Platform Trust Center

Welcome to BigCommerce's Trust Center.

At BigCommerce, security, privacy and resilience are built into the core of our platform. We're committed to providing a secure and reliable e-commerce experience for both you and your customers.

Here's how we stand out:

- Unmatched Payment Security: We don't just rely on payment providers for security. BigCommerce holds Level 1 PCI AOCs as Merchant and as Service Provider, the highest level of certification, demonstrating our commitment to protecting your customers' data and simplifying your compliance journey.

- Proactive Threat Intelligence: By partnering with trusted threat intelligence providers like Recorded Future and engaging with communities like RH-ISAC, InfraGard, and the Cybersecurity and Infrastructure Security Agency (CISA), BigCommerce proactively fortifies its platform against emerging attacks.

- Comprehensive Compliance: Our adherence to ISO 27001:2022, ISO 27017, ISO 27018, ISO 27701, and ISO 22301 demonstrates our unwavering commitment to risk management and data protection.

- Purpose-Built for Enterprise E-commerce: Unlike general-purpose platforms that can hold you back, BigCommerce empowers you with the scalability, control, and advanced security features needed to thrive in the complex world of enterprise e-commerce.

Empowering Your Business

BigCommerce provides the tools you need to manage your store's security and privacy, giving you control. Focus on growing your business with confidence, knowing your data and your customers' data are protected by a platform built on trust.

Stay Informed

For the latest security updates and documentation, subscribe to this Platform Trust Center.

Documents

- Information Security Policy
- Other Reports

Knowledge Base (FAQ)

- Are processes, procedures, and technical measures defined, implemented, and evaluated for the transfer and sub-processing of personal data within the service supply chain (according to any applicable laws and regulations)?
- Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure personal data is processed (per applicable laws and regulations and for the purposes declared to the data subject)?
- Are processes, procedures, and technical measures defined, implemented, and evaluated to enable data subjects to request access to, modify, or delete personal data (per applicable laws and regulations)?
- Are processes, procedures, and technical measures defined, implemented, and evaluated to ensure any transfer of personal or sensitive data is protected from unauthorized access and only processed within scope (as permitted by respective laws and regulations)?
- Is a data protection impact assessment (DPIA) conducted when processing personal data and evaluating the origin, nature, particularity, and severity of risks according to any applicable laws, regulations and industry best practices?
Platform Trust Center Updates

📢 Calling all security researchers! 📢

Vulnerabilities

We're excited to announce that we've doubled the rewards for our Bug Bounty program on Bugcrowd! 🎉 This means bigger payouts for you when you help us find and fix vulnerabilities. But it's about more than just money – we truly value the skills and dedication of security researchers, and we're committed to recognizing your contributions. A huge thank you to everyone who has already participated in our program – your work has been invaluable! We're eager to see even more researchers join us on this journey. And stay tuned... we'll be launching some exciting new private programs soon! 🚀 Ready to make a real impact? Join our Bug Bounty program today and help us build a more secure future! 💪💻

Join the program: https://bugcrowd.com/engagements/bigcommerce

Polyfill.io Malicious Code

General

Polyfill.io supply chain attacks

Security researchers have discovered a serious security issue involving the JavaScript library service Polyfill.io. The domains cdn.polyfill.io and polyfill.io, which have historically hosted helpful code for web developers, are now serving modified versions of those scripts to inject malicious code into websites.

Who is affected? Security researchers estimate that over 100,000 websites are affected by this attack. While BigCommerce-controlled properties remain secure, these scripts may have been added to your website for legitimate purposes by you, by a developer working for you, or by an app you installed on your website. If your website loads any JavaScript from the polyfill.io domain, we urge you to review your website's scripts and remove them as you deem necessary.

What are the risks? The malicious code injected by polyfill.io can perform various harmful activities, including:

  • Redirecting users to phishing or other malicious websites
  • Stealing sensitive user information
  • Further propagating malware to visitors' devices

What should you do? If your website uses code from the polyfill.io domain, you should take immediate action:

  1. Remove all Polyfill.io code: Remove scripts hosted on polyfill.io and cdn.polyfill.io from your website. If polyfills are needed, find an alternate service to load them from. Impacted scripts can be identified by checking the source URL in Script Manager or retrieving the script’s configuration via the management API. If the script was installed by an app, we recommend either contacting the app’s developer or discontinuing use of the app.

