Welcome to BigCommerce's Trust Center.
At BigCommerce, security, privacy and resilience are built into the core of our platform. We're committed to providing a secure and reliable e-commerce experience for both you and your customers.
Here's how we stand out:
- Unmatched Payment Security: We don't just rely on payment providers for security. BigCommerce holds Level 1 PCI AOCs as Merchant and as Service Provider, the highest level of certification, demonstrating our commitment to protecting your customers' data and simplifying your compliance journey.
- Proactive Threat Intelligence: By partnering with trusted threat intelligence providers like Recorded Future and engaging with communities like RH-ISAC, InfraGard, and the Cybersecurity and Infrastructure Security Agency (CISA), BigCommerce proactively fortifies its platform against emerging attacks.
- Comprehensive Compliance: BigCommerce cybersecurity teams are organized around the NIST Functions (Govern, Identify, Protect, Detect, Respond & Recover). Our adherence to NIST, CIS, ISO 27001:2022, ISO 27017, ISO 27018, ISO 27701, and ISO 22301 demonstrates our unwavering commitment to risk management and data protection.
- Purpose-Built for Enterprise E-commerce: Unlike general-purpose platforms that can hold you back, BigCommerce empowers you with the scalability, control, and advanced security features needed to thrive in the complex world of enterprise e-commerce.
- Empowering Your Business: BigCommerce provides the tools you need to manage your store's security and privacy, giving you control. Focus on growing your business with confidence, knowing your data and your customers' data are protected by a platform built on trust.
Stay Informed
For the latest security updates and documentation, subscribe to this Platform Trust Center.
If you have questions about our Privacy Policy, our Terms of Service, or our privacy practices, please contact us at privacy@BigCommerce.com.
If you have questions about our security practices, please contact us at security@bigcommerce.com.
If you have questions for our sales or support team, please see this site for contact details.
Important Update: BigCommerce publishes an updated PCI DSS v4.0.1 Shared Responsibility Matrix
Dear Valued Customer,
At BigCommerce, we are committed to maintaining the highest standards of security and compliance, particularly concerning the protection of cardholder data. As part of this commitment, we are pleased to announce an updated PCI DSS v4.0.1 Shared Responsibility Matrix, with updates to customer-facing requirements (6.4.3 & 11.6.1).
This matrix provides a clear and detailed breakdown of the responsibilities shared between BigCommerce and our customers in adhering to the Payment Card Industry Data Security Standard (PCI DSS) v4.0.1. Understanding these shared responsibilities is crucial for ensuring the ongoing security of your payment processing environment.
What is the PCI DSS Shared Responsibility Matrix?
The matrix outlines:
- Specific PCI DSS requirements: It lists relevant requirements from the PCI DSS v4.0.1 standard, with v3.2.1 requirement numbers for reference.
- Responsibilities: It clearly defines which party (you, the customer, or BigCommerce) is responsible for meeting each requirement.
- Clarification: It provides clarity on the scope of our services and your obligations related to PCI DSS compliance.
- Collaboration: It fosters a collaborative approach to maintaining a secure payment ecosystem.
Why is this important?
- Enhanced Security: Understanding your responsibilities helps strengthen your overall security posture.
- Compliance Clarity: It provides a clear roadmap for achieving and maintaining PCI DSS compliance.
- Improved Collaboration: It promotes a transparent and collaborative relationship between BigCommerce and our customers.
- Updated for v4.0.1: It reflects the newest changes and requirements of the current PCI DSS standard.
- Updated with guidance about the impact of integrations and customizations to the responsibility matrix.
Where can you find the matrix?
You can access the PCI DSS v4.0.1 Shared Responsibility Matrix on our Trust Center.
We encourage you to review this document carefully and familiarize yourself with your responsibilities. If you have any questions or require further clarification, please do not hesitate to contact our support team.
We appreciate your continued partnership and commitment to maintaining a secure payment environment.
Sincerely,
The BigCommerce Compliance Team
In support of the EU Digital Services Act (Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC) (the “DSA”), BigCommerce maintains a site that allows submitting applicable reports: https://www.bigcommerce.com/privacy/report-illegal-content/
We're excited to announce that we've doubled the rewards for our Bug Bounty program on Bugcrowd! 🎉 This means bigger payouts for you when you help us find and fix vulnerabilities. But it's about more than just money – we truly value the skills and dedication of security researchers, and we're committed to recognizing your contributions. A huge thank you to everyone who has already participated in our program – your work has been invaluable! We're eager to see even more researchers join us on this journey. And stay tuned... we'll be launching some exciting new private programs soon! 🚀 Ready to make a real impact? Join our Bug Bounty program today and help us build a more secure future! 💪💻
Join the program: https://bugcrowd.com/engagements/bigcommerce
Polyfill.io supply chain attacks
Security researchers have discovered a serious security issue involving the JavaScript library service Polyfill.io. The domains cdn.polyfill.io and polyfill.io, which have historically hosted helpful code for web developers, are now serving modified versions of those scripts to inject malicious code into websites.
Who is affected? Security researchers estimate that over 100,000 websites are affected by this attack. While BigCommerce-controlled properties remain secure, these scripts may have been added to your website for legitimate purposes by you, by a developer working for you, or by an app you installed on your website. If your website loads any JavaScript from the polyfill.io domain, we urge you to review your website's scripts and remove them as you deem necessary.
What are the risks? The malicious code injected by polyfill.io can perform various harmful activities, including:
- Redirecting users to phishing or other malicious websites
- Stealing sensitive user information
- Further propagating malware to visitors' devices
What should you do? If your website uses code from the polyfill.io domain, you should take immediate action:
- Remove all Polyfill.io code: Remove scripts hosted on polyfill.io and cdn.polyfill.io from your website. If polyfills are needed, find an alternate service to load them from. Impacted scripts can be identified by checking the source URL in Script Manager or retrieving the script's configuration via the management API. If the script was installed by an app, we recommend either contacting the app's developer or discontinuing use of the app.
- Protect your site with Subresource Integrity: Subresource Integrity (SRI) is a browser feature that can prevent tampered scripts from executing by requiring remote scripts to pass integrity checks. To learn how to configure SRI in Script Manager, consult our documentation here and here.
- Scan for malware: Regularly conduct security scans of your website to check for any other potential vulnerabilities or compromises.
- Monitor for suspicious activity: Keep a close eye on your website analytics and traffic patterns for any unusual activity.
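The two technical steps above (finding script tags that load from polyfill.io hosts, and adding SRI integrity values to the external scripts you keep) can be automated. The following is an added example, not BigCommerce code or part of the original notice; the HTML it audits is a constructed sample, and the flagged hostnames are the two named in the advisory.

```python
"""Audit <script> tags for Polyfill.io hosts and missing SRI, and compute
an SRI integrity value for a script body (added example, not BigCommerce code)."""
import base64
import hashlib
import re
from urllib.parse import urlparse

# Hosts named in the advisory above; any subdomain of polyfill.io is also flagged.
FLAGGED_HOSTS = {"polyfill.io", "cdn.polyfill.io"}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)  # captures attribute text
ATTR = re.compile(r'(\w[\w-]*)\s*=\s*"([^"]*)"')                # name="value" pairs


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI integrity value, e.g. 'sha384-<base64 digest>', for content."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def audit_scripts(html: str) -> list:
    """Return (src, reason) findings for every external <script src=...> in html."""
    findings = []
    for m in SCRIPT_TAG.finditer(html):
        attrs = dict(ATTR.findall(m.group(1)))
        src = attrs.get("src")
        if not src:
            continue  # inline script: nothing remote to check
        host = (urlparse(src).hostname or "").lower()
        if host in FLAGGED_HOSTS or host.endswith(".polyfill.io"):
            findings.append((src, "flagged host: remove this script"))
        elif "integrity" not in attrs:
            findings.append((src, "no integrity attribute: add SRI"))
    return findings


# Constructed sample page: one flagged script, one without SRI, one with SRI, one inline.
SAMPLE_HTML = """
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="https://example-cdn.test/app.js"></script>
<script src="https://example-cdn.test/vendor.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script>console.log("inline");</script>
"""

if __name__ == "__main__":
    for src, why in audit_scripts(SAMPLE_HTML):
        print(f"{src}: {why}")
    print(sri_hash(b"console.log('hello');"))  # value to paste into integrity="..."
```

Run the audit against a saved copy of your storefront page; a script whose body you pin with `sri_hash` will be refused by the browser if the served file is later modified.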
BigCommerce has taken and continues to take proactive measures to mitigate risks related to Polyfill.io, and we continue to monitor the situation closely. We urge all website owners and developers to take this threat seriously and act promptly to protect their users and their own digital assets.
Where can you get more information? For further details and updates on this security issue, please refer to the following resources:
BigCommerce would like to remind the public that legitimate employers will never ask for money during the hiring process. This includes requests for payment for background checks, training materials, or software.
If you receive a job offer that seems suspicious or requires payment, do not provide any personal information or financial details. Instead, report the scam to the appropriate authorities.
Here are some tips for spotting job offer scams:
- Unsolicited offers: Be cautious of job offers from companies you haven't applied to, especially if they seem too good to be true.
- Requests for payment: Legitimate employers will not ask you to pay for anything upfront.
- Poor grammar and spelling: Scam emails often contain numerous errors.
- High-pressure tactics: Scammers may try to rush you into making a decision.
If you think you have been a victim of a job offer scam, here's what to do:
- Stop all communication with the scammer.
- Notify the website or platform where you found the job posting.
- Monitor your financial accounts for any unauthorized activity.
By staying informed and vigilant, you can protect yourself from falling victim to job offer scams.
Remember: BigCommerce is committed to fair and transparent hiring practices. We will never ask for payment during the hiring process.
For more information on job scams, please visit the Federal Trade Commission's website at https://consumer.ftc.gov/all-scams/job-scams.
If you think you may have discovered a vulnerability, please send us a note.