E-Commerce Security Checklist: 30 Security Checks Every UK Online Retailer Must Run

How secure is your online store against the attacks that are actively targeting UK e-commerce retailers? This checklist walks through 30 security checks covering your e-commerce platform, payment processing, customer data protection, and compliance obligations — giving you a clear view of where your security stands and what needs attention.

Running this checklist identifies an average of 8 security gaps in UK e-commerce sites — and 3 of those gaps are typically critical or high severity.

E-Commerce Security Checklist

Work through the following checks for your online store:

  • Platform version — are you running the latest version of your e-commerce platform (Shopify, Magento, WooCommerce)? If Magento 1, migrate urgently.
  • Plugin/extension currency — are all installed plugins, themes, and extensions up to date? Are any unsupported or abandoned?
  • Admin account MFA — do all e-commerce admin accounts require multi-factor authentication?
  • Admin account inventory — are all active admin accounts current employees with a legitimate need for admin access?
  • Hosting/cPanel security — is your hosting control panel secured with MFA and a unique strong password?
  • SSL/TLS — is your site using TLS 1.2 or 1.3? Are you using a current, valid SSL certificate?
  • Payment page approach — do customers enter card details on a hosted payment page (SAQ A) or on your own site (additional controls required)?
  • Content Security Policy — do you have a CSP header configured that restricts external script sources and data destinations?
  • Third-party script inventory — can you name all JavaScript files loaded by your checkout page? Do you know what each one does?
  • File integrity monitoring — do you receive alerts when checkout-related files change unexpectedly?
  • Automated backups — are your site files and database backed up automatically? When did you last test a restore?
  • Penetration testing — when was the last penetration test of your e-commerce site? Were all findings remediated?
  • Customer account security — are customers encouraged or required to use strong passwords? Is MFA available?
  • Login rate limiting — is the customer login endpoint rate-limited to prevent credential stuffing attacks?
  • Error handling — do error pages reveal server or application version information that could aid an attacker?
  • GDPR privacy notice — is your privacy notice current, accurate, and accessible before data collection begins?
  • Cookie consent — do you have a compliant cookie consent mechanism for analytics and marketing cookies?
  • Email marketing consent — do you have documented, time-stamped consent records for all marketing email recipients?
  • Data retention — do you have and enforce a data retention policy for customer data, including old order records?
  • SAR process — do you have a documented process for responding to Subject Access Requests within 30 days?
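As an added example (not part of this checklist or of Kyanite Blue's tooling), the Python script below works the Content Security Policy and third-party script inventory checks together: it lists the external script origins a checkout page loads, parses the page's CSP header, and reports wildcard or unsafe-inline allowances plus any loaded script the policy would not permit. The checkout HTML, the two policies and the page origin are constructed assumptions; the script is offline and runs on saved page HTML and a header value you paste in.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_ORIGIN = "https://www.example-shop.co.uk"  # assumed origin of the checkout page ('self')
# Constructed sample: a checkout page with three external scripts, one inline script, and two policies.
CHECKOUT_HTML = """<html><head>
<script src="https://js.example-psp.com/v3/hosted-fields.js"></script>
<script src="https://cdn.example-analytics.net/tag.js"></script>
<script src="https://static.example-shop.co.uk/checkout.js"></script>
</head><body><script>trackStep('checkout');</script></body></html>"""
WEAK_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'"
HARDENED_CSP = ("default-src 'self'; script-src 'self' https://js.example-psp.com https://static.example-shop.co.uk; "
                "connect-src 'self' https://api.example-psp.com; frame-src https://js.example-psp.com")

class ScriptCollector(HTMLParser):  # records <script src> URLs and counts inline scripts
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], 0
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self.inline += 1

def script_inventory(html):
    """Return (sorted list of external script origins, number of inline scripts)."""
    p = ScriptCollector()
    p.feed(html)
    return sorted({f"{urlparse(s).scheme}://{urlparse(s).netloc}" for s in p.external}), p.inline

def parse_csp(header):
    """Parse a CSP header into {directive: [source expressions]}."""
    return {p.split()[0].lower(): p.split()[1:] for p in header.split(";") if p.split()}

def csp_findings(header, html, page_origin=PAGE_ORIGIN):
    """Weak directives, plus scripts on the page that the policy would not permit."""
    policy, findings = parse_csp(header), []
    origins, inline = script_inventory(html)
    for d in ("script-src", "connect-src"):  # where scripts load from, where data may be sent
        srcs = policy.get(d, policy.get("default-src", []))
        findings += [f"{d}: allows {w}" for w in ("*", "'unsafe-inline'", "'unsafe-eval'") if w in srcs]
    script_srcs = policy.get("script-src", policy.get("default-src", []))
    allowed = {page_origin if s == "'self'" else s for s in script_srcs}  # exact origins only
    if "*" not in allowed:
        findings += [f"script from {o} not in script-src: inventory it or remove it"
                     for o in origins if o not in allowed]
    if inline and "'unsafe-inline'" not in script_srcs:
        findings.append(f"{inline} inline script(s) need a nonce or hash")
    return findings
```

Against the hardened policy the only findings are the unlisted analytics script and the inline script, which is exactly the inventory question the checklist asks: every script on the checkout page should be either known and allow-listed or removed.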

Acting on Your Checklist Results

If you identified gaps in this checklist — particularly platform currency, MFA, CSP headers, or payment page approach — prioritise these first as they represent the highest-risk vulnerabilities. Kyanite Blue provides e-commerce security assessments that go deeper than this checklist — including active penetration testing of your checkout pages, Hadrian external attack surface assessment, and review of your third-party script inventory. Contact us for a complimentary 30-minute discussion of your e-commerce security posture.

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
