E-commerce Penetration Testing
Your checkout handles real money. We test what stands between it and an attacker.
Why E-commerce Teams Commission Testing
What triggers a penetration test for an online retailer
E-commerce security testing is usually prompted by a compliance requirement, a significant platform change, or a specific incident. These are the most common reasons online retail teams reach out.
PCI DSS requirement
Any business that stores, processes, or transmits cardholder data must comply with PCI DSS, which requires penetration testing at least annually and after any significant infrastructure change. A test from an independent provider is required to satisfy the standard.
A platform relaunch or migration
Replatforming, migrating to a headless architecture, or launching a new checkout integration introduces new attack surface. Testing before go-live is significantly cheaper than responding to an incident post-launch.
Enterprise or marketplace partner requires it
Retailers supplying enterprise clients, or sellers on third-party marketplaces, are increasingly required to demonstrate security testing as part of supplier due diligence or platform onboarding. A pentest report and attestation of testing from a credible provider satisfies most of these requirements.
A previous security incident or near-miss
Account takeover campaigns, card-skimming scripts, and checkout-page injection are persistent threats to e-commerce platforms. A prior incident, or a near-miss flagged by monitoring, is often the catalyst to commission a thorough independent assessment.
What We Test
The attack surface for e-commerce platforms
E-commerce platforms carry a specific set of risks: payment and checkout logic that can be manipulated for financial gain, customer accounts that are high-value targets for takeover, and a heavy reliance on third-party scripts that introduce supply-chain risk. Our testing is built around your platform's actual architecture, not a generic web application checklist.
Checkout and payment flow security
Payment integration testing
Account security and takeover
Third-party script and supply-chain risk
API and backend security
Admin panel and infrastructure exposure
What You Receive
Deliverables from every engagement
Executive report
Technical report
Debrief session
Free retesting
Common Questions
E-commerce penetration testing: frequently asked questions
Our penetration testing methodology aligns with PCI DSS v4.0 penetration testing requirements, covering both the cardholder data environment (CDE) and connected systems. The technical report is structured to support your QSA's evidence requirements.
If you have specific segmentation testing requirements or a defined PCI DSS scope, include that in your quote request and we'll confirm exactly what's covered in the written proposal.
We prefer to test against a staging environment for e-commerce platforms, particularly where live payment processing is involved. If a production test is required, we agree rules of engagement in advance that define excluded functionality and confirm that no live transactions will be triggered during testing.
We discuss the testing environment during the scoping call and confirm all constraints in the written proposal before any testing begins.
Yes, subject to platform terms of service. We test the application layer of your store, including your custom theme, extensions, and integrations, rather than the underlying platform infrastructure.
For hosted platforms like Shopify, we focus on the application logic, third-party apps, checkout flow, and API integrations within what the platform permits. We'll clarify scope and constraints during the scoping call.
Pricing is fixed-scope, based on the complexity of the checkout flow, the number of user roles, and the integrations in scope. A standard e-commerce assessment starts from around £2,700, with API testing and third-party script review typically included or scoped as a combined engagement.
See our penetration testing pricing page for more detail, or request a quote and we'll respond with a fixed-price proposal within one business day.
Before testing begins, we'll ask for:
- Test accounts at each relevant user role (customer, admin, etc.)
- Access to a staging or test environment, or written approval to test production under agreed constraints
- Details of any payment integrations in scope and the test credentials or sandbox accounts for them
- A list of any systems or functionality to exclude from testing
We confirm all of this in the written proposal before testing starts.
Ready to scope your e-commerce penetration test?
Tell us about your platform and payment integrations and we'll respond with a fixed-price proposal within one business day. No obligation.
