably, but a breach can harm your store’s reputation as well. Customers are reluctant to continue shopping at the online store that has put their confidential information at risk.

How is Compliance different from Security?

The concepts of compliance and cyber-security are often utilized interchangeably - in some perspectives, they are related. But there are some crucial differences to find out that you still need to install security products. Because of that, setting up GDPR Compliance for BigCommerce is not enough to protect your online store, which is at high risk of being attacked by hackers.

Firstly, Compliance is the ability to meet specific standards set out by governments or private institutions. In addition, there can be legal repercussions for not complying. Having mentioned above, meeting those standards does not necessarily mean your eCommerce web is full of safety. There are several cybersecurity regulations that businesses may be required to meet; however, we only show you the auto-setting compliance for BigCommerce: GDPR.


GDPR (General Data Protection Regulation) is a law in the EU to ensure the European Economic Area (EEA) protection in terms of citizens’ personal data and privacy. Noticeably, it does not just apply to businesses in the EU. GDPR is a must for any online stores which sell products internationally to any European people when you collect any of their data.

Common terminologies in BigCommerce security

Now it’s time to look at some common academic terms relating to eCommerce security to understand if you come across these as installing security products.



The Payment Card Industry Data Security Standard (PCI/DSS) refers to an information standard for organizations that handle credit cards collected online which are stored and transmitted in a safe manner.

PCI standard is authorized by the card brands but generally administered by the Payment Card Industry Security Standards Council. This standard is applied to increase controls around cardholder data to reduce credit card fraud. Validation of compliance is demonstrated quarterly or annually through the method matches with the volume of transactions handled; or in another way, the size of your store:

  • Self-Assessment Questionnaire (SAQ) - small volumes
  • Qualified Security Assessor (QSA) - moderate volumes (include an AOC (Attestation on Compliance))
  • Firm-specific Internal Security Assessor (ISA) - large volumes (include ROC (Report on Compliance))

2. ISO

ISO (International Organization for Standardization) is an international standard-setting body that creates requirements guiding businesses in order to ensure their operations are fit for purpose. One of their standards, ISO/IEC 27001:2013 provides data security and as for BigCommerce, it was ecstatic to receive this certification containing many benefits.


Achieving this certification indicates a business has a couple of interests such as:

  • High-quality management systems

  • Data security

  • Payment security

  • Risk aversion strategies

  • Standardized business practices

3. Personal data

Personal data or private information is any data that can be linked to a specific individual - simply includes names, email addresses, and phone numbers. However, it actually gets a little bit more complex than you think. Any data set that even names or numbers can identify a particular person is also considered as personal data. Therefore, protecting private information is really important as it comes to data privacy regulations such as GDPR Compliance.

4. Transport Layer Security (TLS), Secure Sockets Layer (SSL), and HTTPS authentication

SSL (Secure Sockets Layer) is sensitive data protection using encryption tools in order to secure your website as well as a browser. SSL certificate no longer develops, so it is now known as TLS certificate instead. Using TLS helps authenticate and encrypt links between networked computers during “package” transmission from hyperlinks (package is a part of personal data). You can acknowledge whether that website is secure or not by looking at the icon of the URL on the bar tab.


Once you have an SSL/TLS certificate for your eCommerce site, you can move from HTTP to HTTPs - an expandable version of HTTP, which serves as a trust signal to customers that your site is safe.

5. Multi-factor authentication (MFA), 2-factor authentication (2FA), or 2-step verification (2SV)

Three of these terms are sometimes interchanged since they are similar, but there are differences among them. When you enter a username and password, all of their methods require at least one further step of identity verification to surely log in to a site.

Here is a detailed explanation of the differences:

2SV requires the users to enter a one-time code, delivered via an email, text message, or phone call.


2FA requires the users to acknowledge their login attempt through another device like opening a specific app on a mobile device while logging in from a laptop.


MFA, similar to 2FA, refers to the implementation of more than two factors of authentication.


Because DDoS comes from many sources, they are challenging to stop, especially as more and more smart devices come online.

The biggest security threats to eCommerce sites

1. DDoS


A DDoS attack is a disruption of loading server, service, or network traffic with a flood of traffic. Simply, it takes down your eCommerce site by overwhelming your server with hundreds, thousand of requests from IP addresses. These IP addresses have been compromised by malware, leading to slow performance, offline site temporarily, which blocks customers out of your store. Because DDoS comes from many sources, they are challenging to stop, especially as more and more smart devices come online.

2. Malware and ransomware


Malicious software or Malware occurs when attackers enter your website containing viruses, worms, or trojans. As for ransomware, it is a type of malware, locking the victim out of their system or preventing access to data until a ransom is paid to the attacker. We give you some symptoms you may experience in your store:

  • Link is transferred to the wrong destination.

  • New toolbars or buttons appear in the browser, or new icons are on your desktop.

  • System is slow and repeatedly crashes, or the browser freezes frequently and is unresponsive.

  • Advertising pop-ups on your website.

  • Emails keep bouncing.

As your website is infected by malware or ransomware, you will lose important data, and the backups of site data are very expensive. By not clicking on suspicious links or installing unauthorized software on a computer, you can be protected against attacks.

3. Phishing

Phishing is the method used by attackers to “trick” the victims, typically via email, text, or phone to require them to provide private information. It comes in emails that have been disguised to look like it’s coming from someone you know or from a reputable company. These emails often contain a link - if you click on - stealing information or installing malware on your device.


