E-commerce Security: how to harden checkout, payments, and customer data against skimming, fraud, and DDoS

Online stores concentrate payments and personal data at high volume, with permanent public exposure and dependence on third-party plugins. Decripte structures the defense from the edge to compliance and responds to skimming, fraud, and downtime incidents with a containment SLA of up to 1 hour.

Direct answer

To protect an e-commerce operation, Decripte combines four fronts that cover the full risk cycle: Edge Security (WAF, anti-DDoS, and bot protection) to block attacks before they reach the application; a 24x7 SOC monitoring script integrity at checkout (the core defense against web skimming/Magecart); recurring Pentesting to find flaws in plugins, payment integrations, and APIs before the criminal does; and PCI-DSS and LGPD compliance so that the handling of card and customer data withstands an audit and any eventual incident. In the event of a compromise, Decripte's Incident Response operates with a containment SLA of up to 1 hour, isolating the vector, preserving forensic evidence, and restoring the operation. The starting point is the free assessment at decripte.com.br/intelligence-center, which maps the store's public attack surface at no cost. To get started, decripte.io/start.

24/7

SOC monitoring checkout integrity

<=1h

Incident Response containment SLA

PCI-DSS

Requirement for anyone processing card data

LGPD

Law applicable to all customer data

In summary

  • Web skimming (Magecart) is the most dangerous attack in e-commerce because it steals card data straight from the customer's browser, without touching the store's database, and often goes unnoticed for weeks — defending against it requires script integrity monitoring, not just a firewall.
  • The dependence on third-party plugins, themes, and tags (analytics, pixels, gateways) creates a software supply chain in the front-end: a single compromised script at one vendor contaminates the checkout of hundreds of stores.
  • Peak dates (Black Friday, Mother's Day, Christmas) concentrate revenue and criminal attention at the same time: that is when the peaks of DDoS, payment fraud, and bot-driven inventory attacks occur.
  • Anyone who processes, stores, or transmits card data is subject to PCI-DSS; anyone who handles customers' personal data is subject to LGPD, with a duty to notify the ANPD and the data subjects in a relevant incident.
  • Decripte covers the full cycle: Edge Security blocks the attack, the 24x7 SOC detects the anomaly, Pentesting closes the gap before the criminal does, and Compliance prepares the operation for the audit and for the worst-case scenario.
  • In an incident, rapid containment (up to 1h) and evidence preservation determine the size of the loss: each hour of card exfiltration means more harmed customers and greater regulatory exposure.
Varejo e E-commerce

Cibersegurança para E-commerce

Online stores concentrate payments and personal data at high volume, with permanent public exposure and dependence on third-party plugins. Decripte structures the defense from the edge to compliance and responds to skimming, fraud, and downtime incidents with a containment SLA of up to 1 hour.

Why e-commerce is a permanent, not seasonal, target

An online store is, by definition, an application exposed to the public internet 24 hours a day, receiving payment data and personal data in continuous volume. Unlike an internal system, it cannot hide behind a VPN or a corporate network: the attacker and the legitimate customer arrive through the same door. This structural exposure makes digital retail one of the most targeted sectors, and the attack is not an isolated opportunistic act — it is industrialized, automated, and driven by direct financial return. Stolen cards have immediate liquidity in underground markets; customer accounts are worth their data and their loyalty points; and the store's own unavailability can be monetized through extortion.

What makes e-commerce particularly hard to defend is its architecture. The modern store is not a monolithic block controlled by the company: it is a composition of platform (Magento, Shopify, VTEX, WooCommerce, headless platforms), themes, plugins, payment gateways, analytics tools, marketing pixels, chats, recommenders, and dozens of third-party scripts that load in the customer's browser. Each of these components is a vendor, and each vendor is a door. The attack surface of digital retail, therefore, does not end at the company's server — it extends across the entire software supply chain that runs in the front-end.

The real surface of an online store

  • E-commerce application and platform (core, themes, customizations)
  • Third-party plugins and extensions (shipping, payment, loyalty, reviews)
  • Client-side marketing and analytics scripts (tags, pixels, recommenders)
  • Integration with payment gateway and acquirer (PCI-DSS scope)
  • Catalog, cart, login, and checkout APIs (target of bots and scraping)
  • Admin panel and operator accounts (target of credential stuffing)
  • Edge infrastructure: DNS, CDN, certificates, load balancers

The practical consequence is that the defense cannot be piecemeal. Protecting only the server leaves the client-side checkout open to skimming; protecting only the application leaves the edge open to DDoS; and protecting everything technically, but without compliance, leaves the company legally exposed when the incident happens. Decripte treats e-commerce as a complete system — from the edge to the data, from prevention to response.

