Platform Trust Center

By focusing on providing the best user experience possible, BigCommerce has earned a trusted brand name. Unfortunately, unscrupulous people sometimes try to use the BigCommerce brand to scam and defraud others. Here are ways that you can avoid and report them.

GOLDEN RULES:

1. Slow it down - Scams are often designed to create a sense of urgency. Take time to ask questions and think it through.
2. Spot check - Do your research to double check the details you are getting. Does what they’re telling you make sense?
3. Stop! Don’t send - No reputable person or agency will ever demand payment or your personal information on the spot.

If you receive a text message, or email or phone call from someone claiming to be BigCommerce, especially if you are being asked to provide personal information, or payment (e.g. via Telegram or WhatsApp), follow the Golden Rules above.

Contact BigCommerce for confirmation, through live chat, phone support or email support

On 10 July 2023, the European Commission finalized an adequacy decision for the EU-US Data Privacy Framework ("DPF"), a voluntary framework that normalizes cross-border data transfers under GDPR. The European Commission concluded that the DPF provides an essentially equivalent level of protection under Article 45 GDPR and that recent changes in U.S. law adequately address concerns about government surveillance raised by the Court of Justice of the European Union in its Schrems II ruling.

As an existing EU-US Privacy Shield member, BigCommerce became a member of the DPF immediately upon effect of the European Commission's adequacy decision. Joining the DPF provides BigCommerce with a valid legal basis for US-bound data transfers and reflects BigCommerce's commitment to data transfer compliance.

Consistent with this commitment, BigCommerce intends to continue to adhere to the SCCs as well as the supplemental security measures articulated in the BigCommerce DPA and detailed at security.bigcommerce.com in addition to complying with DPF principles. Among other things, merchants that utilize our regional hosting capabilities will continue to be hosted primarily on our EU- or APAC-based infrastructure.

As with any enterprise-grade platform, it's critical that the BigCommerce e-commerce SaaS platform operate with the highest standards of confidentiality, integrity, privacy, security and business resiliency. The BigCommerce e-commerce SaaS platform has been awarded two important industry designations that attest to the rigor with which BigCommerce protects its customers' information: SOC1 Type II and SOC2 Type II. These Reports were awarded with no exceptions, along with a SOC3 Report. Together with our Information Security Management System (ISO 27001), our Business Continuity Management System (ISO 22301) and our Privacy Information Management System (ISO 27701) we strive to earn and maintain our customers' trust.

Our new SOC Reports are available here: https://security.bigcommerce.com/?itemUid=9fabdf99-e0fd-4592-8898-6bd024317e08&source=click

PCI DSS The PCI Security Standards Council is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide. The Standards Council was established by the major credit card associations (Visa, MasterCard, American Express, Discover, JCB) as a separate organization to define appropriate practices that merchants and service providers should follow to protect cardholder data. It is this council of companies that created the Payment Card Industry (PCI) Data Security Standards (DSS).

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. The scope of BigCommerce’s PCI Attestation of Compliance (AOC) includes all systems, networks, and applications that process, store, or transmit cardholder data, and also systems that are used to secure and log access to the systems in scope.

BigCommerce undergoes at least an annual third-party audit to certify BigCommerce against the PCI DSS. This means that BigCommerce provides an e-commerce application which customers may use to build their storefront which stores, processes, or transmits cardholder data. It is important to note that customers are still responsible for ensuring that their storefront is PCI DSS compliant.

As a PCI DSS Level 1 Merchant, BigCommerce accepts payments for subscriptions via the BMP billing application (manage.bigcommerce.com) which is used by all customers.

As a PCI DSS Level 1 Service Provider, BigCommerce facilitates the tools for merchants to accept credit card payments at their individual eShops. Merchants provide BigCommerce with the name of the payment gateway provider of their choice and their individual Merchant IDs; BigCommerce configures the merchant eShops with a shopping cart that enables them to accept credit/debit card payments.

Our 2023 PCI AOCs are available here: https://security.bigcommerce.com/?itemUid=53e1508c-665e-45a8-9ce0-03fdf9ae1efb&source=title

What is MOVEit? The MOVEit managed file transfer (MFT) software product was initially developed and released in the early 2000s by a company called Standard Networks. This firm was subsequently acquired by network software specialist Ipswitch, which was itself bought by Progress in 2019.

