Platform Trust Center


Welcome to BigCommerce's Trust Center. This Trust Center provides transparency into our security, privacy and business continuity management systems. Our commitment to data privacy and security is embedded in every part of our business.

BigCommerce's Advantage: Its PCI DSS v4 Level 1 certifications, both as Merchant and as Service Provider, offer a major advantage over other eCommerce service providers, simplifying compliance for customers and signaling a high level of security for handling payment information. This is a big advantage over eCommerce platforms that rely on partners for PCI DSS compliance. Our direct Level 1 certifications indicate stricter internal infrastructure for data handling.

If you have strict regulatory needs, BigCommerce's out-of-the-box compliance may provide significant peace of mind. As a cloud native, dedicated eCommerce platform, BigCommerce prioritizes security features specifically tailored to eCommerce threats compared to broader-use platforms offered by competitors. Advantages include:

  • Collaborative threat intelligence: BigCommerce proactively engages with industry-specific (RH-ISAC) and broader cybersecurity communities. This demonstrates a commitment to stay informed about the latest threats targeting retail, hospitality, and other consumer-facing businesses.
  • Diverse Sources: Participation in multiple organizations (RH-ISAC, InfraGard, RecordedFuture, Mandiant) ensures we receive a wide spectrum of threat intel from analysts, researchers, and peers facing similar challenges.
  • Actionable Insights: Membership implies active utilization of threat intel to improve our platform's defenses. We proactively use shared threat intel to adapt our security posture.
  • Compliance with ISO 27001:2022, ISO 27017, ISO 27018, ISO 27701, ISO 22301 demonstrates a commitment to continuous risk identification and mitigation which translates to a more secure environment for customers using our platform.

Ensuring your information is private, safe and secure is critical to us. Every day, every store, every request, every visitor, every purchase, we are committed to the security, privacy and business resilience of your e-commerce business/brand.

We provide privacy and security tools for your online store so you're in control. Reduce cost and complexity with an e-commerce platform designed with the secure functionality your business needs. With more built-in features and security certifications than other leading platforms, BigCommerce gives you the power to grow your business securely from day one.

BigCommerce regularly undergoes independent audits of security, privacy and business continuity controls, achieving certifications against global industry standards. We pride ourselves on our security culture and transparency and we encourage you to subscribe to our security website, security.bigcommerce.com to receive regular updates. Whether it's standard SOC or PCI compliance documentation, or learning more about how we hold ourselves to high ISO standards, or our involvement with other leading retailers as members of the RH-ISAC, BigCommerce is dedicated to safeguarding our platform so that you can focus on your customer and business success.

Information Security Policy

Knowledge Base (FAQ)

    Are processes, procedures, and technical measures defined, implemented, and evaluated for the transfer and sub-processing of personal data within the service supply chain (according to any applicable laws and regulations)?
    Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure personal data is processed (per applicable laws and regulations and for the purposes declared to the data subject)?
    Are processes, procedures, and technical measures defined, implemented, and evaluated to enable data subjects to request access to, modify, or delete personal data (per applicable laws and regulations)?
    Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope (as permitted by respective laws and regulations)?
    Is a data protection impact assessment (DPIA) conducted when processing personal data and evaluating the origin, nature, particularity, and severity of risks according to any applicable laws, regulations and industry best practices?

Platform Trust Center Updates

Polyfill.io Malicious Code

General

Polyfill.io supply chain attacks

Security researchers have discovered a serious security issue involving the JavaScript library service Polyfill.io. The domains cdn.polyfill.io and polyfill.io, which have historically hosted helpful code for web developers, are now serving modified versions of those scripts to inject malicious code into websites.

Who is affected? Security researchers estimate that over 100,000 websites are affected by this attack. While BigCommerce-controlled properties remain secure, these scripts may have been added to your website for legitimate purposes by you, a developer working for you, or an app you installed on your website. If your website uses any JavaScript code from the polyfill.io domain, we urge you to review your website's scripting and remove it as you deem necessary.

What are the risks? The malicious code injected by polyfill.io can perform various harmful activities, including:

  • Redirecting users to phishing or other malicious websites
  • Stealing sensitive user information
  • Further propagating malware to visitors' devices

What should you do? If your website uses code from the polyfill.io domain, you should take immediate action:

  1. Remove all Polyfill.io code: Remove scripts hosted on polyfill.io and cdn.polyfill.io from your website. If polyfills are needed, find an alternate service to load them from. Impacted scripts can be identified by checking the source URL in Script Manager or retrieving the script’s configuration via the management API. If the script was installed by an app, we recommend either contacting the app’s developer or discontinuing use of the app.

  2. Protect your site with Subresource Integrity: Subresource Integrity (SRI) is a browser feature that can prevent tampered scripts from executing by requiring remote scripts to pass integrity checks. To learn how to configure SRI in Script Manager, consult our documentation here and here.

  3. Scan for malware: Regularly conduct security scans of your website to check for any other potential vulnerabilities or compromises.