Web skimming and Magecart: the attack that steals cards without touching your database

Web skimming, also known by the name of the group that popularized it, Magecart, is the most insidious attack in e-commerce because it defies the security intuition of most companies. It does not break into the database, does not leak a table dump, does not trigger the traditional exfiltration alerts on the server. Instead, the attacker injects a small snippet of malicious JavaScript into the checkout page. This code runs in the customer's own browser and, as the person types the card number, expiration date, and CVV into the form fields, it silently copies that data and sends it to a server controlled by the criminal — in parallel with the legitimate processing of the payment. To the customer, the purchase happens normally. To the store, nothing seems wrong. The card, however, has already been cloned.

What makes Magecart especially dangerous is the entry vector. The attacker rarely compromises the store's server directly. Instead, they compromise a component of the front-end software supply chain: an outdated plugin, a theme with a known vulnerability, a JavaScript library hosted by a third party, or the server of an analytics or widget vendor. When that component is loaded by the checkout page, the malicious code comes along with it. A single compromised vendor can simultaneously contaminate the checkout of hundreds of stores that trust that script — it is a supply chain attack with a multiplier effect.

Why a traditional WAF, on its own, does not catch skimming

An application firewall inspects the traffic that reaches the server. Magecart skimming, however, runs in the customer's browser and exfiltrates the data to the attacker's external domain, without passing through the store's server. That is why the core defense is not just the WAF: it is script integrity monitoring (Subresource Integrity, Content Security Policy with reporting, and detection of changes in the checkout DOM) combined with the SOC's continuous surveillance of the domains to which the payment page is sending data. Without this, the exfiltration can last weeks.

The detection window is what separates a controlled incident from a catastrophe. Public Magecart cases show that the code can remain active for weeks or months before being noticed, usually because the discovery comes from outside — an acquirer flags mass fraud associated with the store, or a researcher finds the exfiltration domain. The longer the skimmer stays active, the more cards are stolen, the greater the number of harmed customers, and the more severe the company's exposure before the card brand, the acquirer, and the ANPD.

Controls that reduce skimming risk

  • Restrictive Content Security Policy: an explicit list of domains authorized to load scripts and to receive data (connect-src)
  • Subresource Integrity (SRI) on third-party scripts, to detect changes to the content
  • Checkout integrity monitoring: alerts when a new script or network destination appears on the payment page
  • Inventory and periodic review of all third-party scripts loaded in the front-end
  • Isolation of the card form (hosted fields / gateway iframe) to reduce the PCI scope and exposure to skimming
  • Disciplined hardening and updating of the platform, themes, and plugins (the most common entry vector)
Gestão de Ameaças · Grátis

Is e-commerce data already exposed or up for sale? Find out now — for free.

Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.

Payment fraud, chargeback, and bots: the silent loss of the operation

Not every attack on e-commerce seeks to break into the company — a good part seeks to abuse the store working exactly as it should. Payment fraud uses stolen cards (often obtained via skimming at other stores) to make purchases that are legitimate from a technical standpoint. When the real cardholder disputes the charge, the chargeback comes: the store loses the merchandise, loses the amount, pays fees, and also accumulates dispute rates that, if high, lead to penalties and even termination by the acquirer. Payment fraud, therefore, is not just a unit loss — it is an operational risk that threatens the very ability to process cards.

Bots are the engine of much of this abuse and of several others. Credential stuffing bots test, en masse, combinations of email and password leaked on other sites to hijack customer accounts (with their saved cards and loyalty points). Card testing bots validate lists of stolen cards by making micro-transactions at the store, generating noise and fees. Scraping bots copy the entire catalog, prices, and stock for competitors or aggregators. And inventory hoarding bots add high-demand products to the cart en masse to exhaust stock and resell them — a chronic problem in launches and peak dates.

The bot traffic the store does not see in Google Analytics

  • Credential stuffing: account hijacking with credentials leaked from third parties
  • Card testing: validation of stolen cards via micro-transactions
  • Catalog and price scraping: unauthorized competitive intelligence
  • Inventory hoarding / scalping: artificial stock exhaustion at launches
  • Fake account creation: abuse of coupons, cashback, and referral programs
  • Inventory denial: products locked in carts to sabotage the operation

Combating this abuse is a specific discipline: bot management at the edge, which distinguishes legitimate human traffic from malicious automation through behavioral signals, source reputation, adaptive challenges, and pattern analysis — without harming the real customer's experience or legitimate bot traffic (such as search crawlers). Decripte implements this layer in Edge Security and correlates the events in the SOC, so that a spike in login attempts or declined transactions becomes an investigable alert, not just a line in a log.