On Wednesday 31 May 2023, Progress announced it had discovered and patched a critical vulnerability in MOVEit impacting all users of the MOVEit transfer product.

Tracked as CVE-2023-34362, the bug is a SQL injection vulnerability that could enable an unauthenticated actor to access the user’s MOVEit Transfer database and – depending on whether or not they are using MySQL, Microsoft SQL Server or Azure SQL as their database engine – infer information about the contents of the database, and execute SQL statements that alter or delete elements of it.

BigCommerce can confirm that we have conducted an internal investigation and we have no evidence of impact. BigCommerce will continue to monitor the situation closely and will provide updates where we have them available to us

Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-34362 Reference: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

BigCommerce’s certifications, completed by cybersecurity advisory group Coalfire ISO and evaluated by an independent quality assurance organization, ensures that the company has established a formal set of policies, procedures, processes and systems that manage information risks, privacy risks and business resiliency risks for its digital and physical presence.

• ISO27701, also known as the Privacy Information Management System (PIMS) framework, is the data privacy extension to ISO 27001, which outlines controls and processes for managing data privacy and protecting PII.

• ISO23301 is the recognized international standard for Business Continuity Management Systems (BCMS), published by the international organization for Standardization (ISO).

The ISO 22701 and ISO 22301 certifications are the latest in a series of commitments BigCommerce is making to its information security, privacy, compliance and regulation practices.

BigCommerce is committed to open, transparent communications that put our users first. We have recently made several important privacy-related updates to our Terms of Service(TOS), including: Incorporating our Data Processing Addendum (DPA) into our TOS. Our DPA makes certain commitments to merchants about how we use and protect their customer’s personal data when acting as a processor. Where merchants have already executed a separate data protection agreement with BigCommerce, the executed agreement will remain in force and prevail except where the TOS provides a more stringent level of data protection. Updating our Privacy Policy to account for new privacy laws and clarify how we use, share, and retain personal data, including additional information about our efforts to respond to data subject access requests.

Relatedly, we will soon make several changes to our list of third-party subprocessors. These changes are the result of substantial internal efforts to minimize shopper data as part of our broader commitment to our merchants’ privacy.

We are providing information about the type of shopper data that may be processed by our subprocessors, as well as how merchants can avoid the use of certain subprocessors.

We encourage you to read the full Terms of Service at https://www.bigcommerce.com/terms/ and view our list of third-party subprocessors.

For current customers, additional information about the protections we employ when processing shopper data can be found in this Platform Trust Center, in our Data Protection & Transfer Impact Summary.

If you have any questions, please visit the BigCommerce Help Center or contact us: https://www.bigcommerce.com/contact/

Update: BigCommerce is not affected by this vulnerability.

On Oct 25, 2022 The OpenSSL project announced a forthcoming release of OpenSSL (version 3.0.7) to address a critical security vulnerability. This release should go live on Tuesday, November 1, 2022. Versions prior to 3.0.0 are confirmed as not vulnerable. BigCommerce has checked our own systems and tools for usage of vulnerable versions of OpenSSL. We will be on alert for any impacts when the vulnerability details are disclosed.

Reference:

• https://www.openssl.org/news/vulnerabilities-3.0.html
• https://blog.qualys.com/vulnerabilities-threat-research/2022/10/31/qualys-research-alert-prepare-for-a-critical-vulnerability-in-openssl-3-0

This advisory will be updated as new information is provided.

BigCommerce believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our applications. Good luck, and happy hunting!

Report your findings using the link on the footer of this page.

This Report is found under the 'Other Reports' tile. It is is a summary of BigCommerce’s data protection and transfer practices. This document is not legal advice and does not provide an exhaustive list of the protections maintained by BigCommerce. For the avoidance of doubt, the information provided in this document is BigCommerce confidential and proprietary information and can be shared only: (i) in relation to a legitimate business purpose; and (ii) subject to an appropriate confidentiality expectation or obligation.

