Shopify Security – How Secure is Shopify and Shopify Plus?
Shopify security 2019 update. Wondering how secure Shopify or Shopify Plus is? Need to get answers on platform security?Asking how Shopify stands up against Woocommerce, Magento and Squarespace?This article is for you.In it we’re going to address the main issues around ecommerce security and how Shopify addresses them.
An Overview of Shopify
Shopify is a hosted SAAS service used by over 600k merchants worldwide and has firmly established itself as the leading SAAS platform in the world.Our developers have consistently rated Shopify the Best Ecommerce Platform of the Year for five years in a row in terms of functionality and scalability.
But how secure is Shopify?Before we get to that let’s take a look under the hood at what makes an ecommerce site secure in general and then we’ll move onto how Shopify deals with this and some of the common pitfalls which merchants fall into with security.
The 5 Challenges of eCommerce Security
First it’s important to establish what it is that makes a website secure?More specifically let’s look at what it is that makes an ecommerce website secure.And then after we’ll take a look to see how Shopify stands up to these.
There are 3 things important things we need to look at when thinking about ecommerce security:
Credit card data.First and foremost comes payment security.When your customer pays you, they usually enter a form of payment like a credit card number.On a typical store over 50% will be via credit card alone.Tokenised payment gateways don’t capture the credit card data on your server but many payment gateways still require credit card data to touch the server.In these cases it’s vital that the server managing the transactions is fully secure and PCI compliant so that customers can shop securely.If your customers have their credit card data stolen from your website you will not only lose them as a customer forever but you could also potentially face legal action.Not to mention the brand damage.Many brands have been put out of business by payment data breaches like this.It’s one thing for people to get their name and email address stolen – but it’s a whole other thing when credit card data is stolen and money goes missing.
Customer data. In addition to capturing credit and debit cards you also capture a lot of data about your customers during their checkout. This data is usually stored in a database.Data fields like name, address, email address, products ordered, passwords etc.As a store owner you should always be asking yourself: Is your customer data secure?Are you securely storing customer data in line with the laws in your country?It doesn’t mater where you live in the world – every country has data protection laws which you as a business owner need to comply with.The recent addition of GDPR has added further complexities in this field for those trading within the EU.Failure to keep your customer data secure will lead to legal action and fines.
Fraud protection.Can people easily place fraudulent orders with your store undetected?If they can (and it is quite easy and common) you’ll be losing money hand over fist because most successful stores don’t have time to manually review all orders.Once fraudsters get wind of an easy target they’ll hit you hard and fast – sometimes putting merchants into the red for weeks before the fraud is detected.It really depends on your industry here as some products are much more prone to fraud than others.But you absolutely need to have measures in place to deal with potentially fraudulent transactions.Without it – your business will be exposed to risks.
SSL. SSL is essential these days. Is the content and all scripts on your website served over SSL?Not only is this a basic requirement for taking payments securely but it also stops malicious external scripts from doing things to your website or to the browsers of your customers.SSL is absolutely essential these days on every page on your website.Yet I’m still seeing many sites without it – some of them capturing payment details in a highly insecure way.
Admin Security. Is the admin area of your website secure?Are there measures in place to stop brute force attacks?If someone gains access to your store admin account they will have access to everything and will even be able to take control of the entire website.And trust me – if you do well online then you will be the target of hacking attempts.It’s guaranteed and part of the process.
So there are 5 main security points we need to think of when assessing a suitable platform.Is the credit card data secure?Is the customer data secure?Are there fraud protection measures in place to stop or flag suspicious transactions?Is everything served over SSL?Is the admin area secure?Let’s take a deeper look at how Shopify manages all of these things.
1. How Secure is Shopify for Credit Card Processing?
Shopify is PCI level 1 compliant for credit card processing which means that it adheres to the highest standards of server compliance.That’s hard to beat.It has the highest standards in the world on payment processing.You can read more about Shopify’s PCI compliance here.
This is one of the main benefits of Shopify vs self hosted solutions.If you wanted to manage your own server with Magento or Woocommerce – that alone would cost you thousands (minimum) every year in compliance costs.That’s to do it properly – which most people don’t.
Shopify is PCI compliant from day one without you doing anything or spending a single cent.It’s always PCI compliant and fully secure for payment processing.So you can accept payments without thinking about credit card security.
