BigCommerce Trust Center

Important Update: BigCommerce Publishes an updated PCI DSS v4.0.1 Shared Responsibility Matrix

Dear Valued Customer, At BigCommerce, we are committed to maintaining the highest standards of security and compliance, particularly concerning the protection of cardholder data. As part of this commitment, we are pleased to announce an updated PCI DSS v4.0.1 Shared Responsibility Matrix, with updates to customer-facing requirements (6.4.3 & 11.6.1).

This matrix provides a clear and detailed breakdown of the responsibilities shared between BigCommerce and our customers in adhering to the Payment Card Industry Data Security Standard (PCI DSS) v4.0.1. Understanding these shared responsibilities is crucial for ensuring the ongoing security of your payment processing environment.

What is the PCI DSS Shared Responsibility Matrix?

The matrix outlines:

• Specific PCI DSS requirements: It lists relevant requirements from the PCI DSS v4.0.1 standard, with v3.2.1 requirement numbers for reference.
• Responsibilities: It clearly defines which party (you, the customer, or BigCommerce) is responsible for meeting each requirement.
• Clarification: It provides clarity on the scope of our services and your obligations related to PCI DSS compliance.
• Collaboration: It fosters a collaborative approach to maintaining a secure payment ecosystem.

Why is this important?

• Enhanced Security: Understanding your responsibilities helps strengthen your overall security posture.
• Compliance Clarity: It provides a clear roadmap for achieving and maintaining PCI DSS compliance.
• Improved Collaboration: It promotes a transparent and collaborative relationship between BigCommerce and our customers.
• Updated for v4.0.1: It reflects the newest changes and requirements of the current PCI DSS standard.
• Updated with guidance about the impact of integrations and customizations to the responsibility matrix.

Where can you find the matrix?

You can access the PCI DSS v4.0.1 Shared Responsibility Matrix on our Trust Center:.

We encourage you to review this document carefully and familiarize yourself with your responsibilities. If you have any questions or require further clarification, please do not hesitate to contact our support team.

We appreciate your continued partnership and commitment to maintaining a secure payment environment.

Sincerely,

The BigCommerce Compliance Team

In support of the EU Digital Services Act (Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC) (the “DSA”), BigCommerce maintains a site that allows submitting applicable reports: https://www.bigcommerce.com/privacy/report-illegal-content/

We're excited to announce that we've doubled the rewards for our Bug Bounty program on Bugcrowd! 🎉 This means bigger payouts for you when you help us find and fix vulnerabilities. But it's about more than just money – we truly value the skills and dedication of security researchers, and we're committed to recognizing your contributions. A huge thank you to everyone who has already participated in our program – your work has been invaluable! We're eager to see even more researchers join us on this journey. And stay tuned... we'll be launching some exciting new private programs soon! 🚀 Ready to make a real impact? Join our Bug Bounty program today and help us build a more secure future! 💪💻

Join the program:https://bugcrowd.com/engagements/bigcommerce

Polyfill.io supply chain attacks

Security researchers have discovered a serious security issue involving the JavaScript library service Polyfill.io. The domains cdn.polyfill.io and polyfill.io, which have historically hosted helpful code for web developers, are now serving modified versions of those scripts to inject malicious code into websites.

Who is affected? Security researchers indicated that over 100,000 websites are estimated to be affected by this attack. While BigCommerce controlled properties remains secure, these scripts may have been added to your website for legitimate purposes by you, a developer working for you, or an app you installed to your website. If your website uses any JavaScript code from the polyfill.io domain, we urge you to review your website's scripting and remove as you deem necessary.

What are the risks? The malicious code injected by polyfill.io can perform various harmful activities, including:

• Redirecting users to phishing or other malicious websites
• Stealing sensitive user information
• Further propagating malware to visitors' devices

What should you do? If your website uses code from the polyfill.io domain, you should take immediate action:

1. Remove all Polyfill.io code: Remove scripts hosted on polyfill.io and cdn.polyfill.io from your website. If polyfills are needed, find an alternate service to load them from. Impacted scripts can be identified by checking the source URL in Script Manager or retrieving the script’s configuration via the management API. If the script was installed by an app, we recommend either contacting the app’s developer or discontinuing use of the app.

2. Protect your site with Subresource Integrity: Subresource Integrity (SRI) is a browser feature that can prevent tampered scripts from executing by requiring remote scripts to pass integrity checks. To learn how to configure SRI in Script Manager, consult our documentation here and here.

3. Scan for malware: Regularly conduct security scans of your website to check for any other potential vulnerabilities or compromises.

4. Monitor for suspicious activity: Keep a close eye on your website analytics and traffic patterns for any unusual activity.

BigCommerce has taken and continues to take proactive measures to mitigate risks related to Polyfill.io, and we continue to monitor the situation closely. We urge all website owners and developers to take this threat seriously and act promptly to protect their users and their own digital assets.

Where can you get more information? For further details and updates on this security issue, please refer to the following resources:

• Sansec write-up: https://sansec.io/research/polyfill-supply-chain-attack

• SecurityWeek: https://www.securityweek.com/polyfill-supply-chain-attack-hits-over-100k-websites/

• DEV Community: https://dev.to/snyk/polyfill-supply-chain-attack-embeds-malware-in-javascript-cdn-assets-55d6

BigCommerce would like to remind the public that legitimate employers will never ask for money during the hiring process. This includes requests for payment for background checks, training materials, or software.

If you receive a job offer that seems suspicious or requires payment, do not provide any personal information or financial details. Instead, report the scam to the appropriate authorities.

Here are some tips for spotting job offer scams:

• Unsolicited offers: Be cautious of job offers from companies you haven't applied to, especially if they seem too good to be true.
• Requests for payment: Legitimate employers will not ask you to pay for anything upfront.
• Poor grammar and spelling: Scam emails often contain numerous errors.
• High-pressure tactics: Scammers may try to rush you into making a decision.

If you think you have been a victim of a job offer scam, here's what to do:

• Stop all communication with the scammer.
• Notify the website or platform where you found the job posting.
• Monitor your financial accounts for any unauthorized activity.

By staying informed and vigilant, you can protect yourself from falling victim to job offer scams.

Remember: BigCommerce is committed to fair and transparent hiring practices. We will never ask for payment during the hiring process.

For more information on job scams, please visit the Federal Trade Commission's website at https://consumer.ftc.gov/all-scams/job-scams.