BigCommerce Trust Center


Welcome to BigCommerce's Trust Center.

At BigCommerce, security, privacy and resilience are built into the core of our platform. We're committed to providing a secure and reliable e-commerce experience for both you and your customers.

Here's how we stand out:

- Unmatched Payment Security: We don't just rely on payment providers for security. BigCommerce holds Level 1 PCI AOCs as both Merchant and Service Provider, the highest level of certification, demonstrating our commitment to protecting your customers' data and simplifying your compliance journey.

- Proactive Threat Intelligence: By partnering with trusted threat intelligence providers like Recorded Future and engaging with communities like RH-ISAC, InfraGard, and the Cybersecurity and Infrastructure Security Agency (CISA), BigCommerce proactively fortifies its platform against emerging attacks.

- Comprehensive Compliance: Our adherence to ISO 27001:2022, ISO 27017, ISO 27018, ISO 27701, and ISO 22301 demonstrates our unwavering commitment to risk management and data protection.

- Purpose-Built for Enterprise E-commerce: Unlike general-purpose platforms that can hold you back, BigCommerce empowers you with the scalability, control, and advanced security features needed to thrive in the complex world of enterprise e-commerce.

Empowering Your Business

BigCommerce provides the tools you need to manage your store's security and privacy, giving you control. Focus on growing your business with confidence, knowing your data and your customers' data are protected by a platform built on trust.

Stay Informed

For the latest security updates and documentation, subscribe to this Platform Trust Center.

If you have questions about our Privacy Policy, our Terms of Service, or our privacy practices, please contact us at privacy@BigCommerce.com.

If you have questions about our security practices, please contact us at security@bigcommerce.com.

If you have questions for our sales or support team, please see this site for contact details.


BigCommerce Trust Center Updates

Report Illegal Content

Compliance

In support of the EU Digital Services Act (Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC) (the “DSA”), BigCommerce maintains a site that allows submitting applicable reports: https://www.bigcommerce.com/privacy/report-illegal-content/


📢 Calling all security researchers! 📢

Vulnerabilities

We're excited to announce that we've doubled the rewards for our Bug Bounty program on Bugcrowd! 🎉 This means bigger payouts for you when you help us find and fix vulnerabilities. But it's about more than just money – we truly value the skills and dedication of security researchers, and we're committed to recognizing your contributions. A huge thank you to everyone who has already participated in our program – your work has been invaluable! We're eager to see even more researchers join us on this journey. And stay tuned... we'll be launching some exciting new private programs soon! 🚀 Ready to make a real impact? Join our Bug Bounty program today and help us build a more secure future! 💪💻

Join the program: https://bugcrowd.com/engagements/bigcommerce


Polyfill.io Malicious Code

General

Polyfill.io supply chain attacks

Security researchers have discovered a serious security issue involving the JavaScript library service Polyfill.io. The domains cdn.polyfill.io and polyfill.io, which have historically hosted helpful code for web developers, are now serving modified versions of those scripts to inject malicious code into websites.

Who is affected? Security researchers estimate that over 100,000 websites are affected by this attack. While BigCommerce-controlled properties remain secure, these scripts may have been added to your website for legitimate purposes by you, by a developer working for you, or by an app you installed on your website. If your website loads any JavaScript from the polyfill.io domain, we urge you to review your website's scripts and remove them as you deem necessary.

What are the risks? The malicious code injected by polyfill.io can perform various harmful activities, including:

  • Redirecting users to phishing or other malicious websites
  • Stealing sensitive user information
  • Further propagating malware to visitors' devices

What should you do? If your website uses code from the polyfill.io domain, you should take immediate action:

  1. Remove all Polyfill.io code: Remove scripts hosted on polyfill.io and cdn.polyfill.io from your website. If polyfills are needed, find an alternate service to load them from. Impacted scripts can be identified by checking the source URL in Script Manager or retrieving the script’s configuration via the management API. If the script was installed by an app, we recommend either contacting the app’s developer or discontinuing use of the app.

  2. Protect your site with Subresource Integrity: Subresource Integrity (SRI) is a browser feature that can prevent tampered scripts from executing by requiring remote scripts to pass integrity checks. To learn how to configure SRI in Script Manager, consult our documentation here and here.

  3. Scan for malware: Regularly conduct security scans of your website to check for any other potential vulnerabilities or compromises.

  4. Monitor for suspicious activity: Keep a close eye on your website analytics and traffic patterns for any unusual activity.

BigCommerce has taken and continues to take proactive measures to mitigate risks related to Polyfill.io, and we continue to monitor the situation closely. We urge all website owners and developers to take this threat seriously and act promptly to protect their users and their own digital assets.

Where can you get more information? For further details and updates on this security issue, please refer to the following resources:


Beware of fraudulent job offers!

General

BigCommerce would like to remind the public that legitimate employers will never ask for money during the hiring process. This includes requests for payment for background checks, training materials, or software.

If you receive a job offer that seems suspicious or requires payment, do not provide any personal information or financial details. Instead, report the scam to the appropriate authorities.

Here are some tips for spotting job offer scams:

  • Unsolicited offers: Be cautious of job offers from companies you haven't applied to, especially if they seem too good to be true.
  • Requests for payment: Legitimate employers will not ask you to pay for anything upfront.
  • Poor grammar and spelling: Scam emails often contain numerous errors.
  • High-pressure tactics: Scammers may try to rush you into making a decision.

If you think you have been a victim of a job offer scam, here's what to do:

  • Stop all communication with the scammer.
  • Notify the website or platform where you found the job posting.
  • Monitor your financial accounts for any unauthorized activity.

By staying informed and vigilant, you can protect yourself from falling victim to job offer scams.

Remember: BigCommerce is committed to fair and transparent hiring practices. We will never ask for payment during the hiring process.

For more information on job scams, please visit the Federal Trade Commission's website at https://consumer.ftc.gov/all-scams/job-scams.


PCI DSS v4

Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. The scope of BigCommerce’s PCI Attestation of Compliance (AOC) includes all systems, networks, and applications that process, store, or transmit cardholder data, and also systems that are used to secure and log access to the systems in scope.

BigCommerce undergoes a third-party audit at least annually to certify the platform against the PCI DSS. BigCommerce provides an e-commerce application that customers may use to build a storefront that stores, processes, or transmits cardholder data. It is important to note that customers remain responsible for ensuring that their own storefront is PCI DSS compliant.

As a PCI DSS v4 Level 1 Merchant, BigCommerce accepts payments for subscriptions via the BMP billing application (manage.bigcommerce.com) which is used by all customers.

As a PCI DSS v4 Level 1 Service Provider, BigCommerce facilitates the tools for merchants to accept credit card payments at their individual eShops. Merchants provide BigCommerce with the name of the payment gateway provider of their choice and their individual Merchant IDs; BigCommerce configures the merchant eShops with a shopping cart that enables them to accept credit/debit card payments.

Our 2024 PCI AOCs are available here: https://security.bigcommerce.com/?itemUid=53e1508c-665e-45a8-9ce0-03fdf9ae1efb&source=click


If you think you may have discovered a vulnerability, please send us a note.
