The Essential Guide to Store Security on Shopify

Data breaches are on the rise for all sorts of businesses, including online retailers. Numerous companies have reported security breaches in the past decade. These incidents have caused stolen customer data, even including department store chain Macy’s.

When shoppers perceive privacy threats, they become wary about sharing payment information online. This is why data breaches often result in lost customer trust and revenue for brands.

For example, Macy’s 2019 data breach found that Macys.com was linked to a website that stole customer payment data on its “Checkout” and “My Wallet” pages. The company paid $192, 000 to settle the data breach lawsuit.

More than 1,000,000 merchants and millions of customers entrust Shopify with their private information. Shopify is PCI DSS compliant, and has invested significant time and money to certify their solutions as secure.

Read on to learn what PCI compliance means on Shopify. We’ll cover how Shopify’s security compares with Magento, and why hosting a secure store attracts Gen Z shoppers. We’ll also break down 6 ways increased security can boost your brand trust on Shopify.

What is PCI Compliance?

The Payment Card Industry Data Security Standards (PCI CSS) is used to increase controls for payments to reduce fraudulent activity. Today, it’s a security standard for all organizations that handle credit card payments and debit information.

Reaching PCI compliance will allow you to sell online securely and accept payments from a wide range of vendors. These include Mastercard, Discover, or American Express.

Is Shopify PCI Compliant?

Yes. All stores that are hosted on Shopify are PCI compliant by default. This means merchants can keep their customers’ payment information safe and secure. Shopify’s compliance covers 6 PCI standard categories which apply to every store powered by the platform:

1. Maintaining a secure network

2. Protecting cardholder data

3. Maintaining a vulnerability management program

4. Implementing strong access control measures

5. Regular monitoring and testing of network security

6. Maintaining an information security policy

By taking these steps, Shopify shows that they have invested time and money to ensure PCI compliance for merchants and customers. Shopify works hard to keep your shopping cart and ecommerce hosting secure. Steps taken include on-site assessments to validate compliance to continuous risk management. Level 1 PCI certification protects your store, shopping cart, and web hosting.

Is PCI Compliance Mandatory?

According to federal law in the U.S., PCI DSS is not required. Although some state-level laws refer to PCI DSS compliance.

For example, Nevada incorporated PCI compliance into state law, requiring any merchants doing business in the state to comply. Similar laws have been followed in other states such as Washington. Major credit card companies may also ask that you enforce PCI DSS compliance to use them in a payment gateway.

Not practicing PCI compliance where it is enforced can result in monetary fines. This can range from hundreds to thousands of dollars. In the case of a security breach, you‘ll be held liable for such damages.

This is also why it’s important to assess your own store on a case by case basis. Check if the credit card companies or banks that you use enforce requirements that are not covered by PCI legislation. 

Shopify Provides SSL Certificates

After your custom domain has been added properly, Shopify provides SSL certificates to your store. SSL certificates encrypt your store’s content and publish it securely using HTTPS instead of HTTP.

For example, if your store URL is http://www.website.com, it will be updated to https://www.website.com after Shopify issues SSL certificates. Customers who use the original URL will be redirected to your new encrypted online store.

Having SSL certificates on your store provides an extra layer of security and builds customer trust. This is shown by displaying the SSL padlock beside your online store’s URL:

Example of the SSL padlock next to Diff Agency’s URL:

If your online store includes content such as images, videos or web fonts that are hosted on a platform other than Shopify, you should verify it on your Domains setting page. You can do this in the Shopify Admin to ensure that it doesn’t invalidate your SSL certificate.

Shopify’s Security Response

To ensure the safety of merchants and customers, Shopify continuously invests effort into adjusting to the latest threats. In their Shopify Security Response, Shopify asks that merchants report any potential security threats through their HackerOne page. With direct user feedback, issues can be reported and security issues can be fixed in a timely manner.

Shopify Security vs. Magento

Adobe said it will end support for the 12-year old Magento 1.x release on June 30, 2020. This includes Magento Commerce and Magento Open Source. Retailers who continue to run their online stores on Magento 1.x past this date will have increased responsibility. They will have to maintain security updates and ensure PCI DSS compliance.

In a separate security bulletin, Adobe reported a critical level of vulnerability could be exposed. This includes a risk of sensitive information disclosure as Magento 1 support comes to a halt.

These unsettling announcements are leaving tens of thousands of merchants with vulnerable websites. With timely pressure, Magento 1 online retailers are facing a difficult decision. Replatform to Magento 2, or migrate to a new platform altogether?

Increased security provides a major incentive for Magento customers who are considering switching to Shopify. Shopify is a fully hosted solution,unlike Magento’s open-source solution that needs to be installed and run on a server. This means that merchants on Shopify don’t ever need to worry about server side issues or security upgrades.

Automatic security upgrades and PCI DSS compliance allows merchants to refocus their time and energy on more important goals to grow their business. Such goals include content creation, data-driven marketing, social influence, and customer engagement.

Security and Gen Z

A study by Google suggests that increased ecommerce security can help protect younger generations who are overly confident about keeping their online accounts safe. In a survey by F5, nearly 60% of Gen Z-ers (ages 8 to 22) said they did not receive education about online safety.

These studies suggest that increased education is needed to help Gen Z-ers form safer digital habits at a younger age. Developers and merchants need to build online stores that are safe for everyone to use, no matter what age they are.

Another area where Gen-Zers fall short is password protection according to U.S data from a Harris Poll. In this survey of 3,000 participants, 78% of Gen Z-ers admitted they use the same password for multiple online accounts.