  2. Protect your site with Subresource Integrity: Subresource Integrity (SRI) is a browser feature that can prevent tampered scripts from executing by requiring remote scripts to pass integrity checks. To learn how to configure SRI in Script Manager, consult our documentation here and here.

  3. Scan for malware: Regularly conduct security scans of your website to check for any other potential vulnerabilities or compromises.

  4. Monitor for suspicious activity: Keep a close eye on your website analytics and traffic patterns for any unusual activity.

BigCommerce has taken and continues to take proactive measures to mitigate risks related to Polyfill.io, and we continue to monitor the situation closely. We urge all website owners and developers to take this threat seriously and act promptly to protect their users and their own digital assets.

Where can you get more information? For further details and updates on this security issue, please refer to the following resources:


Beware of fraudulent job offers!

General

BigCommerce would like to remind the public that legitimate employers will never ask for money during the hiring process. This includes requests for payment for background checks, training materials, or software.

If you receive a job offer that seems suspicious or requires payment, do not provide any personal information or financial details. Instead, report the scam to the appropriate authorities.

Here are some tips for spotting job offer scams:

  • Unsolicited offers: Be cautious of job offers from companies you haven't applied to, especially if they seem too good to be true.
  • Requests for payment: Legitimate employers will not ask you to pay for anything upfront.
  • Poor grammar and spelling: Scam emails often contain numerous errors.
  • High-pressure tactics: Scammers may try to rush you into making a decision.

If you think you have been a victim of a job offer scam, here's what to do:

  • Stop all communication with the scammer.
  • Notify the website or platform where you found the job posting.
  • Monitor your financial accounts for any unauthorized activity.

By staying informed and vigilant, you can protect yourself from falling victim to job offer scams.

Remember: BigCommerce is committed to fair and transparent hiring practices. We will never ask for payment during the hiring process.

For more information on job scams, please visit the Federal Trade Commission's website at https://consumer.ftc.gov/all-scams/job-scams.


PCI DSS v4

Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards formed in 2004 by Visa, MasterCard, Discover Financial Services, JCB International and American Express. The scope of BigCommerce’s PCI Attestation of Compliance (AOC) includes all systems, networks, and applications that process, store, or transmit cardholder data, and also systems that are used to secure and log access to the systems in scope.

BigCommerce undergoes at least an annual third-party audit to certify BigCommerce against the PCI DSS. BigCommerce provides an e-commerce application that customers may use to build a storefront that stores, processes, or transmits cardholder data. It is important to note that customers remain responsible for ensuring that their own storefront is PCI DSS compliant.

As a PCI DSS v4 Level 1 Merchant, BigCommerce accepts payments for subscriptions via the BMP billing application (manage.bigcommerce.com) which is used by all customers.

As a PCI DSS v4 Level 1 Service Provider, BigCommerce facilitates the tools for merchants to accept credit card payments at their individual eShops. Merchants provide BigCommerce with the name of the payment gateway provider of their choice and their individual Merchant IDs; BigCommerce configures the merchant eShops with a shopping cart that enables them to accept credit/debit card payments.

Our 2024 PCI AOCs are available here: https://security.bigcommerce.com/?itemUid=53e1508c-665e-45a8-9ce0-03fdf9ae1efb&source=click


Preparing for NIS 2

Compliance

Now that NIS 2 has been adopted by the European Council and Parliament, the process shifts to the EU's 27 member states, which must codify the directive into national law by October 2024.

As EU member states focus on the requirements related to NIS 2, there are still outstanding questions about the sector-specific schemes that organizations will use to certify compliance with NIS 2, which could substantially impact how the legislation operates in practice.

BigCommerce believes we are in a good position to comply with the cybersecurity measures NIS 2 focuses on, given our commitment to ensuring that our e-commerce platform and security tools support the highest standard of compliance. We’ve spent the better part of a decade developing mature processes for risk governance, incident reporting, and vulnerability management to support our compliance journey.

BigCommerce will continue to focus on building trust with European governments and enterprises by delivering e-commerce solutions that meet their regulatory, digital sovereignty, sustainability, and economic objectives.


If you think you may have discovered a vulnerability, please send us a note.