E-commerce & online stores

Your customers pay with trust.
Do they deserve that trust?

E-commerce sites hold payment data, addresses, and purchase histories. A security flaw doesn't just cost a GDPR fine — it kills customer trust and your revenue with it.

Applicable regulations

PCI-DSS

In force

Payment data security standard. Even if your PSP (Stripe, Mollie) handles the payments, you remain responsible for the security of your own environment.

GDPR — customer data

In force

Names, addresses, emails, purchase histories, payment data: your site stores personal data covered by GDPR.

EU Omnibus Directive

In force

Tighter transparency and security obligations for online sales platforms in the EU.

Common e-commerce vulnerabilities

  • Client-side price manipulation (changing the amount in payment requests)
  • Order enumeration through sequential IDs — reading other customers' orders
  • Customer account takeover through insecure password reset
  • Promo code bypass (reuse, stacking, negative amounts)
  • Product APIs leaking internal data (cost price, margins, exact stock)
  • Vulnerable WooCommerce or Prestashop plugins with unpatched CVEs

We regularly find price manipulation vulnerabilities on WooCommerce and Prestashop stores — modifying order amounts before they reach the payment processor.
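As an added illustration of the server-side fix (example code written for this page, not taken from WooCommerce, Prestashop or the auditor's own tooling), a checkout routine that recomputes the amount from a server-side catalogue, ignores any client-supplied price, and enforces the promo-code rules listed above; the catalogue, promo table and cart format are constructed assumptions.

```python
"""Server-side checkout validation: never trust client-supplied amounts.

Added example, not code from the original page. The catalogue, promo table
and cart format below are constructed stand-ins for a real store's database.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed server-side catalogue: the only source of truth for prices.
CATALOG = {"sku-100": Decimal("49.90"), "sku-200": Decimal("12.50"), "sku-300": Decimal("3.00")}

# Constructed promo table: fixed discount, single use per customer, no stacking.
PROMOS = {"WELCOME10": Decimal("10.00")}


@dataclass
class Checkout:
    used_promos: dict = field(default_factory=dict)  # customer_id -> set of codes

    def total(self, customer_id: str, cart: list, promo_codes: list) -> Decimal:
        """Compute the amount to send to the PSP from server data only.

        `cart` is the client's request: [{"sku": ..., "qty": ..., "price": ...}].
        Any client-supplied "price" is ignored; qty must be a positive int.
        """
        subtotal = Decimal("0")
        for line in cart:
            sku, qty = line.get("sku"), line.get("qty")
            if sku not in CATALOG or not isinstance(qty, int) or qty <= 0:
                raise ValueError(f"invalid cart line: {line!r}")
            subtotal += CATALOG[sku] * qty  # the client's "price" is never consulted

        if len(promo_codes) > 1:
            raise ValueError("promo codes cannot be stacked")
        discount = Decimal("0")
        used = self.used_promos.setdefault(customer_id, set())
        for code in promo_codes:
            if code not in PROMOS or code in used:
                raise ValueError(f"promo code rejected: {code}")
            discount = PROMOS[code]
            used.add(code)  # single use: recorded before the amount leaves the server

        # A discount can never push the amount below zero.
        return max(subtotal - discount, Decimal("0"))
```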

Need an external review of your online store?

Share your product, stack, and client context. We will come back with the right review scope.

Discuss your audit