At the same time, Gen Z was the highest user generation of 2-step verification (76%), overcoming older users in this security feature. Gen Z’s effort to use 2-step verification shows that this younger generation is making an effort to boost their security.

The Harris Poll also demonstrates that the generation lacks confidence in how to better protect online accounts. More than 50% reused the same password for multiple accounts. Additionally, only 24% use a password manager. This is despite many people telling them they need a better way to track passwords.

With this in mind, it is not surprising that Gen Z could benefit by using internet safety best practices. This gap in education also provides an opportunity for merchants to help younger generations stay safe when shopping. By providing an easy to use and safe ecommerce experience, you can show Gen Z that their security is your priority. This will also help build trust and increase customer loyalty.

6 Ways Increased Security Can Boost Customer Trust on Shopify 

Secure Payment Options

Shopify offers customers the highest standards of server compliance for credit card processing, which is hard to beat. You can read about Shopify’s PCI compliance here. This is one of the most important benefits of Shopify vs. other self hosted solutions.

If you want to host your own server using Magento, for example, you will need to pay hundreds to thousands to reach the same level of compliance. Otherwise you might get hit with a PCI non-compliance fee of $20-$30 a month.

Shopify is PCI compliant from the start. This means you don’t need to do anything or spend any money to ensure your credit card processing is secure. Customers will be able to make payments as they need to without having to even think about credit card data security.

99.98% Uptime

Many merchants worry about their stores always being available. For example, in just a single hour of downtime on Prime Day, Amazon may have lost up to $100 million in sales.

Shopify is a SaaS hosted solution. This means that your store is hosted on Shopify servers and does not require additional installation. In doing so, Shopify provides merchants with a 99.98% uptime guarantee. This helps retailers avoid losses due to their store being unavailable during high peak times.

For example, Diff’s client Gymshark migrated from Magento to Shopify Plus following a Black Friday crash. The downtime left the online store in the dark for eight hours. This failure cost Gymshark an estimated $143,000 in lost sales. It also decreased the trust of customers who expected a great user experience.

Screenshots by Shopify

Gymshark is one of the fastest growing global fitness and apparel brands in the world. By migrating to Shopify Plus, they were able to execute a multi-channel, global growth strategy that earned them:

• 9.3x ROI on a Black Friday social media campaign
• 197% overall increase in holiday revenue
• $128 million in FY 2018 revenue

Shopify sets the standard high for brands like Gymshark who wish to provide standout customer experiences across the globe. A strong uptime encourages shoppers to trust your ecommerce store, instead of looking elsewhere in response to a disrupted shopping experience.

Increased Credibility

As a Shopify store owner, you can display a security badge on your online store to establish trust with your customers. You can link this badge to a description of how Shopify meets Payment Card Industry (PCI) standards.

Security badge: Shopify

Add the security badge code to your online store through the Shopify admin portal. To contrast with your theme’s color theme, you can choose between a light or dark colored security badge. Since the badges are an .svg format, you can also resize them without sacrificing image quality.  

Customer Data

Shopify provides guidelines for the developer community to meet legal obligations. This information ensures that over 1,000,000 merchants, and millions of customers, can trust Shopify with their private information. By taking responsibility seriously, Shopify provides instructions for developers to ensure that user data is kept both secure and private.

The guiding rules for using Shopify are designed in a way that makes it transparent and fair for everyone to use. The platform encourages partners to share the rewards of building on the platform. This also enforces limits and rules that keep things fair for everyone involved.

Shopify also provides API license and terms of use documentation. This is a set of rules on what is allowed and not allowed when using the world leading ecommerce platform.

Admin Security

Shopify’s back end is secure, offering a staff permission system. You can set accounts for each person who can access your Shopify admin. This way, you can help protect your online store from security breaches by enforcing security steps to authenticate and block access.

You can also allow staff to access your Shopify admin, without giving them access to sensitive information. To keep you on track, your staff can stay on top of recent changes, orders and customer interactions on your timeline.

Fraud Protection

Fraud protection helps protect Shopify businesses against fraudulent chargebacks. This makes it easier for merchants to quickly and confidently process orders. After activating Fraud Protection, online orders are categorized as either “protected” or “not protected”.

The merchant pays a fee for each protected order, and the order is guaranteed to be payed by Shopify. This means if there is a chargeback, Shopify will reimburse the amount and handle the chargeback process on your behalf. This feature is currently only available in the United States. 

Shopify is a Safe and Secure Platform for Online Shopping

Shopify takes PCI compliance seriously, and helps your customers feel protected with every transaction. It provides SSL certificates to improve security and trust in your store.  A 99.8% uptime is promised by Shopify, which also influences online store reliability. This means that customers can shop on your online store anytime, from anywhere around the globe.

Automatic security updates on Shopify’s fully hosted platform allow over 1,000,000 merchants to refocus their energy on growing their brands. By giving customers a secure shopping experience, stores powered by Shopify can increase brand trust, attract new customers, and boost sales.

At Diff Agency, we build custom solutions against fraudulent shopping to protect you. These solutions help secure your website and maintain your checkout conversion rate. If this sounds like something you need, just ask our team to learn more about this service.

Read our latest:

Boost Customer Engagement with SMS Marketing

Get Your Products Listed on Google Shopping for Free Using Shopify

Can Retail Discounts Increase Sales and Customer Loyalty?

Written by Debra Weinryb, Content Strategist at Diff Agency