E-commerce security — payment, PII, and fraud at scale
E-commerce security is payment + PII + fraud-defense. Most modern stacks use Stripe / Shopify Payments to offload card-handling; the remaining surface is account takeover, address enumeration, and checkout fraud.
Top security risks
Account takeover at checkout
Credential stuffing targeted at checkout flows to buy items with stolen cards. MFA + fraud signal integration.
Address-book enumeration
Checkout flows that return 'billing address matches' enable card-testing at scale.
Coupon / promo abuse
Attackers test coupon codes at volume; rate-limit coupon endpoints.
Shopify app supply-chain
Third-party Shopify apps run with broad permissions. Audit installed apps quarterly.
Regulatory context
PCI-DSS (SAQ A if using Stripe/Shopify Payments), GDPR (EU customers), CCPA, state data-breach notification laws.
Checklist
- Payment handling via Stripe / Shopify Payments — stay SAQ A
- MFA on customer accounts (or passkey)
- Rate limiting on checkout + coupon + login endpoints
- Fraud-detection (Stripe Radar / Shopify fraud filter)
- PII minimization — do not store what you do not need
- Audit installed Shopify apps quarterly
E-commerce does not usually face B2B security review — but PCI-DSS compliance documentation is requested by banks and payment processors annually.