As the digital age has come, so has digital crime. Merchants have become increasingly wary of how safe their eCommerce platform is. No merchant wants to risk customer information by using a platform that is insecure. That’s why Fyresite has looked at how secure Shopify actually is, so merchants can feel safe using our favorite eCommerce platform.
Shopify Fraud Protect

What are the Main Security Concerns of eCommerce Platforms?

No matter what eCommerce platform we talk about, there are some common security concerns. We’ve broken down some of the universal security concerns.


Every eCommerce merchant is familiar with bots. While there are good bots, like ones that help Shopify merchants automate processes, there are bad bots too. Bad bots harm eCommerce businesses by doing things like scanning stores for pricing and inventory information. This can be used by hackers to change pricing and overall harm your sales and bottom line.


Malware can be a big concern for eCommerce businesses. Malware is software that is specifically designed to cause malicious harm, such as leaking private information or gaining unauthorized access to the system.

Financial Fraud

One of the classic types of fraud, financial fraud has only become a bigger threat since the advent of the digital age. There are multiple types of financial fraud that can harm a business, including chargebacks, credit card fraud, and refund abuse.

Chargebacks are perhaps the most prevalent type of financial fraud. Chargebacks, also known as ‘friendly fraud’, occur when the owner of the credit card reports the charge as fraud. This can be done intentionally by the card holder, or done by the cardholder when someone has stolen their card to make the purchase. Regardless of if the chargeback was done purposefully or accidentally, the bank will charge your business a chargeback fee.

Refund abuse is when a customer repeatedly sends back broken, damaged, or stolen products. This doesn’t mean that all refunds are a type of financial fraud, but any products that are stolen and then returned for a refund are a red flag.

Credit Card fraud is when someone uses a stolen credit card and makes a small purchase, typically $5-10, to verify that there is money on the card. Once they determine there is, they will make a large purchase. This typically results in the person whose credit card was stolen issuing a chargeback, causing you to be out of product and pay the chargeback fee.

Distributed Denial of Service Attack

Distributed Denial of Service Attacks, or DDOS attacks, disrupt eCommerce sites and hurt their overall sales. DDOS attacks overwhelm shops with requests until the site crashes.

Brute Force Attacks

Brute force attacks are exactly how they sound. Brute force attacks target the store’s admin panel in attempts to figure out important passwords with brute force, testing out every possible combination for what the password is.

Does Shopify Have These Security Concerns?

While Shopify works hard to keep their systems secure, the biggest safety concern is the human element. While Shopify’s in-house solutions are protected against threats like malware, if merchants have decided to download or upload things to their store from outside sources, they run the risk of downloading malware. Some of the biggest threats come from what people and people who do not optimize their Shopify store for security are the most vulnerable.

What is Shopify Doing to Stay Secure?

There are a few different ways that Shopify works to keep all stores secure.

Shopify Protect

Shopify Protect is a free app that Shopify offers to help protect against financial fraud using Shop Pay. When a customer buys through Shop Pay, it protects eligible products from fraud and chargebacks. That means that you will be reimbursed for any chargebacks on eligible orders. This only applies to physical items, not digital, must be in the United States, must be fulfilled within a week and must be shipped with a shipping tracking number from a supported carrier. To learn more about Shopify Protect and what frauds it protects against, read our blog here.

HackerOne for Shopify

HackerOne is the place to go for merchants who have experienced a security concern. Using a bug bounty program allows for those who find an applicable security risk with Shopify to be rewarded.

Remaining PCI Compliant

Shopify is PCI Compliant. What does this mean for security? It means that Shopify is certified to be compliant with the Payment Card Industry Data Security Standard. This means that Shopify follows the six PCI standard categories for every store on their platform. They maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. To learn more about how Shopify remains PCI Compliant, click here.

What Shop Owners Can Do to Stay Secure

As mentioned before, the human element makes it impossible for any one program to 100% protect a shop from any security concern. Luckily, there are steps that merchants can take to reduce their risk as well.

Declining high-risk orders is one of the recommended ways to prevent financial fraud. Shopify Fraud Analysis will label an order as high-risk if there is a higher chance that the order will result in fraud. Declining the order will help reduce the risk of fraud.

Requiring a CVV is another easy way to reduce the likelihood of financial fraud. Requiring the CVV means that even if a scammer has a card number they will not be able to complete the transaction.

Another way to protect sites? Refuse to ship to PO boxes. While there is nothing inherently wrong with asking a store to ship to a PO box, many scammers will use PO boxes to complete the order without drawing attention to the fact that the shipping and delivery addresses are different.

Making sure the shop uses TLS (Transport Layer Security) will also keep the site secure. TLS uses https rather than http. Shopify automatically creates https for shipping pages, but not for every page in the store. If there is a padlock next to the address bar, the site is using a TLS.

Having a strong password that is frequently changed will also help prevent against security risks such as brute force attacks. Fyresite recommends installing a program like 1Password to make sure that passwords are secure and strong.

Shopify offers bot protection that merchants with access to Shopify Admin can turn on to stop bots from doing things such as auto-completing checkout.

Want Shopify?

Are you interested in experiencing how secure Shopify is yourself? Use Fyresite’s affiliate link to try Shopify today.