Cyber Essentials for ecommerce: what online stores need to know before applying

Ecommerce businesses face specific Cyber Essentials considerations around payment pages, customer data, and third-party integrations that other businesses do not.

An online retailer processing a few hundred orders a month has more attack surface than a professional services firm three times its size. The payment page alone introduces dependencies on third-party scripts, card processing integrations, and customer data flows that a law firm or accountancy practice simply doesn't have to think about. When that retailer applies for Cyber Essentials, all of that counts.

Cyber Essentials is often discussed in the context of professional services and public sector supply chains, where it's increasingly required as a condition of winning contracts. But ecommerce businesses have their own reasons to pursue certification, and their own specific considerations when they do, starting with the fact that the thing they're protecting, customer payment and personal data, is exactly what attackers are most interested in.

Why ecommerce businesses have more to think about

A standard business website might have a contact form and a brochure. An ecommerce site has a checkout flow, a payment gateway integration, customer account pages, order history, delivery address records, and often a stack of third-party scripts handling everything from analytics to live chat to abandoned cart recovery. Each integration is a dependency. Each dependency is something that needs to be in scope when you're assessing your security posture.

Cyber Essentials doesn't assess your payment gateway directly, since PCI DSS handles card processing compliance separately, but it does assess the environment around it: the devices your team uses to access order management systems, the security configuration of your web server, the email security on the domain your order confirmation emails come from, and whether the software running your store is kept current and supported.

The controls that matter most for an online store

Secure configuration covers your web server, your ecommerce platform, and any plugins or extensions running on top of it. A Shopify or WooCommerce store with fifteen active plugins each maintained by a different developer needs each of those plugins assessed as part of your overall configuration. A plugin that hasn't been updated in two years and is no longer actively maintained by its developer is a supported-software-versions problem under CE5, regardless of how minor it looks.

Email security matters for ecommerce specifically because your customers expect transactional emails from your domain: order confirmations, dispatch notifications, return authorisations. A domain without proper DMARC and SPF records is one that can be impersonated, and an attacker sending convincing-looking order confirmation emails from your domain to your own customers is a particularly damaging form of phishing.
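One way to check the email authentication records the paragraph above refers to, as an added example that is not from the original post or from Olimpio: it parses SPF and DMARC TXT records and flags the settings that leave a sending domain open to impersonation. The domain names and records are constructed for the example; a real check would replace the dictionary lookup with a DNS TXT query.

```python
# Constructed sample TXT records for made-up domains; a real check would
# replace SAMPLE_TXT.get with a DNS TXT query for the same names.
SAMPLE_TXT = {
    "weak-store.example": ["v=spf1 a mx +all"],
    "_dmarc.weak-store.example": ["v=DMARC1; p=none"],
    "good-store.example": ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.good-store.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good-store.example"],
}

def check_spf(domain):
    """Return findings for the domain's SPF record; empty list means it looks sound."""
    records = [r for r in SAMPLE_TXT.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return ["no SPF record: receivers cannot tell which servers may send as this domain"]
    findings = []
    # The terminal 'all' mechanism decides what happens to senders not listed.
    terms = records[0].lower().split()[1:]
    terminal = terms[-1] if terms else ""
    if terminal in ("+all", "all"):
        findings.append("SPF ends in +all: every sender on the internet is authorised")
    elif terminal == "?all":
        findings.append("SPF ends in ?all: neutral result, spoofed mail is not rejected")
    elif terminal not in ("-all", "~all"):
        findings.append("SPF has no terminal 'all' mechanism: unlisted senders default to neutral")
    return findings

def check_dmarc(domain):
    """Return findings for the _dmarc.<domain> record; empty list means it looks sound."""
    records = [r for r in SAMPLE_TXT.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not records:
        return ["no DMARC record: SPF failures are never enforced, so spoofed order emails get through"]
    tags = {}  # DMARC records are 'tag=value' pairs separated by semicolons
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC p tag missing or invalid: the record enforces nothing")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports showing who is spoofing the domain")
    return findings

def assess_domain(domain):
    """Combine SPF and DMARC findings for a storefront's transactional sending domain."""
    return {"spf": check_spf(domain), "dmarc": check_dmarc(domain)}
```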

Access control covers who in your team can access the order management system, customer records, and store backend. The principle of least privilege applies here exactly as it does in any other business: a warehouse assistant processing returns doesn't need the same access to customer data as the owner.

Malware protection and patching apply to every device your team uses to manage the store, including personal devices if they're used to log into the admin panel under a bring-your-own-device arrangement.

What an Olimpio scan surfaces for an ecommerce domain

When you run a scan on your ecommerce domain, Olimpio checks the external attack surface: the security headers on your storefront, email authentication records on your sending domain, SSL certificate configuration, open ports, and exposed configuration that shouldn't be publicly visible. These map directly to the CE2 Secure Configuration controls that make up the bulk of what an automated scan can assess.

The CE Readiness checklist then walks you through the self-assessment questions that a scan can't answer on its own: the device-level and process controls covering access management, malware protection, and patching. Together they give you a single consolidated view of what needs addressing before you apply.

Frequently asked questions

Do I need Cyber Essentials if I use Shopify or another hosted platform? Yes, even with a hosted platform, the controls covering your devices, your team's access, and your email domain still apply, and the platform itself needs to be in scope as part of your overall configuration assessment.

Does Cyber Essentials replace PCI DSS compliance for card payments? No, they address different things. PCI DSS covers card data handling specifically; Cyber Essentials covers your broader security posture. An ecommerce business processing card payments may need both.

What if we use a third-party payment page that we don't control directly? Outsourcing payment processing to a third party removes card data from your environment, which simplifies PCI DSS scope, but your Cyber Essentials scope still covers everything else: your devices, your admin access, your email domain, and your store configuration.

Can a small ecommerce business realistically get Cyber Essentials certified without an IT team? Yes, and many do. The controls are designed to be achievable without specialist staff, and tools like Olimpio's CE Readiness checklist are specifically built to make the self-assessment questions manageable for a non-technical business owner.

How often do ecommerce businesses fail Cyber Essentials on the first attempt? The most common failure points are outdated plugins, missing email security records, and inconsistent patching across devices, all of which are fixable with advance notice, which is exactly what the pre-assessment process is designed to give you.

Run a free scan of your ecommerce domain and your CE Readiness checklist will show you exactly what to fix before your assessor asks: olimpio.io/free-scan