Website Security Checklist

Authentication and Access Review

    Pull the staff list from Shopify (Settings → Users) or BigCommerce (Account Settings → Users). Confirm each user's role matches their current job — over-permissioned freelancers and former agency staff are the most common finding here. Document any account whose owner you cannot positively identify.

    Verify two-step authentication is required for every storefront admin, the 3PL portal (ShipBob, ShipMonk, ShipStation), the carrier accounts (UPS, FedEx), and your domain registrar. Domain-registrar takeover is how DNS-redirect attacks against Shopify stores typically start.

    Check user lists in Klaviyo, Gorgias or Zendesk, Meta Business Manager, Google Ads, and Amazon Seller Central. These tools hold customer PII and ad-spend authority; a stale agency login here is a real exposure.

    Rotate Shopify private app / custom app tokens, Klaviyo API keys, and any keys held by departed contractors. Update integrations (Recharge, Yotpo, Postscript) to the new keys before revoking the old ones to avoid sync interruptions.
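A worked reconciliation of the user reviews above (storefront, 3PL, registrar, marketing tools) against the staff roster. This is an added example, not part of the original checklist; the roster and export shapes are constructed assumptions, not any vendor's real export format.

```python
"""Reconcile exported user lists from the storefront and supporting tools
against the HR/contractor roster. Flags accounts with no identifiable owner,
departed owners, over-permissioned roles, and missing two-step auth.
All data below is constructed; the export shape is an assumption, not any
vendor's real export format."""

# Constructed roster: email -> (employment status, expected role)
ROSTER = {
    "maria@example-store.com": ("active", "admin"),
    "dev@agency.example": ("offboarded", "limited"),
    "ops@example-store.com": ("active", "limited"),
}

# Constructed user exports: (tool, email, role, two_step_enabled)
EXPORTS = [
    ("shopify", "maria@example-store.com", "admin", True),
    ("shopify", "dev@agency.example", "admin", False),       # former agency, still admin
    ("shopify", "ops@example-store.com", "limited", True),
    ("klaviyo", "freelance.pm@example.net", "owner", True),  # nobody can name this owner
    ("shipbob", "ops@example-store.com", "limited", False),
    ("registrar", "maria@example-store.com", "admin", False),
]

def review_accounts(roster, exports):
    """Return a sorted list of (tool, email, finding) tuples for the audit ticket."""
    findings = []
    for tool, email, role, two_step in exports:
        if email not in roster:
            findings.append((tool, email, "unknown owner"))
        else:
            status, expected = roster[email]
            if status != "active":
                findings.append((tool, email, "owner departed"))
            elif role == "admin" and expected != "admin":
                findings.append((tool, email, "over-permissioned"))
        if not two_step:
            findings.append((tool, email, "two-step auth disabled"))
    return sorted(findings)
```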

Customer Data and Encryption

    Run an SSL Labs scan against the apex domain, www, and checkout subdomain. Anything below TLS 1.2 fails PCI DSS. On Shopify the platform handles this, but custom subdomains (account., shop., blog. on a separate CMS) often lag.
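Checking the scan output for the apex, www, and a custom subdomain, as an added example (not code from the original checklist). The hostnames and scan results are constructed, and the per-endpoint protocol list shape is an assumption modelled on the SSL Labs API rather than a guaranteed format.

```python
"""Flag hosts in an SSL Labs-style scan result that still offer a protocol
below TLS 1.2 (a PCI DSS failure). Sample data is constructed; the JSON
shape is an assumption modelled on the SSL Labs per-endpoint protocol list."""
import json

# Constructed scan output for three storefront hosts; not real scan results.
SAMPLE_SCAN = json.dumps([
    {"host": "example-store.com",
     "endpoints": [{"ipAddress": "203.0.113.10",
                    "details": {"protocols": [{"name": "TLS", "version": "1.2"},
                                              {"name": "TLS", "version": "1.3"}]}}]},
    {"host": "www.example-store.com",
     "endpoints": [{"ipAddress": "203.0.113.10",
                    "details": {"protocols": [{"name": "TLS", "version": "1.2"},
                                              {"name": "TLS", "version": "1.3"}]}}]},
    {"host": "account.example-store.com",   # custom subdomain on a separate CMS
     "endpoints": [{"ipAddress": "198.51.100.7",
                    "details": {"protocols": [{"name": "TLS", "version": "1.0"},
                                              {"name": "TLS", "version": "1.1"},
                                              {"name": "TLS", "version": "1.2"}]}},
                   {"ipAddress": "198.51.100.8",
                    "details": {"protocols": [{"name": "SSL", "version": "3.0"},
                                              {"name": "TLS", "version": "1.2"}]}}]},
])

PCI_MIN_TLS = (1, 2)

def _below_min(proto):
    """True for any SSL version and for TLS versions older than 1.2."""
    version = tuple(int(p) for p in proto["version"].split("."))
    return proto["name"] == "SSL" or (proto["name"] == "TLS" and version < PCI_MIN_TLS)

def pci_tls_findings(scan_json):
    """Return {host: sorted 'ip: PROTO x.y' strings} for every host where any
    endpoint (not just the first IP) still negotiates a protocol below TLS 1.2."""
    findings = {}
    for entry in json.loads(scan_json):
        bad = []
        for ep in entry.get("endpoints", []):
            for proto in ep.get("details", {}).get("protocols", []):
                if _below_min(proto):
                    bad.append(f'{ep["ipAddress"]}: {proto["name"]} {proto["version"]}')
        if bad:
            findings[entry["host"]] = sorted(bad)
    return findings
```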

    List every tool that touches customer data — Klaviyo, Yotpo, Gorgias, Recharge, analytics pixels, attribution platforms — and confirm each is named in the published privacy policy. New tools added mid-quarter without a policy update are a CCPA/GDPR exposure.

    Confirm OneTrust, Cookiebot, Termly, or your CMP of choice is firing on EU and California traffic, and that Global Privacy Control signals are honored. The CPRA-required 'Do Not Sell or Share' link must be present and functional in the footer.

    CSV exports of customer lists for ad uploads or migrations are the most common PII leak path. Confirm exports are stored encrypted (Drive with restricted sharing, not plain S3) and deleted after the use case completes.

Storefront and Application Security

    Run an automated scan (Detectify, Sucuri SiteCheck, OWASP ZAP) against the storefront, account pages, and any custom checkout extensions. Pay attention to UGC fields — review forms, gift messages — where stored XSS most often hides.

    Every installed Shopify or BigCommerce app retains data access until uninstalled. Remove any app not used in the last 90 days. For each remaining app, confirm the developer is still publishing updates — abandoned apps are a frequent supply-chain risk.

    Review Cloudflare or Sucuri WAF rule sets and bot-management thresholds. Card-testing attacks against the checkout endpoint are the most common reason a small store sees a sudden spike in declined transactions and Stripe fraud alerts — rate-limit /checkout aggressively.
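The card-testing signal that the /checkout rate limit should key on, as an added example rather than code from the original checklist: many payment attempts from one source inside a short window with most of them declined. The log format, thresholds, and sample lines are constructed assumptions.

```python
"""Detect card-testing bursts against the checkout endpoint from access-log
lines: many payment attempts from one source in a short window, most of them
declined. Log format, thresholds and sample lines are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log lines: "<iso8601> <client_ip> <method> <path> <payment_result>"
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 203.0.113.5 POST /checkout declined
2024-05-01T10:00:03Z 203.0.113.5 POST /checkout declined
2024-05-01T10:00:05Z 198.51.100.9 POST /checkout approved
2024-05-01T10:00:07Z 203.0.113.5 POST /checkout declined
2024-05-01T10:00:09Z 203.0.113.5 POST /checkout approved
2024-05-01T10:00:12Z 203.0.113.5 POST /checkout declined
2024-05-01T10:00:14Z 203.0.113.5 POST /checkout declined
2024-05-01T10:00:15Z 198.51.100.9 GET /checkout -
2024-05-01T10:03:00Z 203.0.113.5 POST /checkout declined
"""

def parse(line):
    ts, ip, method, path, result = line.split()
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return stamp, ip, method, path, result

def card_testing_sources(log_text, window_s=60, min_attempts=5, min_decline_ratio=0.8):
    """Return {ip: (attempts, declines)} at the first moment an IP's POST /checkout
    attempts inside a sliding window_s-second window reach min_attempts with a
    decline ratio at or above min_decline_ratio. Assumes lines are time-ordered."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, declined) within the window
    flagged = {}
    for line in log_text.splitlines():
        ts, ip, method, path, result = parse(line)
        if method != "POST" or path != "/checkout" or ip in flagged:
            continue  # only payment attempts count; one alert per source
        window = recent[ip]
        window.append((ts, result == "declined"))
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        declines = sum(1 for _, declined in window if declined)
        if len(window) >= min_attempts and declines / len(window) >= min_decline_ratio:
            flagged[ip] = (len(window), declines)
    return flagged
```

The same counters map directly onto a WAF rate-limit rule keyed on client IP and path; the decline ratio is what separates a card-testing run from a busy legitimate customer retrying a typo.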

    Place a test order on iOS Safari and Android Chrome end-to-end. Theme updates and app installs commonly break Apple Pay / Google Pay or shipping calculation on mobile without affecting desktop — and most stores see 60-70% of traffic on mobile.

    Open one ticket per finding in your dev tracker with severity, affected URL, and reproduction steps. Tag any finding that exposes PII or payment data as P0 with a 7-day SLA.

Payment and PCI Compliance

    If you use Shopify Payments, Stripe Checkout, or PayPal hosted fields exclusively, you should be SAQ A. Custom checkout iframes typically fall under SAQ A-EP. Adding any client-side script that touches the card field — including some analytics tags — silently expands scope. Confirm the SAQ on file with your acquirer matches actual implementation.

    Pull the last 90 days of chargebacks and approval rates. The card-network monitoring threshold is roughly 0.9% chargeback ratio (Visa VDMP); approaching it triggers fines and program enrollment. Tune fraud rules toward declining repeat offenders without choking legitimate first-time international orders.

    Confirm someone owns dispute response within the issuer's compelling-evidence window (usually 7-10 days). Stale disputes auto-lose. Check that tracking, AVS match, and customer communication are pulled into the response packet.

    Brief the finance lead with 90-day chargeback ratio, top dispute reasons, and the SKU or traffic source concentration. If the ratio is climbing toward 0.9%, agree on a fraud-rule tightening plan before the next monthly cycle.

Backups and Incident Readiness

    Shopify retains its own platform backups but does not restore individual stores on request — confirm a Rewind, BackupMaster, or equivalent app is running daily and includes products, themes, customer records, and orders. For a custom site on AWS / Vercel, confirm RDS / database snapshots are running and retained 30+ days.

    Pick a non-production theme slot or staging store and restore yesterday's backup end-to-end. Untested backups are not backups. Time the restore so you can give a realistic RTO when leadership asks during an incident.

    Walk the runbook for the three most likely incidents: storefront defacement, card-testing attack on checkout, and customer data leak via a compromised app. Confirm the on-call rotation, decision authority for taking the store offline, and the Shopify or BigCommerce support escalation contact.

    Update phone numbers and emails for outside counsel, the payment processor's incident line, and the cyber-insurance broker. State breach-notification deadlines start at 30-60 days from discovery; GDPR is 72 hours. The first hour of an incident is the wrong time to look up phone numbers.

    Summarize findings, owners, and remediation deadlines. Attach the scan report and SAQ. The COO or founder signs off so the audit trail is defensible if a processor or insurer asks during renewal.