Website Security for Ecommerce in 2026: Checklist for Shop Owners

Why ecommerce is a bigger target than a regular site

A brochure site leaking an email list is a bad week. A store leaking live card data is a five-figure event before you count lost sales. The Verizon 2024 Data Breach Investigations Report puts retail and ecommerce squarely in the crosshairs of financially motivated actors, with web application attacks the dominant pattern.

Three patterns repeat on small-to-mid stores:

1. Skimmers injected into checkout pages. A compromised plugin or a hijacked supply-chain JS file writes a tiny script that reads the card fields and posts them to an attacker server. The store still works. You find out when the chargeback wave arrives.
2. Credential stuffing against customer accounts. Attackers take a leaked password list from another breach, spray it at your login, and use working accounts to place fraudulent orders with stored cards.
3. Admin takeover. A weak admin password, no 2FA, plus an outdated plugin with a known RCE. The attacker creates a rogue admin, ships gift cards or digital goods, then pivots to your database.

If your stack handles those three well, you are ahead of most stores your size.

PCI-DSS in plain English

PCI-DSS is the rulebook the card brands set for anyone touching card data. Version 4.0.1 from the PCI Security Standards Council is the current revision in 2026.

You do not "get PCI certified" the way you get an SSL cert. You fit into one of a few self-assessment levels, and the level depends on whether card data ever hits your server.

Scenario	SAQ type	Controls	Plain meaning
Customer enters card on a hosted field from Stripe/Adyen (most Shopify, WooCommerce with Stripe)	SAQ A	~22	You never see the card. Much less paperwork.
Card fields sit on your page but POST to the processor	SAQ A-EP	~191	Your code is in the card flow. Big scope.
You store card numbers anywhere	SAQ D	300+	Do not do this. Ever.

The single biggest security decision a shop owner makes is picking a setup that puts you in SAQ A. That means:

• Stripe Elements, Stripe Checkout, or Stripe Payment Element with the card iframe hosted by Stripe
• Adyen Drop-in or Hosted Payment Pages
• Braintree hosted fields
• PayPal Commerce checkout
• Any default Shopify or BigCommerce flow (they handle it for you)

Avoid any setup where the raw card number touches a form on your domain and your code moves it. The dev hours you "save" are not worth a 300-page assessment plus the liability.

Payment provider security, compared

A quick comparison of the five options most ecommerce clients pick in 2026:

Provider	PCI scope for you	3-D Secure 2	Built-in fraud tools	Fees (US, card-present)
Stripe	SAQ A	Yes, auto-triggered by Radar	Radar (free tier + paid)	2.9% + $0.30
Adyen	SAQ A	Yes, with RevenueProtect	RevenueProtect	Interchange + 0.13%
Braintree	SAQ A	Yes	Kount basic	2.59% + $0.49
PayPal Commerce	SAQ A	Yes	Seller Protection	2.99% + $0.49
Shopify Payments	SAQ A	Yes	Shopify Fraud Analysis	2.9% + $0.30 (Basic)

The gap between these is smaller than the marketing suggests. Pick on integration fit and fraud tooling, not a 0.1% fee delta.

The fraud detection layer

Payment providers block the most obvious frauds. They do not block everything. Two patterns I have run into on real stores:

• A store running Stripe Radar on default rules can still take a meaningful hit when an attacker spaces transactions across many fresh accounts and sticks to 3-D Secure-exempt low-ticket amounts. Radar's defaults are tuned for false-positive risk, not maximum block rate.
• Refund-abuse rings hit marketplaces with real cards and real deliveries, then force chargebacks citing "item not received" once the goods have been resold on a gray market.

Layer your fraud defences:

1. Velocity checks. Block more than N orders from the same IP, email, card BIN, or shipping address in a rolling window.
2. Address Verification Service (AVS) and CVV matching. Decline mismatches for first-time cards.
3. 3-D Secure 2 for anything above your average order value. Shifts chargeback liability to the issuer.
4. Email and phone reputation. SEON, Sift, or Kount flag throwaway addresses and recently-ported phone numbers.
5. Device fingerprinting. Radar, Forter, or Signifyd catch repeat attackers even when they rotate cards.

For stores under $2M GMV, Stripe Radar plus a few custom rules is usually enough. Above that, a dedicated fraud vendor pays for itself fast.

Cart abandonment, the security side

Cart abandonment is both a revenue and a security topic. Two threats hide in the "recover abandoned carts" flow:

• Email enumeration. If your reminder email sends only to real customers, an attacker can ping /cart/abandon and learn which emails have accounts. Return the same response for both cases.
• Session hijacking via reminder links. Many plugins bake a magic token into the recovery URL that restores the full session. If the token is long-lived and the page is served over plain HTTP anywhere in the chain, it leaks. Use short TTLs (24 hours max), rotate on use, and force re-auth at checkout.

On the revenue side: recovery emails at 1 hour, 24 hours, and 72 hours still work. Do not stack retargeting pixels that collect card-adjacent data on the reminder page — that quietly drags you back toward SAQ A-EP.

SSL, HTTPS, and HSTS

HTTPS is table stakes. In 2026, a checkout page without HSTS is negligence.

• Use a free Let's Encrypt cert or your CDN-provided cert. Paid EV certificates stopped showing a green bar in browsers years ago.
• Force HTTPS at the edge. No mixed content, no HTTP fallback.
• Turn on HSTS with max-age=31536000; includeSubDomains; preload and submit to the preload list once every subdomain supports TLS.
• Disable TLS 1.0 and 1.1. Keep TLS 1.2 and 1.3. PCI-DSS 4.0 requires this.