Technical anti-fraud vs. business anti-fraud

There is an important distinction. Transactional anti-fraud (transaction risk scoring, gateway/acquirer rules, purchase behavior analysis) is a business layer that reduces chargebacks. Cybersecurity acts on the prior and parallel layer: preventing credentials from being tested en masse, cards from being validated in your store, accounts from being hijacked, and the checkout from being tampered with. Decripte strengthens this cyber layer and integrates it with the existing anti-fraud — the two need to talk to each other.

DDoS and downtime on peak dates: when every minute offline is lost revenue

For e-commerce, availability is direct revenue. Every minute the store is offline during a campaign is a lost sale that does not come back — the customer goes to the competitor and, often, does not return. That is why digital retail is a recurring target of distributed denial-of-service (DDoS) attacks, and the timing is not random: attackers choose exactly the moments of greatest value — Black Friday, Mother's Day, Christmas, launches, and sales — because that is when downtime hurts most and when the pressure to 'make the problem go away' is greatest, opening space for extortion (ransom DDoS).

Denial-of-service attacks have distinct layers and require distinct defenses. Volumetric attacks (layers 3 and 4) try to saturate the bandwidth and infrastructure with raw traffic, and are mitigated at the edge, before they reach the origin, by an absorption network with capacity far greater than that of the attack. Layer 7 (application) attacks, on the other hand, are more sophisticated: they simulate legitimate requests — searches, cart additions, logins — to exhaust expensive back-end resources with relatively low volume, easily confused with a genuine Black Friday peak. Distinguishing one from the other in real time, under pressure, is precisely the SOC's job.

The Black Friday paradox

On the date of greatest legitimate traffic, the store must absorb real peaks without blocking customers and, at the same time, repel layer 7 DDoS that disguises itself as a customer. Rules that are too strict block real buyers and kill conversion; rules that are too loose let the attack through. The correct response is not static: it is active monitoring in the SOC, with fine-tuning of edge rules in real time during the critical window. That is why Decripte treats peak dates as an operational regime of their own, with prior preparation and dedicated on-call coverage.

Defense against downtime goes beyond DDoS. It involves infrastructure hardening, capacity planning, well-configured cache and CDN, DNS resilience, and a response plan that includes adaptive rate limiting and waiting rooms to degrade gracefully instead of going down completely. Decripte structures this layer in Edge Security and validates it in the simulations that precede the major dates.

Customer data breach: the LGPD dimension of the incident

Every online store is, in the language of LGPD, the controller of a large base of personal data: name, CPF, address, phone, purchase history, and frequently payment data. A leak of this base — whether through an application breach, exploitation of a poorly protected API, compromise of a plugin, or a misconfiguration that exposes a bucket or a database — is not just a technical and reputational problem: it is a regulatory incident that triggers concrete legal duties.

The General Data Protection Law (Law 13.709/2018) determines that, in a security incident that may entail relevant risk or harm to the data subjects, the controller must notify the National Data Protection Authority (ANPD) and the affected data subjects within a reasonable time, in accordance with the ANPD's current regulations on incident communication. The company must demonstrate that it adopted adequate security measures, that it detected the incident, that it contained it, and that it is mitigating the harm. Without detection capability and without preserved forensic evidence, the store cannot even gauge the size of the leak — and answering 'we don't know what was exposed' to the ANPD and to the customer is the worst possible scenario.

The store's duties in a breach (LGPD/ANPD view)

  • Notify the ANPD and the data subjects when there is relevant risk or harm, within the timeframe of the applicable regulation
  • Maintain a record of processing operations and of the security measures adopted (accountability)
  • Demonstrate technical and administrative measures capable of protecting the data (art. 46 of LGPD)
  • Contain the incident, preserve evidence, and gauge the real scope of what was exposed
  • Appoint a data protection officer (DPO) as the channel with the ANPD and the data subjects
  • Review and fix the root cause to prevent recurrence

There is also the interface with PCI-DSS when card data is involved. The Payment Card Industry Data Security Standard, maintained by the PCI Security Standards Council, defines technical and procedural requirements for any organization that processes, stores, or transmits card data. In an incident affecting card data, the contractual obligations with the card brand and the acquirer are added to the LGPD duties, which may include forensic investigation by a qualified firm, fines, and a review of accreditation. Decripte structures the operation to reduce the PCI scope (for example, by keeping card data outside the store's environment via fields hosted by the gateway) and to respond methodically when the worst happens.

