E-commerce is the front line of card fraud
Every online storefront is a target. Card-not-present fraud hit $38 billion globally in 2024. Account takeover attacks continue to rise. Magecart skimming campaigns compromise checkout pages across tens of thousands of sites simultaneously. PCI DSS 4.0, whose future-dated requirements became mandatory on 31 March 2025, tightens controls that fall specifically on e-commerce: payment page script inventory and integrity, change and tamper detection on payment pages, MFA for all access into the cardholder data environment, and stricter enforcement of the annual penetration testing that was already required.
Valtik works with DTC brands, multi-brand retailers, marketplaces, and commerce platforms across Shopify, WooCommerce, Magento, BigCommerce, Salesforce Commerce Cloud, and custom builds. Our engagements map directly to PCI DSS 4.0 requirements and the fraud patterns actually hurting merchants.
Who we work with
Direct-to-consumer brands
DTC brands from emerging to $100M+ revenue. Typical engagements focus on Shopify security configuration, custom theme code audit, app ecosystem vetting, payment page script monitoring, and social engineering defense for customer service teams.
Multi-brand retailers and marketplaces
Multi-brand operations running headless commerce, marketplaces connecting vendors and buyers, and retailers with franchisee or reseller networks. Tenant isolation, API security, and vendor onboarding controls become first-class concerns.
Commerce platforms and tech vendors
Companies selling into merchants (OMS, PIM, subscription platforms, returns management, fraud screening). PCI DSS alignment for Service Providers, SOC 2 for B2B distribution, and the security questionnaire responses enterprise merchant customers require.
Payment processors and acquirers
PCI DSS for Service Providers is a different scope from merchant compliance. Our engagements cover Level 1 and Level 2 Service Provider requirements, including the more stringent pentest cadence (segmentation testing at least every six months rather than annually, on top of the annual internal and external tests) and the evidence a QSA expects from a provider that hosts or processes cardholder data for many merchants.
PCI DSS 4.0 changes that hit e-commerce hardest
Requirement 6.4.3. Payment page script inventory and integrity
Every script loaded and executed in the consumer's browser on a payment page must be inventoried with a written justification for why it is needed, explicitly authorized, and have its integrity assured (a method that confirms each script has not been modified). Third-party scripts (analytics, chat, A/B testing, ad pixels) are the primary gap. Merchants who have never audited payment page scripts are failing this.
Requirement 11.6.1. Change and tamper detection on payment pages
Unauthorized modification of the HTTP headers and the content of payment pages, as received by the consumer's browser, must be detected and alerted on, with the evaluation run at least once every seven days or at a frequency set by the merchant's targeted risk analysis. This is the defense against Magecart-style injections. Implementation options: subresource integrity hashes paired with a Content Security Policy that reports violations (SRI on its own blocks a modified script but alerts no one), client-side monitoring tools (Feroot DomainGuard, Human Security), or custom change detection that periodically fetches the page and its scripts, hashes them, and diffs the result against an authorized baseline.
Requirements 8.4.2 and 8.5.1. MFA for all access into the CDE
MFA is required for all access into the cardholder data environment, not only administrative access, and the implementation must be replay-resistant, must not be bypassable by any user (administrators included), and must grant access only after every factor succeeds. SMS and email one-time codes are the weakest options because they are easily intercepted and phished; TOTP meets the requirement but is still phishable, so phishing-resistant factors (FIDO2 security keys, passkeys) are what we recommend for admin and remote access. Enforcement is strict under 4.0: MFA can no longer be limited to the remote-access and administrator cases that 3.2.1 covered.
Requirement 11.4. Penetration testing
Annual internal and external penetration tests plus segmentation testing (at least every 12 months for merchants, every six months for service providers), with exploitable findings corrected and retested. Unchanged in concept from 3.2.1, but enforcement is stricter. See our PCI DSS 4.0 Penetration Testing page.
Common e-commerce findings
Price and coupon logic flaws
Race conditions at checkout (a single-use coupon or gift card redeemed twice by concurrent requests), coupon stacking, quantity manipulation to trigger negative totals, and bulk-order logic that bypasses fraud limits. Business logic testing is where the real dollars-per-finding show up for e-commerce clients.
Third-party app risk
Shopify, WooCommerce, and Magento ecosystems include tens of thousands of apps. Every app installed expands your attack surface. We inventory installed apps, assess permissions, and identify the ones that do not belong.
Admin panel exposure
Magento admin at predictable paths, WordPress admin on e-commerce sites, Shopify custom apps with overly permissive scopes. Compromise of admin access typically means full store takeover.
Account takeover
Credential stuffing with leaked breach data, replay of stolen session tokens, and insufficient rate limiting on login. ATO leads to stored-card fraud, loyalty point theft, and fraudulent orders. Defenses include MFA, device fingerprinting, behavioral analytics, per-IP and per-account rate limiting, and integration with threat intelligence feeds such as compromised-credential lists.
API security
Headless commerce expands the API attack surface. GraphQL introspection left enabled in production, IDOR on REST order endpoints (an order ID that any authenticated customer can read or modify), and authentication gaps on internal APIs exposed to the storefront. We test every API endpoint with the OWASP API Security Top 10 as the baseline.
Services for e-commerce clients
- PCI DSS 4.0 Penetration Testing. Annual mandatory testing
- Payment page script monitoring setup (Req 6.4.3 and 11.6.1)
- Business logic and checkout flow testing
- Account takeover defense assessment
- API security testing for headless commerce
- Third-party app and integration risk review
- Fraud pattern analysis and prevention
- Post-breach assessment and Magecart remediation