  4. Monitor for suspicious activity: Keep a close eye on your website analytics and traffic patterns for any unusual activity.

BigCommerce has taken and continues to take proactive measures to mitigate risks related to Polyfill.io, and we continue to monitor the situation closely. We urge all website owners and developers to take this threat seriously and act promptly to protect their users and their own digital assets.

Where can you get more information? For further details and updates on this security issue, please refer to the following resources:


Beware of fraudulent job offers!

General

BigCommerce would like to remind the public that legitimate employers will never ask for money during the hiring process. This includes requests for payment for background checks, training materials, or software.

If you receive a job offer that seems suspicious or requires payment, do not provide any personal information or financial details. Instead, report the scam to the appropriate authorities.

Here are some tips for spotting job offer scams:

  • Unsolicited offers: Be cautious of job offers from companies you haven't applied to, especially if they seem too good to be true.
  • Requests for payment: Legitimate employers will not ask you to pay for anything upfront.
  • Poor grammar and spelling: Scam emails often contain numerous errors.
  • High-pressure tactics: Scammers may try to rush you into making a decision.

If you think you have been a victim of a job offer scam, here's what to do:

  • Stop all communication with the scammer.
  • Notify the website or platform where you found the job posting.
  • Monitor your financial accounts for any unauthorized activity.

By staying informed and vigilant, you can protect yourself from falling victim to job offer scams.

Remember: BigCommerce is committed to fair and transparent hiring practices. We will never ask for payment during the hiring process.

For more information on job scams, please visit the Federal Trade Commission's website at https://consumer.ftc.gov/all-scams/job-scams.


PCI DSS v4

Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. The scope of BigCommerce’s PCI Attestation of Compliance (AOC) includes all systems, networks, and applications that process, store, or transmit cardholder data, and also systems that are used to secure and log access to the systems in scope.

BigCommerce undergoes at least an annual third-party audit to certify BigCommerce against the PCI DSS. This means that BigCommerce provides an e-commerce application that customers may use to build a storefront that stores, processes, or transmits cardholder data. It is important to note that customers are still responsible for ensuring that their storefront is PCI DSS compliant.

As a PCI DSS v4 Level 1 Merchant, BigCommerce accepts payments for subscriptions via the BMP billing application (manage.bigcommerce.com) which is used by all customers.

As a PCI DSS v4 Level 1 Service Provider, BigCommerce facilitates the tools for merchants to accept credit card payments at their individual eShops. Merchants provide BigCommerce with the name of the payment gateway provider of their choice and their individual Merchant IDs; BigCommerce configures the merchant eShops with a shopping cart that enables them to accept credit/debit card payments.

Our 2024 PCI AOCs are available here: https://security.bigcommerce.com/?itemUid=53e1508c-665e-45a8-9ce0-03fdf9ae1efb&source=click


Preparing for NIS 2

Compliance

Now that NIS 2 has been adopted by the European Council and Parliament, the process shifts to the EU’s 27 member states, which must codify the directive into national law by October 2024.

As EU member states focus on the requirements related to NIS 2, there are still outstanding questions about the sector-specific schemes that organizations will use to certify compliance with NIS 2, which could substantially impact how the legislation operates in practice.

BigCommerce believes we are in a good position to comply with the cybersecurity measures NIS 2 focuses on, given our commitment to ensuring that our e-commerce platform and security tools support the highest standard of compliance. We’ve spent the better part of a decade developing mature processes for risk governance, incident reporting, and vulnerability management to support our compliance journey.

BigCommerce will continue to focus on building trust with European governments and enterprises by delivering e-commerce solutions that meet their regulatory, digital sovereignty, sustainability, and economic objectives.


ISO 27001:2022 (Information Security), ISO 27017 (Cloud Security), & ISO 27018 (Cloud Privacy) Certifications

Compliance

We're excited to share some good news! This week we have been officially certified for both ISO 27017 and ISO 27018. These rigorous certifications layered on top of ISO 27001:2022 validate our commitment to excellence in Cloud Security and Cloud Privacy. Achieving these certifications demonstrates our dedication to earning and maintaining your trust.

The certificate scope comprises the BigCommerce Information Security Management System (ISMS) and Privacy Information Management System (PIMS) supporting the operations underlying the BigCommerce e-commerce SaaS offering, consisting of a cloud-hosted online storefront, a cloud hosted checkout process, and a back-end administration portal, as well as Application Programming Interfaces (APIs) to support these processes. These activities are governed by the Statement of Applicability based on ISO/IEC 27001:2022 as extended by the Processor controls described within ISO/IEC 27701:2019 and the additional controls defined within ISO/IEC 27017:2015 and ISO/IEC 27018:2019. The organizational scope includes the Infrastructure Engineering, Software Engineering, Information Technology, Cybersecurity & Governance, Risk and Compliance (GRC), Legal, and People teams affecting the ISMS and PIMS.


If you think you may have discovered a vulnerability, please send us a note.