To BigCommerce, they confirm that they never send customers an email with a link to update your store or login credentials. If you receive emails like that, you have to know it wasn’t from BigCommerce and don’t enter the link.

4. SQL injection

SQL injection

If your eCommerce site unsafely stores data in a SQL database, your web may be in danger. When the SQL is not validated, a malicious SQL query is injected into a packaged payload. It can give the attacker an access to either view, delete or manipulate data in a database by creating an administrator account themselves for full control via the back-end.

5. Cross-site scripting (XSS)

It involves inserting a piece of malicious code, typically JavaScript, into a web. It would impact the users - your shoppers - exposing them to malware, phishing, and others.


6. E-skimming

E-skimming refers to a method of stealing credit card information or personal data from payment card processing on eCommerce sites. The attackers have access to your site via a successful phishing attempt, XSS, or third-party compromise. Then, they capture real-time payment information as your shoppers come to the checkout process.


How BigCommerce helps secure your business

BigCommerce security

BigCommerce customer security

As for BigCommerce, it provides a secure shopping experience for the customers by keeping their security of the system up-to-date with the best practices.

Moreover, BigCommerce supports customer security by facilitating the Payment Card Industry Data Security Standard (PCI/DSS) - an information security standard that organizations must stick to when handling credit card and debit card information. This creates the standards to protect cardholder data used for online payments. BigCommerce is certificated level 1 PCI/DSS compliant, containing 6 segments of its standards:

  • Maintain a secure network

  • Maintain a vulnerability management program

  • Monitor and test networks

  • Protect cardholder data

  • Implement strong access control measures

  • Maintain an information security policy

This compliance is applied to all online stores powered by BigCommerce platform.

BigCommerce account security

In terms of account security, the best way to approach data security for a cloud-based tool like BigCommerce is the “Shared Responsibility”. It means that your stored data security is in charge of both you - an account owner and BigCommerce. BigCommerce takes care of the software, infrastructure, and disaster recovery of the entire platform. As for you, you are responsible for secure password, permissions given to the users and third-party apps, and backups of the data you put into your store account.

Fortunately, Web app providers have their own security team who is dedicated to the platform’s service availability. They ensure the infrastructure will not fail and always maintain 99% availability all the time. This is one of the most beneficial things you’re right to use a managed service like BigCommerce.

For instance, if your data are infected by malware, the security team will recover the entire platform to the last backup. You will experience some minutes of downtime or even none, depending on how fast the team can react to the situation. However, the backups cannot recover a single account back to a previous point in time but only recover a part of your data. To solve this problem, BigCommerce recommends you use a CSV export of your data as one method of backups, or you can copy the data and insert it into a hard drive such as USB sticks.

What you can do to protect your store

In the last stage, we want you to know what you can do to prevent your store from a data breach beside the support of BigCommerce.

1. Require customers to have strong, unique passwords

Strong passwords are at least 8 characters, including upper and lowercase letters, numbers, and symbols. The user password must be a private username or his/her own unique name.


The users should not use the same password which you use for your eCommerce site for other credentials. Finally, never share sensitive information like date of birth, social security number, and other answers to private questions.

2. Protect your devices

Wherever you have one computer at home or office, make sure that your connected devices are cyber secure with anti-virus software, firewalls, or other appropriate methods of protecting against the breach. Such tools can easily find viruses and remove them

3. Implement additional authentication factors

It is a good start to install authentication factors when you begin running the online store. It’s worth spending money because using 2SV, 2FA, or MFA gives you further assurance that only you and your authorized users log into your store.

4. Switch to HTTPS


HTTPS hosting will strengthen your security store since it requires an SSL/TLS certificate before updating from HTTP to HTTPS. Moreover, Google penalizes websites with HTTP in organic search rankings when users search for your store on the search engine tool. Thus, HTTPS sends a reliable signal to your potential shoppers to purchase in your store.

5. Back up your data

Backing up your data prevents customer data from a loss due to the attackers. If you lose access to your data, backup helps you get your business running as quickly as possible.

6. Do a pre-holiday security check

The holiday season is the time people purchase online, the cyber-attackers work actively, taking advantage of this good hunt. Retailers prepare in advance by conducting a thorough security checking: malware in point-of-sale systems and the security of web servers.

7. Prepare your customer service team

If you have a moderate or large business working with many staff, you should get them trained, avoiding being victims of cyber-attackers. Furthermore, you and your team need to have a clear process for verifying the identity of the customers who request any changes to their accounts or orders.


We can see that the frequency and sophistication of cyber-attackers has skyrocketed along with the rapid speed of technological growth in recent years. To answer if BigCommerce is safe via what they do to secure eCommerce stores, our answer is yes.

However, in this constant game of cat and mouse, while the retailers add more innovative technologies to protect their sites, cyber-attackers equally hone hacking skills as well as keep finding new vulnerabilities to exploit data. Therefore, the best way to stay ahead is to be aware of eCommerce security best practices following some tips we gave you above. Additionally, you can update the types of attacks to watch out for any signals of an infected website; from that, you protect your store as much as you can.

We hope that this article is helpful for you to go through all information relating to eCommerce security. Feel free to leave a comment if you are still ambiguous!

Sam Nguyen is the CEO and founder of Avada Commerce, an e-commerce solution provider headquartered in Singapore. He is an expert on the Shopify e-commerce platform for online stores and retail point-of-sale systems. Sam loves talking about e-commerce and he aims to help over a million online businesses grow and thrive.

Stay in the know

Get special offers on the latest news from AVADA.