E-commerce Penetration Testing

Your checkout handles real money. We test what stands between it and an attacker.

Manual penetration testing for online retailers, marketplaces, and payment platforms. Fixed pricing, UK-based consultants, and reports written to satisfy PCI DSS and enterprise procurement requirements.

Why E-commerce Teams Commission Testing

What triggers a penetration test for an online retailer

E-commerce security testing is usually prompted by a compliance requirement, a significant platform change, or a specific incident. These are the most common reasons online retail teams reach out.

01

PCI DSS requirement

Any business that stores, processes, or transmits cardholder data must comply with PCI DSS, which requires penetration testing at least annually and after any significant infrastructure change. A test from an independent provider is required to satisfy the standard.

02

A platform relaunch or migration

Replatforming, migrating to a headless architecture, or launching a new checkout integration introduces new attack surface. Testing before go-live is significantly cheaper than responding to an incident post-launch.

03

Enterprise or marketplace partner requires it

Retailers supplying enterprise clients, or sellers on third-party marketplaces, are increasingly required to demonstrate security testing as part of supplier due diligence or platform onboarding. A pentest report and attestation of testing from a credible provider satisfies most of these requirements.

04

A previous security incident or near-miss

Account takeover campaigns, card-skimming scripts, and checkout-page injection are persistent threats to e-commerce platforms. A prior incident, or a near-miss flagged by monitoring, is often the catalyst to commission a thorough independent assessment.

What We Test

The attack surface for e-commerce platforms

E-commerce platforms carry a specific set of risks: payment and checkout logic that can be manipulated for financial gain, customer accounts that are high-value targets for takeover, and a heavy reliance on third-party scripts that introduce supply-chain risk. Our testing is built around your platform's actual architecture, not a generic web application checklist.

Checkout and payment flow security

Manual testing of the entire purchase flow for price and quantity manipulation, discount and coupon abuse, currency and rounding errors, and order forgery. We verify that your application enforces pricing and inventory constraints server-side, not just in the browser.

Payment integration testing

Testing of your integration with payment providers (Stripe, Braintree, PayPal, etc.) for token mishandling, webhook replay, and manipulation of callback data. We verify that payment confirmation is validated server-side and cannot be spoofed by a malicious client.

Account security and takeover

Testing of registration, login, and account management flows for credential stuffing exposure, weak password reset mechanisms, insecure session handling, and MFA bypass. E-commerce accounts with saved payment methods are high-value targets; we test accordingly. See our web application penetration testing service for a full methodology breakdown.

Third-party script and supply-chain risk

Review of third-party JavaScript loaded on checkout and account pages, including tag managers, analytics, chat widgets, and marketing pixels. Magecart-style attacks compromise checkout pages by injecting skimming scripts via third-party dependencies. We identify scripts with access to sensitive form fields and payment data.

API and backend security

Testing of product, order, and customer APIs for broken authorisation (can one customer access another's orders?), mass assignment, rate limiting gaps, and injection vulnerabilities. Headless and API-first commerce platforms expose significant backend functionality that requires explicit testing. See our API penetration testing service.

Admin panel and infrastructure exposure

Review of externally exposed admin panels, order management systems, and staging or preview environments. Admin credential compromise is one of the most common entry points for e-commerce breaches and is frequently trivial to exploit when access controls are not properly restricted.

What You Receive

Deliverables from every engagement

Every engagement produces the same core deliverables as standard. There are no add-on fees for the report, debrief, or retesting.
01

Executive report

A non-technical summary of findings, risk ratings, and remediation priorities, suitable for senior stakeholders, enterprise procurement audiences, and PCI DSS QSA review.
02

Technical report

A detailed findings report with reproduction steps, severity scoring (CVSS), evidence, and remediation guidance. Structured to support PCI DSS evidence requirements and standard security questionnaire responses.
03

Debrief session

A call to present findings, discuss remediation priorities, and answer questions from your development and operations teams. Included as standard.
04

Free retesting

For external or application security tests, once you've remediated findings, we retest the affected areas at no additional cost to confirm the fixes hold before you share the report with partners or auditors.

Common Questions

E-commerce penetration testing: frequently asked questions

Our penetration testing methodology aligns with PCI DSS v4.0 penetration testing requirements, covering both the cardholder data environment (CDE) and connected systems. The technical report is structured to support your QSA's evidence requirements.

If you have specific segmentation testing requirements or a defined PCI DSS scope, include that in your quote request and we'll confirm exactly what's covered in the written proposal.

We prefer to test against a staging environment for e-commerce platforms, particularly where live payment processing is involved. If a production test is required, we agree rules of engagement in advance that define excluded functionality and confirm that no live transactions will be triggered during testing.

We discuss the testing environment during the scoping call and confirm all constraints in the written proposal before any testing begins.

Yes, subject to platform terms of service. We test the application layer of your store, including your custom theme, extensions, and integrations, rather than the underlying platform infrastructure.

For hosted platforms like Shopify, we focus on the application logic, third-party apps, checkout flow, and API integrations within what the platform permits. We'll clarify scope and constraints during the scoping call.

Pricing is fixed-scope, based on the complexity of the checkout flow, the number of user roles, and the integrations in scope. A standard e-commerce assessment starts from around £2,700, with API testing and third-party script review typically included or scoped as a combined engagement.

See our penetration testing pricing page for more detail, or request a quote and we'll respond with a fixed-price proposal within one business day.

Before testing begins, we'll ask for:

  • Test accounts at each relevant user role (customer, admin, etc.)
  • Access to a staging or test environment, or written approval to test production under agreed constraints
  • Details of any payment integrations in scope and the test credentials or sandbox accounts for them
  • A list of any systems or functionality to exclude from testing

We confirm all of this in the written proposal before testing starts.

Ready to scope your e-commerce penetration test?

Tell us about your platform and payment integrations and we'll respond with a fixed-price proposal within one business day. No obligation.