For a step-by-step including the errors most people hit on the first try, see my SSL setup guide for business sites.

SQL injection and CSRF in 2026

Both of these are old. Both still show up in the OWASP Top 10 every cycle because frameworks let developers opt out of the safe path.

SQL injection happens when user input gets concatenated into a database query. Fix it with parameterized queries or an ORM. Every major framework — Laravel Eloquent, Django ORM, Rails ActiveRecord, Prisma, Drizzle — handles this by default. The trap is the raw query you wrote "just this once" for a search or report. Audit those.

CSRF (cross-site request forgery) tricks a logged-in customer's browser into making a state-changing request on your site. Fix with:

• CSRF tokens on every form that changes state (cart, address, checkout)
• SameSite=Lax or Strict cookies for session auth
• Re-auth required for password change and saved-card deletion

Modern frameworks ship CSRF protection on by default. Turn it off only if you know exactly what you are replacing it with.

The shop-owner security checklist

Copy this into a shared doc and walk it once a quarter.

Identity and access

• Admin 2FA on every CMS and hosting account
• Unique admin emails — no shared mailbox logins
• Quarterly review of who has admin access; remove ex-staff and ex-agencies

Payments

• A hosted payment flow that keeps you in SAQ A
• 3-D Secure 2 enabled for orders above your average ticket
• Radar (or equivalent) rules tuned to your real order pattern

Platform

• Core CMS, theme, and plugins updated monthly
• Staging site for testing updates before production
• Unused plugins and themes deleted, not just deactivated

Network

• WAF in front (Cloudflare, Sucuri, AWS WAF)
• Rate limits on /login, /register, /checkout, /cart
• DDoS protection via your CDN

Data

• Nightly off-site backups with a tested restore every quarter
• Customer PII encrypted at rest (database-level)
• No card numbers stored on your servers, ever

Monitoring

• Uptime monitor with SMS alerts
• Logs shipped to a place you can search (Datadog, Axiom, CloudWatch)
• Alert on new admin creation, plugin install, and any file change in /checkout

Incident readiness

• Written plan: who calls the processor, who notifies customers, who handles press
• Breach notification template ready for your state and any international customers
• Cyber insurance policy that names ecommerce as covered, not excluded

For the wider business-owner view across all site types, see my website security guide for business owners.

If the worst happens

A checklist is not a shield. If you get hit, the first 48 hours matter most. Isolate the compromised store, preserve logs, notify your processor, rotate every secret. I wrote a step-by-step playbook for that exact scenario: how to recover a hacked website.

How I set up stores for clients

When I build a new ecommerce project through custom web application development, the default 2026 stack is:

• Next.js 16 storefront on Vercel, or Laravel + Filament admin for catalog-heavy stores
• Stripe Payment Element or Adyen Drop-in — never a self-built card form
• Cloudflare in front with WAF rules and bot management
• Postgres or MySQL with field-level encryption for PII
• GitHub Actions running dependency scans on every PR

The lesson from the bolttech work that I keep coming back to: 90% of payment security is a setup decision, not an ongoing heroic effort. On the infrastructure side, the Imohub real estate portal shows how a disciplined stack keeps query times under 0.5s across 120k+ property records while cutting infrastructure cost by 70%. The same principles apply to a high-traffic checkout — most of the work is in picking the right defaults and refusing to drift from them.

FAQ

Do I need PCI compliance if I only take payments through Stripe?

Yes — you still attest to SAQ A once a year. Stripe provides a prefilled template and the whole exercise takes about 20 minutes.

Is Shopify really handling PCI for me?

For Shopify Payments, yes. For third-party gateways on Shopify, read the fine print. Anything that puts card fields back on your theme can push you out of SAQ A.

How often should I run a security audit?

Annually for most stores. Quarterly if you process over $5M GMV or handle any regulated category (health, alcohol, firearms). After any major stack change, regardless of size.

What is the cheapest useful security upgrade?

Admin 2FA plus a Cloudflare Pro plan at $20 per month. Together, those two stop most real attacks I see on small and mid-size stores.

Can I just buy cyber insurance and skip the work?

You can buy it, but the policy will not pay out if you lacked basic controls. Underwriters audit. Expect to prove MFA, backups, and patching before they cut a check.

Do I need a separate fraud tool if I use Stripe Radar?

Below $2M GMV, usually no. Above that, a dedicated tool like Forter, Signifyd, or Sift starts paying for itself in chargeback reduction alone.

Reflecting on the boring discipline

Ecommerce security in 2026 rewards boring discipline, not clever tooling. Keep card data off your servers. Keep your admins behind 2FA. Keep your software updated. Keep a tested backup. Everything else is tuning around the edges.

The stores that get into trouble are not the ones who skipped some advanced control. They are the ones who let "I will get to it" sit on the patch queue for six months. The fix is not a project. It is a recurring two-hour slot on the calendar. Boring is the entire point.

If you want someone to walk the checklist with you and quietly fix the gaps, I help shop owners do exactly that on a fractional CTO retainer or as a scoped project. Related reading: website security for business owners, hacked website recovery, SSL setup guide, WAF vs CDN, and the cost to build an MVP if you are still pre-launch.

Book a free strategy call and I will triage your biggest risks first.