What is BigCommerce?
BigCommerce is an eCommerce solution that lets you build a digital store and sell items online. BigCommerce is a hosted solution, so you don’t need to buy web hosting or other applications or infrastructure to use it. You can use it to sell physical and digital goods.
BigCommerce is primarily intended for users with little or no web development or design experience and has a user-friendly interface that makes it accessible to those without technical knowledge.
However, BigCommerce is also useful for technically advanced users who want to modify the HTML and CSS of their online store. BigCommerce includes a number of personalization models that can help you create the layout of your store. For reference, see how Shopify compares to BigCommerce.
What Security Features Does the BigCommerce Platform Offer?
BigCommerce Customer Security
BigCommerce provides its users with capabilities that ensure their online store visitors experience a safe shopping process.
When organizations process credit and debit card information, they must adhere to an information security standard called the Payment Card Industry Data Security Standard (PCI DSS). This standard was created to protect cardholder data used for online payments.
BigCommerce complies with all six categories of the PCI standard to demonstrate BigCommerce Level 1 PCI DSS compliance. This compliance applies to all BigCommerce online stores. The requirements include:
- Managing a network securely
- Protecting cardholder data
- Maintaining a vulnerability management program
- Regularly monitoring and testing the network
- Implementing strong access control
- Maintaining an information security policy
BigCommerce Account Security
Cloud-based tools like BigCommerce use the principle of shared responsibility. This means that the security of the BigCommerce platform is the responsibility of BigCommerce, while the security of each user’s stored data is their responsibility. Specifically:
- BigCommerce provides security best practices, infrastructure, high availability, and disaster recovery for their platform.
- As a BigCommerce user, you are responsible for protecting your passwords, authorizing users and third-party applications, and backing up data you transfer into your BigCommerce store account.
For example, if your data is infected with malware, the BigCommerce security team will restore it to the latest backup. You might experience minutes of downtime or no downtime at all.
However, the backup may only recover part of your data, and cannot restore an account to a specific point in time. Therefore, BigCommerce recommends exporting your data using CSV and storing it locally or in another third-party location for recovery purposes.
5 BigCommerce Security Best Practices
1. Review Plugins to Prevent Zero-Day Attacks
Security vulnerabilities are constantly being discovered. When attackers identify a vulnerability before a fix has been released, they attempt to exploit vulnerable sites; this is known as a zero-day attack. This makes it critical to deploy security updates as soon as they are available. Luckily, when using a cloud-based eCommerce platform like BigCommerce, software updates are handled automatically for you.
However, third-party solutions running within your store can still make you vulnerable to attack. Before using plugins, check their rating and evaluate the plugin provider to see if they are trustworthy. Immediately remove plugins from your store if you are no longer using them, to reduce your attack surface.
2. Use Code Analysis Tools
Code audits examine source code for bugs, errors, and areas that do not meet the quality standards set by the company. Code analysis is very important for BigCommerce stores because it can verify that your custom code follows web application security best practices.
Static Application Security Testing (SAST) tools analyze source code to find security vulnerabilities. SAST scans the application's code before it is compiled, which allows developers to fix issues quickly in the early development stages.
SAST tools also graphically display detected issues, helping you navigate the code and identify the problem. They provide detailed instructions on how to troubleshoot and remediate the code, without requiring security expertise.
3. Implement API Security Testing
Many eCommerce API integrations are developed under time constraints, and there is not enough time to perform quality assurance and security testing. Defects are then discovered only in production, where they can have serious consequences.
When you integrate your back-end systems with the BigCommerce API, defects can produce a series of failures that can affect multiple other systems. Introducing software quality assurance at the early stages of the development process can reduce the stress of API maintenance and fixes in production, and can also prevent security breaches.
Introduce API security testing throughout your development lifecycle. One of the most sensitive points is accidental damage or misconfigurations caused by feature upgrades and bug fixes. The pressure to change and fix the platform frequently can lead to unexpected errors. The solution is to test all aspects of the system to make sure basic functionality is maintained and no security weaknesses are introduced.
It is very effective to perform “sanity checks”: attempting an upgrade or change to the software in a test environment and seeing if everything still works as usual. Sanity checks must be run on a QA mirror of the live site, the same one used to debug new releases of the API. This ensures that the test is conducted in a realistic environment while preventing any issues from affecting the production environment.
4. Implement Strong, Unique Passwords
Research shows that a high percentage of security breaches are caused by stolen or weak credentials. Security credentials are especially valuable in eCommerce stores like BigCommerce because they manage financial transactions. It’s worth making a special effort to ensure that you, your employees, and your customers follow strong password practices.
Put in place password policies that focus on the following principles:
- Strong passwords—with a minimum length and use of uppercase and lowercase letters, numbers, and symbols.
- No password sharing—passwords should be unique to each user, and should not duplicate a password used for another service or website.
- Password managers—encourage users to use password managers to help them remember complex passwords without having to reuse them or write them down.
- Personal information—educate users to never disclose sensitive information such as date of birth or social security number, because they can be used to answer security questions.
5. Prevent Social Engineering
Phishing is a very common cyber attack that can lead to malware infection and even complete compromise of a BigCommerce store.
To prevent phishing, do not provide any level of personal information unless you verify the identity of the recipient. Remember that legitimate organizations never ask a user to provide their password. Do not click on links in suspicious emails, and never download or open attachments from unknown sources.
Here are a few ways that can help you distinguish a phishing attempt from a legitimate email:
- Spelling or grammatical errors in the subject or body of an email may indicate a suspicious sender.
- Check the URL domain of the email sender and any links embedded in the email. Attackers often send emails that look like a familiar domain with a slight difference—for example bigcommerce.biz instead of bigcommerce.com.
- Look for unusual requests that ask for actions like transferring money or providing credentials and that urge you to take these actions immediately.
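The domain check from the list above, as an added example that is not part of the original article: it parses a constructed sample message and flags sender and link hosts that imitate a trusted domain. The TRUSTED_DOMAINS allowlist, the function names and the sample email are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains staff legitimately receive BigCommerce mail from.
TRUSTED_DOMAINS = {"bigcommerce.com"}

def edit_distance(a, b):
    """Levenshtein distance, to catch near-miss spellings of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return 'trusted', 'lookalike' or 'unknown' for one hostname."""
    labels = host.lower().rstrip(".").split(".")
    # Registrable domain taken as the last two labels (assumption: no co.uk-style suffixes).
    if ".".join(labels[-2:]) in TRUSTED_DOMAINS:
        return "trusted"
    for good in TRUSTED_DOMAINS:
        brand = good.split(".")[0]
        # Brand on another TLD, inside a longer label, or off by <= 2 characters.
        for label in labels:
            if brand in label or edit_distance(label, brand) <= 2:
                return "lookalike"
    return "unknown"

def review_email(raw):
    """Classify the From domain and every link host of a single-part text email."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    links = re.findall(r"https?://[^\s\"'<>]+", msg.get_payload())
    hosts = {sender} | {urlsplit(u).hostname for u in links}
    return {h: classify(h) for h in sorted(h for h in hosts if h)}

# Constructed sample message, not taken from a real campaign.
SAMPLE = """From: "BigCommerce Support" <support@bigcommerce.biz>
Subject: Urgent: verify your store acount

Your store will be suspended today. Log in now:
https://login.bigcommerce.biz/verify
Help center: https://support.bigcommerce.com/
"""
print(review_email(SAMPLE))
```

A "trusted" verdict only means the domain matches the allowlist; the From header can be forged, so it does not authenticate the sender.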
In this article, I explained the basics of BigCommerce security and provided five best practices that can help you secure your BigCommerce stores:
- Update BigCommerce plugins to prevent zero-day attacks
- Use code analysis tools to verify your custom code meets security requirements
- Implement API security testing to ensure your backend integrations are secure
- Enforce the use of strong, unique passwords, both for employees and customers
- Prevent social engineering by being aware of unusual or suspicious messages
I hope this will be useful as you improve your BigCommerce security posture.