BigCommerce operates as a PCI DSS Level 1 Service Provider and Level 1 Merchant, accepting online payments by card-not-present transactions only. Current PCI AOC Issuance Date: 6/13/2022. PCI AOC's are available from the 'Compliance' Tile/ PCI DSS Link

As a PCI DSS Level 1 Merchant, BigCommerce accepts payments for subscriptions via the BMP billing application (manage.bigcommerce.com) which is used by all customers.

As a PCI DSS Level 1 Service Provider, BigCommerce facilitates the tools for merchants to accept credit card payments at their individual eShops. Merchants provide BigCommerce with the name of the payment gateway provider of their choice and their individual Merchant IDs; BigCommerce configures the merchant eShops with a shopping cart that enables them to accept credit/debit card payments.

GitHub revealed on 4/15/2022 that an attacker is using stolen user tokens (issued to Heroku and Travis-CI OAuth) to download data from private repositories. BigCommerce can confirm that we have conducted an internal investigation and we have no evidence of impact. BigCommerce will continue to monitor the situation closely and will provide updates where we have them available to us.

Reference: https://status.heroku.com/incidents/2413 https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/

The PCI Security Standards Council published version 4.0 of the PCI Data Security Standard (PCI DSS) The updated standard and Summary of Changes document are available now on the PCI SSC website. https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

VIEW: “PCI DSS v4.0 At a Glance” an overview document on the changes to PCI DSS v4.0. https://www.pcisecuritystandards.org/documents/PCI-DSS-v4-0-At-A-Glance.pdf

Published on 3/31/2022 BigCommerce became aware of a recently disclosed CVE-2022-22965 - “SpringShell” RCE vulnerability in spring-beans before 5.2.20/5.3.18, BigCommerce can confirm we have conducted an internal investigation and can confirm that we have no evidence that BigCommerce customers or internal employees have been targeted or impacted by this vulnerability.

BigCommerce will continue to monitor the situation closely and will provide updates where we have them available to us.

BigCommerce values the security of its services extremely highly and to this end we maintain appropriate industry accepted third party accreditation of our security controls and program.

Published on 3/31/2022 BigCommerce has been made aware of both the recent potential Okta security incident and the recent potential Microsoft security incident and is actively assessing the situation as events unfold.

​We have been in touch with OKTA and have no evidence of impact to BigCommerce. We have researched the Microsoft issue and found no evidence of impact to BigCommerce. We continue to monitor the situations closely and will provide updates where we have updates available to us.

OKTA Statement: https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/ Microsoft Statement: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/

The US Cybersecurity & Infrastructure Security Agency provides guidance for organizations to prepare for, respond to, and mitigate the impact of cyber attacks during this period of unrest. https://www.cisa.gov/shields-up

SECURITY NOTICE (click to expand): about the recently disclosed Log4j vulnerabilities, references: https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance, https://logging.apache.org/log4j/2.x/security.html and: https://nvd.nist.gov/vuln/detail/CVE-2021-44228 https://nvd.nist.gov/vuln/detail/CVE-2021-45046 https://nvd.nist.gov/vuln/detail/CVE-2021-45105 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104

Exploits related to vulnerabilities affecting Apache’s Log4j, known as "Log4Shell" and "log4shell" were publicly disclosed on December 9, 2021.

There have been reports confirming that active scanning and exploitation attempts are occurring in the wild across a variety of Internet connected systems, separate and unrelated to BigCommerce systems.

BigCommerce has been working diligently to assess our internal systems and 3rd party dependencies in order to mitigate what has become a ubiquitous vulnerability for attackers.

What is the impact? From our investigation no impact to our platform has been identified. Merchants and partners are strongly encouraged to assess their own environments for this vulnerability and remediate immediately.

Who is impacted? Versions of Log4j2 from 2.0-beta9 to 2.15.0, excluding 2.12.2 are affected by this vulnerability. An extensive list of responses from impacted organizations has been compiled here for greater context: https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/

What action is required for BigCommerce's customers? No action is required related to your BigCommerce store. However, if you have engaged a third party development partner or leverage 3rd party applications you are strongly encouraged to request confirmation that they are not vulnerable to the Log4j vulnerability.

Note: BigCommerce will not send you any code to upload to your site or require you to install anything on your computer or in your store