Some merchants get annoyed with Shopify as a platform as you can’t modify the checkout too much (light branding is possible on lower plans and full customisation on higher plans).Security is the reason for this though and it’s totally justified.If people can add code to the checkout – it becomes insecure and data can be skimmed easily.This is the main reason why Shopify doesn’t allow you to modify the checkout unless you’re a Shopify Plus customer (highest level).
2. How Secure is Shopify for Customer Data?
Shopify has introduced a number of measures to secure customer data in the past years – even more so since the introduction of GDPR within Europe.These measures include: limiting the login attempts and ensuring app developers only have access to the data they need to run the apps to avoid data being leaked.
Customer data is very secure on Shopify.The only times we’ve seen customer data lost on a Shopify store is via a 3rd party (unofficial) app.Obviously – if you grant a 3rd party app full access to the store backend via the API it will have access to all data.The customer data is 100% secure within Shopify’s ecosystem.
3. How secure is Shopify for Fraud Protection?
Shopify has an excellent fraud prevention system to flag potentially fraudulent orders so that you can manually review them before processing.You can set your orders to be manually fulfilled or automatically fulfilled so you have complete control over the whole setup.And orders which are flagged as suspicious can be investigated before being dispatched.
Orders that get flagged typically have an address mismatch (e.g. order processed for delivery to Indonesia with credit card registered in Maine) or multiple attempts of different cards (a classic fraud where they try different cards until they find one that works).Additionally there are some apps which will help with fraud prevention if the Shopify core functionality isn’t sufficient for you (it is for most people).
4. Does Shopify have SSL?
Yes.All Shopify stores are issued with SSL throughout and so long as you aren’t loading any insecure scripts you’ll have SSL working throughout the store in a couple of clicks.The SSL certificate is included in your monthly Shopify fees and there’s no addition costs involved.
5. Admin Security
Shopify has a secure back-end which offers a user privilege system. The account owner can send out staff accounts with different privilege levels.To protect the admin and staff accounts from brute force attempts then Shopify have some security steps to authenticate and block access.A brute force attempt to access the admin would not be possible as it would take thousands of years.
What are the Most Common Security Issues on Shopify
We’ve been Shopify experts since 2014 and working with the platform for a lot longer than this (around 10 years in total).In this time we’ve seen very few security issues around the platform.In fact we’ve seen no security issues around the core platform which is astonishing considering the fact that many self hosted ecommerce sites on Magento and Woocomerce have had serious security issues and vulnerabilities in this time.This is one of the main reasons why most clients have migrated to Shopify.
The main security issues we’ve seen are not due to Shopify but due to merchants making mistakes.The most common security mistakes on Shopify are:
Setting insecure staff and admin access passwords.A website is only as secure as the password for the admin and brute force attacks (where a bot tries to guess the password) were common a while ago.Shopify launched a protection mechanism against this which will ward off most automated attempts but the security of a store is still only as secure as the password.So you must set a secure password and only share it with people who absolutely need it.
Shopify Security Tip: your admin and all staff passwords should be a random selection of 10-12 letters, numbers and characters.It should never be used on another platform.The admin password should never be shared electronically.
Granting private app access to the whole store.Private apps are an optional way for developers to add extended functionality and integrations to a store.Whilst they are generally used for non-malicious purposes – a hacker with access to an app server would be able to access the whole store and modify it as they wished. This is something store owners do not often realise.In granting API access an app can access all customer data – but not credit card data.
Shopify Security Tip: only grant private app access to official Shopify experts who are bound by the API terms of service. Only grant access which the app absolutely requires and if a service is no longer required then you should delete the private app.API keys should always be sent via different sources to the password and never exposed in the source code together.Remember when creating private apps with full access you are giving that app full control over your store.Only do this if it is absolutely required and the developer you work with is an official Shopify expert.
Conclusion on Shopify Security
Shopify is a highly secure SAAS platform and far, far more secure that Magento and Woocommerce (self hosted). It is PCI level one compliant and they have a team of people dedicated to platform security.You won’t find that level of security on another ecommerce platform right now.
You can see how important security is to Shopify when you look at their hiring pages. Shopify are hiring quite aggressively for eCommerce security and possibly have the best team in the world right now.