Security in Ecwid

Customers leave some of their most sensitive information in your online store: their names, addresses, and credit card details. That’s why you need to be sure that all of the data in your store is processed securely and can’t be accessed by unauthorized parties. Find out what we do to protect your customers’ data.

Ecwid stores always run via HTTPS

Ecwid is always launched using an HTTPS connection. You can verify this at any time by inspecting your store’s network requests, for example in the Network tab of your browser’s developer tools.

In order to indicate that the checkout is secure, Ecwid shows a padlock image on the checkout page.

The Padlock icon shows that the connection is secure

If you installed Ecwid on your own website, remember to take care of the site’s security. Whether you do it or not, your Ecwid store will stay secure anyway, but it is best to protect the site itself as well.
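One way to run the network check described above, as an added example (not Ecwid’s code): save the page’s requests from the browser’s developer tools as a HAR file and list every request that did not use TLS, including resources loaded by the host site itself. The hostnames and HAR entries below are constructed for illustration.

```javascript
// Added example: audit a HAR export of the store page for non-TLS requests.
const SECURE = new Set(["https:", "wss:"]);
// Schemes resolved inside the browser; nothing crosses the network.
const LOCAL = new Set(["data:", "blob:", "about:"]);

function parse(raw, base) {
  try { return new URL(raw, base); } catch { return null; }
}

function findInsecureRequests(har) {
  const findings = [];
  for (const entry of har.log.entries) {
    const raw = entry.request.url;
    const url = parse(raw);
    if (!url) { findings.push({ url: raw, reason: "unparseable URL" }); continue; }
    if (LOCAL.has(url.protocol)) continue;
    if (!SECURE.has(url.protocol)) {
      findings.push({ url: url.href, reason: `sent over ${url.protocol}` });
      continue;
    }
    // A secure request can still bounce the browser to a cleartext URL.
    const redirect = entry.response && entry.response.redirectURL;
    const target = redirect ? parse(redirect, url) : null;
    if (target && !SECURE.has(target.protocol) && !LOCAL.has(target.protocol)) {
      findings.push({ url: url.href, reason: `redirects to ${target.href}` });
    }
  }
  return findings;
}

// Constructed sample: a host page, a store script, one cleartext image,
// an inline image, and a secure URL that redirects to cleartext.
const sampleHar = { log: { entries: [
  { request: { url: "https://shop.example/" }, response: { redirectURL: "" } },
  { request: { url: "https://widget.example/script.js" }, response: { redirectURL: "" } },
  { request: { url: "http://cdn.example/banner.png" }, response: { redirectURL: "" } },
  { request: { url: "data:image/png;base64,AAAA" }, response: { redirectURL: "" } },
  { request: { url: "https://shop.example/promo" },
    response: { redirectURL: "http://shop.example/promo.html" } },
] } };

for (const f of findInsecureRequests(sampleHar)) {
  console.log(`${f.url}: ${f.reason}`);
}
```

An empty result means every network request in the capture used HTTPS or WSS.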

Ecwid doesn’t collect credit card information

Neither Ecwid itself nor your store in particular deals with your customers’ credit card information. Ecwid doesn’t collect, store or process such data in any way.

Instead, Ecwid supports a number of popular payment gateways that process your customers’ payment information. These payment processors can be divided into two groups based on the way they interact with Ecwid.

Payments on the payment processor’s secure page

When a customer places an order, Ecwid sends the order information to the payment processor and then redirects the customer securely to the payment gateway’s website page where they enter their credit card information. When the payment is done, the payment processor sends a reply (callback) containing the payment status to Ecwid.

So, a customer’s payment information is processed on the payment processor side using a secure protocol.

Payments completed without leaving the store page 

Some payment processors (Stripe, Square, etc.) are integrated with Ecwid quite differently.

When these payment processors are used in a store, customers are not redirected to the payment processor page. They see the payment form right on the checkout page of the store.

In this case, Ecwid works within the customer’s browser. This means that when a customer enters their credit card information, the data is not transferred to the server where your website or store is located. Ecwid connects directly to the payment gateway via a highly secure channel and sends a request with the order information. This information is not transferred to Ecwid servers, and is not stored or collected by us. The payment gateway performs all the necessary operations with this data and returns a callback with the payment status to Ecwid.

This solution was verified and approved by a Qualified Security Assessor (QSA).

Ecwid is PCI DSS certified

PCI DSS stands for Payment Card Industry Data Security Standard. Ecwid is a PCI DSS validated Level 1 Service Provider, which is the highest international standard for secure data exchanges for online stores and payment systems. This standard was created by Visa, MasterCard, AmEx, Discover and JCB, and online stores must comply with it to be able to accept credit cards.

See Ecwid’s Attestation of Compliance with PCI DSS for Level 1 Service Providers.

Ecwid uses secure hosting

All the data in your Ecwid store — products, customers, general information — is stored with Ecwid, so we totally take care of it. We regularly check Ecwid with security scanners, update the software and create backups of your stores. We keep the data on a secure hosting server — Amazon Web Services, the most reliable and secure solution. 
