Trends come and go in ecommerce. Customer expectations expand as quickly as online stores strive to meet them. However, one thing remains constant: customers want and deserve to feel their data is safe when shopping online.
As the Head of Cybersecurity here at BigCommerce, I’m proud to say that security and compliance are two things that we’re constantly investing in.
There is a global trend right now involving governments stepping in to provide more regulation and oversight to ensure customer data privacy.
In this post, I want to explain what is changing in ecommerce security and how BigCommerce is preparing for it, as well as clear up any misconceptions that are out there around these important issues.
There have been a number of high-profile security breaches in ecommerce in recent years that have put the need for vigilant security practices into sharp focus.
As a result, customers have been increasingly calling for better security practices, which has led to the enactment of more security and compliance standards.
We see this with both the GDPR (General Data Protection Regulations) in the European Union and the CCPA (California Consumer Privacy Act) here in the U.S. I anticipate sooner rather than later, we will see other U.S. states adopting their own consumer protection standards.
Before we get into what these data protections mean both for consumers and for merchants, it’s important to define the difference between security and compliance.
Essentially: compliance is text and security is technology.
Compliance guidelines ensure that an organization has systems of internal control that adequately measure and manage the risks that it faces. Security refers to all the measures that are taken to protect and defend the information and technology assets of an enterprise. Cybersecurity is the process of protecting information by preventing, detecting, and responding to attacks.
At BigCommerce, we have both a cybersecurity and a compliance team.
If you’re in the ecommerce space, you’re probably familiar with a number of different acronyms from ISO to PCI and GDPR to CCPA.
Before diving into the overall climate that has produced a call for more regulation, let’s quickly cover what some of these mean.
If you’re a merchant accepting credit cards, the PCI Security Standards Council has some regulations that apply to you. The Payment Card Industry Data Security Standards (PCI DSS) is a standard created to increase controls around cardholder data and decrease credit card fraud. There are fines for not being compliant.
Everyone will put up their hand and say that they’re PCI compliant, but that’s really just a base level of what companies should be doing.
The International Organization for Standardization (ISO) publishes standards across different industries internationally. Businesses can become certified in these standards to demonstrate a commitment to compliance with them.
In February, BigCommerce received the ISO/IEC 27001:2013 certification, which applies to managing information security. Achieving this certification requires a rigorous process and demonstrates our commitment to security and protections that go far beyond PCI compliance alone.
The General Data Protection Regulation (GDPR) is a regulation covering data and privacy protection. It applies to all citizens in the European Union and European Economic Area, and gives them greater ownership and control of their data and more rights around data collection.
It’s worth pointing out that, at a high level, GDPR applies to businesses operating outside of the EU and EEA who do business with EU citizens.
The California Consumer Privacy Act (CCPA) is similar to GDPR in that it provides consumers with more ownership, control, and security of their data. However, as the name would suggest, it applies to citizens of California and to whoever may sell to them and collect their data.
In my opinion, the GDPR and CCPA are just the tip of the iceberg, and we will soon be seeing either a national standard of regulations around data and privacy protection or more states jumping on board. Before CCPA, Massachusetts had the toughest privacy regulations in place; now other states are making moves in that direction: 15 other states.
People are increasingly concerned about what companies are doing with their data. It’s understandable given how valuable personal information has become.
The reason GDPR and CCPA were enacted is because companies were not being as mindful as they needed to be about security and protecting customer information.
Security was on their list, but there weren’t always any teeth behind it. Protecting customers and their data wasn’t the priority it needed to be, which is why governing bodies are now stepping in and creating steep penalties for non-compliance.
BigCommerce has tried to stay well ahead of the industry in terms of prioritizing security. We want to make it a focus of the platform for our merchants, so they don’t have to take the brunt of this lift on themselves.
Because we’ve been forward-thinking with our security plans, when CCPA and its predecessors come along, we’re not having to make substantive changes. We’re already providing our merchants the primary tools they need to be compliant. That said, we never stop improving our capabilities.
Our philosophy is to consider these standards as not something to strive to obtain, but rather as a low bar that we would like to far surpass.
As mentioned above, we have both a cybersecurity and a compliance team, and these teams are dedicated to making sure that we are in line not only with the existing regulations, but any new ones that come along.
If you’re reading this, there’s a good chance you’re an ecommerce merchant with a vested interest in both maintaining your site securely and workplace privacy and maintaining customer data privacy, as well as staying in compliance with the latest regulations.
You may be wondering: what’s the best way to keep up with all of this?
My team has created a separate resource on all the tips and tricks for strong site security best practices. However, in terms of my best advice for setting yourself up for effective security and compliance, it’s this: choose the right platform.
SaaS (Software-as-a-Service) platforms, like BigCommerce, take on the heavy lifting of maintaining compliance for our merchants. With on-premise solutions, these requirements fall on the merchant to maintain themselves.
Our obligations to our merchants include data security, privacy, and compliance concerns across our entire platform and through all internal systems like Marketo and Salesforce.
In addition to preventing data compromises, we also comply with privacy regulations such as an individual’s right to be forgotten.
Overall, we make sure all shopper data is secure from malicious attacks and ensure merchants can serve their customers in a secure and compliant manner.
Our merchants’ data is their data. We consider their ownership of their data very seriously, differentiating ourselves in that regard even within the SaaS space. We put clear boundaries around what we will do with our merchants’ data.
I, for one, am excited for the direction both BigCommerce and the broader ecommerce industry are moving in terms of greater security and data privacy.
Consumers are understandably demanding greater control of their data and more assurances regarding their privacy. Businesses are rising to meet their demands, in some cases in response to some nudging by governmental entities.
At BigCommerce, we remain committed to moving into the future ready to meet and exceed security and compliance standards and create tools that can help our merchants make that same commitment to their customers.
This material does not constitute legal, tax, professional or financial advice and BigCommerce disclaims any liability with respect to this material. Please consult your attorney or professional advisor on specific legal, professional or financial matters.
Susan Phillips is the Head of Cybersecurity at BigCommerce. With two decades of industry experience, from development, security testing, and building high performing teams, she brings a wealth of cybersecurity experience to BC. In her leadership role; she is responsible for enterprise security service delivery including our secure platform development framework, customer protection, third party risk management and security operations.