Platform Trust Center


Welcome to BigCommerce's Trust Center. Our commitment to data privacy and security is embedded in every part of our business. This Trust Center provides transparency into our security, privacy and business continuity management systems.

BigCommerce's advantage: its PCI DSS Level 1 certifications, both as a Merchant and as a Service Provider, offer a major advantage over eCommerce platforms that rely on partners for PCI DSS compliance, simplifying compliance for customers and signaling a high level of security for handling payment information. Our direct Level 1 certifications indicate stricter internal infrastructure for data handling.

If you have strict regulatory needs, BigCommerce's out-of-the-box compliance may provide significant peace of mind. As a cloud native, dedicated eCommerce platform, BigCommerce prioritizes security features specifically tailored to eCommerce threats compared to broader-use platforms offered by competitors. Advantages include:

  • Collaborative threat intelligence: BigCommerce proactively engages with the industry-specific RH-ISAC and with broader cybersecurity communities, demonstrating a commitment to staying informed about the latest threats targeting retail, hospitality, and other consumer-facing businesses.
  • Diverse sources: Participation in multiple organizations and services (RH-ISAC, InfraGard, Recorded Future, Mandiant) ensures we receive a wide spectrum of threat intel from analysts, researchers, and peers facing similar challenges.
  • Actionable insights: We actively use shared threat intel to improve the platform's defenses and adapt our security posture as threats change.
  • Compliance with ISO 27001:2022, ISO 27017, ISO 27018, ISO 27701 and ISO 22301 demonstrates a commitment to continuous risk identification and mitigation, which translates to a more secure environment for customers using our platform.

Ensuring your information is private, safe and secure is critical to us. Every day, every store, every request, every visitor, every purchase, we are committed to the security, privacy and business resilience of your e-commerce business/brand.

We provide privacy and security tools for your online store so you're in control. Reduce cost and complexity with an e-commerce platform designed with the secure functionality your business needs. With more built-in features and security certifications than other leading platforms, BigCommerce gives you the power to grow your business securely from day one.

BigCommerce regularly undergoes independent audits of security, privacy and business continuity controls, achieving certifications against global industry standards. We pride ourselves on our security culture and transparency and we encourage you to subscribe to our security website, security.bigcommerce.com to receive regular updates. Whether it's standard SOC or PCI compliance documentation, or learning more about how we hold ourselves to high ISO standards, or our involvement with other leading retailers as members of the RH-ISAC, BigCommerce is dedicated to safeguarding our platform so that you can focus on your customer and business success.

Brands featured on this page: Bensons for Beds, Burrow, Coldwater Creek, Diamonds Direct, francesca's, Jimmy Brings, King Arthur Baking, La Perla, Liberty Coin, Ollie, One Kings Lane, Dr. Barbara Sturm, Black Diamond, Ted Baker, The Fold London, United Aqua Group, UPLIFT Desk and Vodafone Group.
DPO Statement Re: Irish DPC Meta Decision

Platform Trust Center Updates

PCI DSS v4

Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. The scope of BigCommerce’s PCI Attestation of Compliance (AOC) includes all systems, networks, and applications that process, store, or transmit cardholder data, and also systems that are used to secure and log access to the systems in scope.

BigCommerce undergoes at least an annual third-party audit to certify BigCommerce against the PCI DSS. BigCommerce provides an e-commerce application which customers may use to build a storefront that stores, processes, or transmits cardholder data; it is important to note that customers remain responsible for ensuring that their own storefront is PCI DSS compliant.

As a PCI DSS v4 Level 1 Merchant, BigCommerce accepts payments for subscriptions via the BMP billing application (manage.bigcommerce.com) which is used by all customers.

As a PCI DSS v4 Level 1 Service Provider, BigCommerce facilitates the tools for merchants to accept credit card payments at their individual eShops. Merchants provide BigCommerce with the name of the payment gateway provider of their choice and their individual Merchant IDs; BigCommerce configures the merchant eShops with a shopping cart that enables them to accept credit/debit card payments.

Our 2024 PCI AOCs are available here: https://security.bigcommerce.com/?itemUid=53e1508c-665e-45a8-9ce0-03fdf9ae1efb&source=click


Preparing for NIS 2

Compliance

Now that NIS 2 has been adopted by the European Council and Parliament, the process shifts to the EU's 27 member states, which must codify the directive into national law by October 2024.

As EU member states focus on the requirements related to NIS 2, there are still outstanding questions about the sector-specific schemes that organizations will use to certify compliance with NIS 2, which could substantially impact how the legislation operates in practice.

BigCommerce believes we are in a good position to comply with the cybersecurity measures NIS 2 focuses on, given our commitment to ensuring that our e-commerce platform and security tools support the highest standard of compliance. We’ve spent the better part of a decade developing mature processes for risk governance, incident reporting, and vulnerability management to support our compliance journey.

BigCommerce will continue to focus on building trust with European governments and enterprises by delivering e-commerce solutions that meet their regulatory, digital sovereignty, sustainability, and economic objectives.


ISO 27001:2022 (Information Security), ISO 27017 (Cloud Security), & ISO 27018 (Cloud Privacy) Certifications

Compliance

We're excited to share some good news! This week we have been officially certified for both ISO 27017 and ISO 27018. These rigorous certifications layered on top of ISO 27001:2022 validate our commitment to excellence in Cloud Security and Cloud Privacy. Achieving these certifications demonstrates our dedication to earning and maintaining your trust.

The certificate scope comprises the BigCommerce Information Security Management System (ISMS) and Privacy Information Management System (PIMS) supporting the operations underlying the BigCommerce e-commerce SaaS offering, consisting of a cloud-hosted online storefront, a cloud hosted checkout process, and a back-end administration portal, as well as Application Programming Interfaces (APIs) to support these processes. These activities are governed by the Statement of Applicability based on ISO/IEC 27001:2022 as extended by the Processor controls described within ISO/IEC 27701:2019 and the additional controls defined within ISO/IEC 27017:2015 and ISO/IEC 27018:2019. The organizational scope includes the Infrastructure Engineering, Software Engineering, Information Technology, Cybersecurity & Governance, Risk and Compliance (GRC), Legal, and People teams affecting the ISMS and PIMS.


ISO 22301:2019 Business Continuity Certification

Compliance

The International Organization for Standardization (ISO) is an independent, non-governmental international organization with an international membership of 163 national standards bodies.

ISO 22301:2019 is an international standard for business continuity management that is designed to help organizations implement, maintain and improve a management system to prevent, prepare for, respond and recover from disruptions when they arise.

BigCommerce's e-commerce SaaS platform is certified as ISO 22301:2019 compliant after undergoing an audit by an independent third-party auditor. Compliance with this standard demonstrates that BigCommerce products and services meet the requirements defined by ISO 22301:2019.

The BigCommerce ISO 22301:2019 certificate is publicly available.


BigCommerce has successfully completed its SOC 1 Type 2 examination

Compliance

Continuing BigCommerce’s commitment to prioritize security and transparency, we have successfully completed our SOC 1 Type 2 examination! 🚀 This achievement underscores our unwavering commitment to maintaining the highest standards of reliability in our operations.

A SOC1 Type 2 report evaluates the fairness of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.

This report provides assurance to customers and their auditors that BigCommerce takes compliance seriously, particularly for the controls that affect customers' financial reporting. It enhances trust and confidence in BigCommerce's operations and services by demonstrating a commitment to maintaining high standards of control and accountability.

Thank you for your ongoing support and trust in BigCommerce! 🌟


Avoid and Report BigCommerce Scams

General

By focusing on providing the best user experience possible, BigCommerce has earned a trusted brand name. Unfortunately, unscrupulous people sometimes try to use the BigCommerce brand to scam and defraud others. Here are ways that you can avoid and report them.

GOLDEN RULES:

  1. Slow it down - Scams are often designed to create a sense of urgency. Take time to ask questions and think it through.
  2. Spot check - Do your research to double check the details you are getting. Does what they’re telling you make sense?
  3. Stop! Don’t send - No reputable person or agency will ever demand payment or your personal information on the spot.

If you receive a text message, or email or phone call from someone claiming to be BigCommerce, especially if you are being asked to provide personal information, or payment (e.g. via Telegram or WhatsApp), follow the Golden Rules above.

Contact BigCommerce for confirmation through live chat, phone support or email support.


BigCommerce joins EU-US Data Privacy Framework

Compliance

On 10 July 2023, the European Commission finalized an adequacy decision for the EU-US Data Privacy Framework ("DPF"), a voluntary framework that normalizes cross-border data transfers under GDPR. The European Commission concluded that the DPF provides an essentially equivalent level of protection under Article 45 GDPR and that recent changes in U.S. law adequately address concerns about government surveillance raised by the Court of Justice of the European Union in its Schrems II ruling.

As an existing EU-US Privacy Shield member, BigCommerce became a member of the DPF immediately upon effect of the European Commission's adequacy decision. Joining the DPF provides BigCommerce with a valid legal basis for US-bound data transfers and reflects BigCommerce's commitment to data transfer compliance.

Consistent with this commitment, BigCommerce intends to continue to adhere to the Standard Contractual Clauses (SCCs) as well as the supplemental security measures articulated in the BigCommerce DPA and detailed at security.bigcommerce.com, in addition to complying with DPF principles. Among other things, merchants that utilize our regional hosting capabilities will continue to be hosted primarily on our EU- or APAC-based infrastructure.


SOC1 Type II & SOC2 Type II Reports Renewed with No Exceptions and SOC3 Awarded

Compliance

As with any enterprise-grade platform, it's critical that the BigCommerce e-commerce SaaS platform operate with the highest standards of confidentiality, integrity, privacy, security and business resiliency. The BigCommerce e-commerce SaaS platform has been awarded two important industry designations that attest to the rigor with which BigCommerce protects its customers' information: SOC1 Type II and SOC2 Type II. These Reports were awarded with no exceptions, along with a SOC3 Report. Together with our Information Security Management System (ISO 27001), our Business Continuity Management System (ISO 22301) and our Privacy Information Management System (ISO 27701) we strive to earn and maintain our customers' trust.

Our new SOC Reports are available here: https://security.bigcommerce.com/?itemUid=9fabdf99-e0fd-4592-8898-6bd024317e08&source=click


BigCommerce and PCI DSS

Compliance

The PCI Security Standards Council is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide. The Standards Council was established by the major credit card associations (Visa, MasterCard, American Express, Discover, JCB) as a separate organization to define appropriate practices that merchants and service providers should follow to protect cardholder data. It is this council of companies that created the Payment Card Industry (PCI) Data Security Standard (DSS).

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. The scope of BigCommerce’s PCI Attestation of Compliance (AOC) includes all systems, networks, and applications that process, store, or transmit cardholder data, and also systems that are used to secure and log access to the systems in scope.

BigCommerce undergoes at least an annual third-party audit to certify BigCommerce against the PCI DSS. BigCommerce provides an e-commerce application which customers may use to build a storefront that stores, processes, or transmits cardholder data; it is important to note that customers remain responsible for ensuring that their own storefront is PCI DSS compliant.

As a PCI DSS Level 1 Merchant, BigCommerce accepts payments for subscriptions via the BMP billing application (manage.bigcommerce.com) which is used by all customers.

As a PCI DSS Level 1 Service Provider, BigCommerce facilitates the tools for merchants to accept credit card payments at their individual eShops. Merchants provide BigCommerce with the name of the payment gateway provider of their choice and their individual Merchant IDs; BigCommerce configures the merchant eShops with a shopping cart that enables them to accept credit/debit card payments.

Our 2023 PCI AOCs are available here: https://security.bigcommerce.com/?itemUid=53e1508c-665e-45a8-9ce0-03fdf9ae1efb&source=title


Zero-day MOVEit Transfer Vulnerability exploited in the wild, heavily targeting North America

Vulnerabilities

What is MOVEit? The MOVEit managed file transfer (MFT) software product was initially developed and released in the early 2000s by a company called Standard Networks. This firm was subsequently acquired by network software specialist Ipswitch, which was itself bought by Progress in 2019.

On Wednesday 31 May 2023, Progress announced it had discovered and patched a critical vulnerability in MOVEit impacting all users of the MOVEit transfer product.

Tracked as CVE-2023-34362, the bug is a SQL injection vulnerability that could allow an unauthenticated attacker to gain access to the MOVEit Transfer database and, depending on whether MySQL, Microsoft SQL Server or Azure SQL is the database engine in use, infer information about the structure and contents of the database and execute SQL statements that alter or delete elements of it.

BigCommerce can confirm that we have conducted an internal investigation and we have no evidence of impact. BigCommerce will continue to monitor the situation closely and will provide updates as they become available to us.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-34362 Reference: https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023


BigCommerce achieves full certification to the ISO 27701:2019 and ISO 22301:2019 standards

Compliance

BigCommerce's certifications, completed by cybersecurity advisory group Coalfire ISO and evaluated by an independent quality assurance organization, ensure that the company has established a formal set of policies, procedures, processes and systems that manage information risks, privacy risks and business resiliency risks for its digital and physical presence.

  • ISO 27701, also known as the Privacy Information Management System (PIMS) framework, is the data privacy extension to ISO 27001, which outlines controls and processes for managing data privacy and protecting PII.

  • ISO 22301 is the recognized international standard for Business Continuity Management Systems (BCMS), published by the International Organization for Standardization (ISO).

The ISO 27701 and ISO 22301 certifications are the latest in a series of commitments BigCommerce is making to its information security, privacy, compliance and regulation practices.


BigCommerce Terms of Service and Subprocessor Update

Subprocessors

BigCommerce is committed to open, transparent communications that put our users first. We have recently made several important privacy-related updates to our Terms of Service (TOS), including:

  • Incorporating our Data Processing Addendum (DPA) into our TOS. Our DPA makes certain commitments to merchants about how we use and protect their customers' personal data when acting as a processor. Where merchants have already executed a separate data protection agreement with BigCommerce, the executed agreement will remain in force and prevail except where the TOS provides a more stringent level of data protection.
  • Updating our Privacy Policy to account for new privacy laws and clarify how we use, share, and retain personal data, including additional information about our efforts to respond to data subject access requests.

Relatedly, we will soon make several changes to our list of third-party subprocessors. These changes are the result of substantial internal efforts to minimize shopper data as part of our broader commitment to our merchants’ privacy.

We are providing information about the type of shopper data that may be processed by our subprocessors, as well as how merchants can avoid the use of certain subprocessors.

We encourage you to read the full Terms of Service at https://www.bigcommerce.com/terms/ and view our list of third-party subprocessors.

For current customers, additional information about the protections we employ when processing shopper data can be found in this Platform Trust Center, in our Data Protection & Transfer Impact Summary.

If you have any questions, please visit the BigCommerce Help Center or contact us: https://www.bigcommerce.com/contact/


OpenSSL 3 Vulnerability

Incidents

Update: BigCommerce is not affected by this vulnerability.


On Oct 25, 2022 the OpenSSL project announced a forthcoming release of OpenSSL (version 3.0.7) to address a critical security vulnerability, scheduled to go live on Tuesday, November 1, 2022. Versions prior to 3.0.0 are confirmed as not vulnerable. BigCommerce has checked our own systems and tools for usage of vulnerable versions of OpenSSL and will be on alert for any impacts when the vulnerability details are disclosed.

Reference:

This advisory will be updated as new information is provided.


BugCrowd - BigCommerce's Bug Bounty Program

General

BigCommerce believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher to help us identify vulnerabilities in our applications. Good luck, and happy hunting!

Report your findings using the link on the footer of this page.


BigCommerce Data Protection & Transfers Impact Summary

General

This report is found under the 'Other Reports' tile. It is a summary of BigCommerce's data protection and transfer practices. This document is not legal advice and does not provide an exhaustive list of the protections maintained by BigCommerce. For the avoidance of doubt, the information provided in this document is BigCommerce confidential and proprietary information and can be shared only: (i) in relation to a legitimate business purpose; and (ii) subject to an appropriate confidentiality expectation or obligation.


BigCommerce 2022 PCI AOC's are available now

Compliance

BigCommerce operates as a PCI DSS Level 1 Service Provider and Level 1 Merchant, accepting online payments by card-not-present transactions only. Current PCI AOC issuance date: 6/13/2022. PCI AOCs are available from the 'Compliance' tile under the PCI DSS link.

As a PCI DSS Level 1 Merchant, BigCommerce accepts payments for subscriptions via the BMP billing application (manage.bigcommerce.com) which is used by all customers.

As a PCI DSS Level 1 Service Provider, BigCommerce facilitates the tools for merchants to accept credit card payments at their individual eShops. Merchants provide BigCommerce with the name of the payment gateway provider of their choice and their individual Merchant IDs; BigCommerce configures the merchant eShops with a shopping cart that enables them to accept credit/debit card payments.


GitHub Security Alert

Incidents

GitHub revealed on 4/15/2022 that an attacker was using stolen OAuth user tokens issued to Heroku and Travis-CI to download data from private repositories. BigCommerce can confirm that we have conducted an internal investigation and we have no evidence of impact. BigCommerce will continue to monitor the situation closely and will provide updates as they become available to us.

Reference: https://status.heroku.com/incidents/2413 https://github.blog/2022-04-15-security-alert-stolen-oauth-user-tokens/


PCI DSS 4.0 is Released

General

The PCI Security Standards Council has published version 4.0 of the PCI Data Security Standard (PCI DSS). The updated standard and Summary of Changes document are available now on the PCI SSC website: https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

VIEW: “PCI DSS v4.0 At a Glance” an overview document on the changes to PCI DSS v4.0. https://www.pcisecuritystandards.org/documents/PCI-DSS-v4-0-At-A-Glance.pdf


Recently disclosed SpringShell RCE vulnerability

Incidents

Published on 3/31/2022. BigCommerce became aware of the recently disclosed CVE-2022-22965 ("SpringShell") RCE vulnerability in spring-beans before 5.2.20/5.3.18. BigCommerce has conducted an internal investigation and confirms that we have no evidence that BigCommerce customers or internal employees have been targeted or impacted by this vulnerability.

BigCommerce will continue to monitor the situation closely and will provide updates where we have them available to us.

BigCommerce values the security of its services extremely highly and to this end we maintain appropriate industry accepted third party accreditation of our security controls and program.


Update on the recently disclosed OKTA and Microsoft security Incidents

Incidents

Published on 3/31/2022. BigCommerce has been made aware of both the recent potential Okta security incident and the recent potential Microsoft security incident and is actively assessing the situation as events unfold.

We have been in touch with Okta and have no evidence of impact to BigCommerce. We have researched the Microsoft issue and found no evidence of impact to BigCommerce. We continue to monitor both situations closely and will provide updates as they become available to us.

Okta statement: https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/
Microsoft statement: https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/


US CISA Shields Up Notice

General

The US Cybersecurity & Infrastructure Security Agency provides guidance for organizations to prepare for, respond to, and mitigate the impact of cyber attacks during this period of unrest. https://www.cisa.gov/shields-up


SECURITY NOTICE: about the recently disclosed Log4j vulnerabilities

Incidents

SECURITY NOTICE about the recently disclosed Log4j vulnerabilities. References:
  • https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
  • https://logging.apache.org/log4j/2.x/security.html
  • https://nvd.nist.gov/vuln/detail/CVE-2021-44228
  • https://nvd.nist.gov/vuln/detail/CVE-2021-45046
  • https://nvd.nist.gov/vuln/detail/CVE-2021-45105
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104

Exploits for vulnerabilities affecting Apache's Log4j, collectively known as "Log4Shell", were publicly disclosed on December 9, 2021.

There have been reports confirming that active scanning and exploitation attempts are occurring in the wild across a variety of Internet connected systems, separate and unrelated to BigCommerce systems.

BigCommerce has been working diligently to assess our internal systems and 3rd party dependencies in order to mitigate what has become a ubiquitous vulnerability for attackers.

What is the impact? From our investigation no impact to our platform has been identified. Merchants and partners are strongly encouraged to assess their own environments for this vulnerability and remediate immediately.

Who is impacted? Versions of Log4j 2 from 2.0-beta9 to 2.15.0, excluding 2.12.2, are affected; the Apache security page referenced above lists the exact affected range and fixed release for each of the CVEs. An extensive list of responses from impacted organizations has been compiled here for greater context: https://www.bleepingcomputer.com/news/security/log4j-list-of-vulnerable-products-and-vendor-advisories/

What action is required for BigCommerce's customers? No action is required related to your BigCommerce store. However, if you have engaged a third party development partner or leverage 3rd party applications you are strongly encouraged to request confirmation that they are not vulnerable to the Log4j vulnerability.

Note: BigCommerce will not send you any code to upload to your site or require you to install anything on your computer or in your store.
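The version check a merchant or partner would run against their own dependency list when assessing their environment, as an added example (not BigCommerce's tooling and not code from the original notice). It applies the range stated above, 2.0-beta9 through 2.15.0 excluding 2.12.2, and keys on the log4j-core artifact because that is the jar carrying the JNDI lookup the Log4Shell CVEs target. The Maven coordinate and jar-name formats it accepts, and the sample manifest, are constructed assumptions for the demonstration; adjust the range constants if the Apache security page gives a different range for the CVE you are tracking.

```python
import re
from typing import List, Optional, Tuple

# Affected range as stated in the notice above: Log4j 2 from 2.0-beta9
# through 2.15.0, excluding 2.12.2. The Apache security page gives the
# per-CVE ranges; adjust these constants if you track a different one.
FIRST_AFFECTED = "2.0-beta9"
LAST_AFFECTED = "2.15.0"
EXCLUDED_VERSIONS = {"2.12.2"}

# Log4j 2 version strings: "2.15.0", "2.0-beta9", "2.0-rc1", "2.0".
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:-(?P<pre>alpha|beta|rc)(?P<pre_num>\d+)?)?$",
    re.IGNORECASE,
)
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts after any pre-release of the same number

# Assumed input formats: Maven coordinates (group:artifact:version) and jar paths.
_COORD_RE = re.compile(r"^(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<version>[\w.\-]+)$")
_JAR_RE = re.compile(r"^(?:.*/)?log4j-core-(?P<version>\d[\w.\-]*)\.jar$")

# Constructed sample input for the demonstration; not a real dependency list.
SAMPLE_MANIFEST = [
    "org.apache.logging.log4j:log4j-core:2.14.1",  # inside the stated range
    "org.apache.logging.log4j:log4j-core:2.12.2",  # explicitly excluded
    "org.apache.logging.log4j:log4j-core:2.17.0",  # above the stated range
    "org.apache.logging.log4j:log4j-api:2.14.1",   # API jar; the JNDI lookup lives in log4j-core
    "lib/log4j-core-2.0-beta9.jar",                # first affected build
    "log4j-core-2.15.0.jar",                       # last build in the stated range
    "log4j:log4j:1.2.17",                          # Log4j 1.x: separate code base, not covered here
]


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Log4j 2 version string into a sortable tuple.

    Ordering: 2.0-beta9 < 2.0-rc1 < 2.0 < 2.0.1 < 2.15.0.
    Raises ValueError for strings the pattern does not recognise.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Log4j version string: {text!r}")
    pre = match.group("pre")
    pre_rank = _PRE_RANK[pre.lower()] if pre else _FINAL_RANK
    pre_num = int(match.group("pre_num") or 0)
    return (
        int(match.group("major")),
        int(match.group("minor")),
        int(match.group("patch") or 0),
        pre_rank,
        pre_num,
    )


def is_affected(version: str) -> bool:
    """True if a log4j-core version falls inside the range stated in the notice."""
    if version.strip() in EXCLUDED_VERSIONS:
        return False
    low, high = parse_version(FIRST_AFFECTED), parse_version(LAST_AFFECTED)
    return low <= parse_version(version) <= high


def log4j_core_version(entry: str) -> Optional[str]:
    """Extract the version from a log4j-core coordinate or jar path, else None."""
    entry = entry.strip()
    coord = _COORD_RE.match(entry)
    if coord:
        if (coord.group("group") == "org.apache.logging.log4j"
                and coord.group("artifact") == "log4j-core"):
            return coord.group("version")
        return None
    jar = _JAR_RE.match(entry)
    return jar.group("version") if jar else None


def scan(entries: List[str]) -> List[Tuple[str, str]]:
    """Classify each entry as affected, not affected, unparsed, or out of scope."""
    results = []
    for entry in entries:
        version = log4j_core_version(entry)
        if version is None:
            results.append((entry, "out of scope"))
            continue
        try:
            verdict = "affected" if is_affected(version) else "not affected"
        except ValueError:
            verdict = "unparsed"  # do not silently pass an unrecognised version
        results.append((entry, verdict))
    return results


if __name__ == "__main__":
    for entry, verdict in scan(SAMPLE_MANIFEST):
        print(f"{verdict:13} {entry}")
```

Entries that are not log4j-core are reported as out of scope rather than silently dropped, and a version string the parser does not recognise is reported as unparsed, so the output always accounts for every input line. A version check only covers what is declared in a manifest; shaded or nested jars that embed log4j-core still need to be found on disk.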


If you think you may have discovered a vulnerability, please send us a note.

Powered by SafeBase