Security in Ecwid
Customers share some of their most sensitive information in your online store, including their names, addresses, and credit card details. That’s why we put forward our best effort to process data in a completely secure manner. Find out what we do to protect your customers’ data.
Ecwid stores always run via HTTPS
Ecwid is always launched over an HTTPS connection. You can verify this at any time by inspecting your store’s network sessions. To indicate that checkout is secure, Ecwid shows a message on the checkout page.
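One way to carry out the network-session check described above, as an added example that is not Ecwid's code: export the checkout session from the browser's network panel as a HAR file and flag every request or redirect that leaves HTTPS. The hostnames and the sample HAR below are constructed placeholders, not real Ecwid endpoints.

```javascript
// Added example: audit a HAR export of a checkout session for non-HTTPS traffic.
// Hostnames are constructed placeholders, not real Ecwid endpoints.
const LOCAL_SCHEMES = new Set(["data:", "blob:", "about:"]);
const SECURE_SCHEMES = new Set(["https:", "wss:"]);

function auditHar(har) {
  const findings = [];
  for (const entry of har.log.entries) {
    const url = new URL(entry.request.url);
    if (LOCAL_SCHEMES.has(url.protocol)) continue; // never leaves the browser
    if (!SECURE_SCHEMES.has(url.protocol)) {
      findings.push({ type: "insecure-request", url: url.href });
      continue;
    }
    // A secure request can still be downgraded by a redirect to http://.
    const location = (entry.response.headers || []).find(
      (h) => h.name.toLowerCase() === "location"
    );
    if (location) {
      const target = new URL(location.value, url); // resolves relative redirects
      if (!SECURE_SCHEMES.has(target.protocol)) {
        findings.push({ type: "insecure-redirect", url: url.href, to: target.href });
      }
    }
  }
  return findings;
}

// Constructed sample HAR, trimmed to the fields the audit reads.
const sampleHar = {
  log: {
    entries: [
      { request: { url: "https://store.example/checkout" }, response: { status: 200, headers: [] } },
      { request: { url: "https://cdn.example/widget.js" }, response: { status: 200, headers: [] } },
      { request: { url: "http://img.example/banner.png" }, response: { status: 200, headers: [] } },
      { request: { url: "https://store.example/pay" },
        response: { status: 302, headers: [{ name: "Location", value: "http://pay.example/form" }] } },
      { request: { url: "https://store.example/cart" },
        response: { status: 302, headers: [{ name: "location", value: "/checkout" }] } },
      { request: { url: "data:text/plain,ok" }, response: { status: 200, headers: [] } },
    ],
  },
};

const findings = auditHar(sampleHar);
for (const f of findings) console.log(f.type, f.url, f.to ? "-> " + f.to : "");
```

An empty result on a real export means every captured request and redirect stayed on HTTPS or WSS; it says nothing about requests that were not captured in that session.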
Ecwid doesn’t collect credit card information
Ecwid does not actually handle your customers’ credit card information. In fact, we don’t collect, store, or process such data in any way. Rather, Ecwid supports a number of popular payment gateways that process your customers' payment information. These payment processors can be divided into two groups based on the way they interact with Ecwid.
Payments on the payment processor’s secure page
When a customer places an order, Ecwid sends the order information to the payment processor and securely redirects the customer to the payment gateway’s web page where they enter their credit card information. When payment is complete, the payment processor sends a reply (callback) confirming payment to Ecwid.
Payments completed without leaving the store page
Some payment processors (Lightspeed Payments, Stripe, Square, etc.) are integrated with Ecwid differently. With these payment processors, customers are not redirected. Instead, they see a payment form right on the store’s checkout page.
In this case, Ecwid works within the customer’s browser. This way, when a customer enters their credit card information, the data is not transferred to the server where your website or store is located. Ecwid connects directly to the payment gateway via a highly secure channel and sends a request with the order information. This information is not transferred to Ecwid servers, does not pass through them, and is not stored by us. The payment gateway performs all operations with this data and returns a callback confirming payment to Ecwid.
This solution was verified and approved by a Qualified Security Assessor (QSA).
Ecwid is PCI DSS certified
PCI DSS stands for Payment Card Industry Data Security Standard, and Ecwid is a PCI DSS validated Level 1 Service Provider. This is the highest international standard for secure data exchanges for online stores and payment systems.
See Ecwid’s Attestation of Compliance with PCI DSS for Level 1 Service Providers.
Ecwid uses secure hosting
All data in your Ecwid store — products, customers, general information — is stored with Ecwid. We regularly scan Ecwid for breaches and protect this information with software updates and backups of your stores’ information. We store our data on Amazon Web Services — the most reliable and secure hosting solution.