Gestão de Ameaças · Grátis

What would an incident in e-commerce cost? See your real risk before it happens.

Sem cartão, sem compromisso. Descubra em minutos o que já vazou da sua empresa e qual é o seu risco real.

How Decripte structures e-commerce defense: from the edge to the data

Defense in depth, from the client to the back-end

Decripte does not sell isolated boxes; it structures a layered defense in which each control covers the blind spot of the previous one. At the edge, Edge Security absorbs DDoS, filters malicious requests with a WAF, and manages bots before the traffic reaches the application. At the application and checkout layer, script integrity monitoring and SOC surveillance detect skimming and tampering. At the discovery layer, Pentesting finds the gaps in plugins, APIs, and payment integrations before the attacker does. And, cross-functionally, Compliance ensures that all of this withstands an audit and an incident.

The layers Decripte implements

  • Edge: WAF, anti-DDoS (layers 3/4 and 7), bot management, rate limiting, DNS and TLS protection
  • Checkout: CSP, SRI, integrity monitoring and exfiltration-destination monitoring (anti-skimming)
  • Application and APIs: hardening, admin access control, MFA, credential protection
  • Monitoring: 24x7 SOC correlating edge, application, and checkout events
  • Discovery: Pentesting and vulnerability management on platform, plugins, and integrations
  • Compliance: PCI-DSS scoping and LGPD, with readiness for response and notification

The operational differentiator is correlation. A spike in declined logins (a sign of credential stuffing), a transaction that appears on a new exfiltration domain (a sign of skimming), and a sudden increase in heavy search requests (possible layer 7 DDoS) are, in isolation, noise. Seen together by the SOC, with sector context, they become an investigable and actionable picture. It is this integrated view that makes it possible to act in minutes — and not discover the problem weeks later, through the acquirer.

Start with the free assessment

Before any contract, Decripte offers a free Threat Management assessment at decripte.com.br/intelligence-center, which maps the store's public attack surface — domains, exposure, signs of compromise, and risk — at no cost and with no installation. It is the most objective way to understand where the operation is vulnerable before deciding priorities. To get started, decripte.io/start; to speak with a specialist, decripte.io/contato.

Pentesting and vulnerability management: finding the gap before the criminal

Most e-commerce compromises begin in a known and avoidable gap: an outdated plugin with a public vulnerability, a cart API that exposes other customers' data when an identifier is manipulated, an admin panel accessible without MFA, a payment configuration that allows amounts to be manipulated in the front-end. Decripte's Pentesting simulates the real attacker against these points, focusing on what matters for digital retail: the chain of plugins and themes, the payment integrations, the catalog/cart/checkout APIs, and the authentication and account recovery flows.

The test is guided by recognized methodologies — among them the OWASP Top 10 for web application risks and the OWASP API Security Top 10 for the specific risks of APIs, which are today the heart of any modern and headless e-commerce. Vulnerabilities such as object-level access control flaws (accessing another customer's order by swapping an ID), injections, exposure of sensitive data, and insecure configurations are exactly what Pentesting looks for before they are exploited in production.

What Pentesting usually finds in stores

  • Plugins and extensions with unpatched public CVEs (the classic Magecart vector)
  • APIs that return other users' data due to an authorization flaw (BOLA/IDOR)
  • Admin panel without MFA and with reused/weak passwords
  • Price or shipping manipulation in the client-side checkout flow
  • API tokens and keys exposed in the front-end JavaScript
  • Missing or overly permissive CSP configurations, opening space for skimming

Pentesting is not a one-off event: vulnerability management turns the findings into a continuous cycle of identification, prioritization by real risk, and verified remediation. In an environment that changes every week — new plugins, new campaigns, new integrations — testing once a year leaves eleven months of exposure. Decripte structures the cadence appropriate to the pace of the operation, with retesting to confirm that the fix really closed the gap.

Compliance as armor: PCI-DSS and LGPD in retail practice

Compliance, in e-commerce, is not bureaucracy — it is the difference between a manageable incident and an existential crisis. PCI-DSS organizes the protection of card data into concrete requirements: segmentation and scope reduction, protection of data at rest and in transit, access control, monitoring and regular testing, and vulnerability management. Meeting PCI-DSS not only satisfies the acquirer's requirement: it forces the store to adopt the controls that, in practice, prevent skimming and leaks. And keeping card data outside the store's environment (via tokenization and fields hosted by the gateway) drastically reduces the standard's scope and the attack surface.

LGPD complements this, covering all the rest of the customer data. Compliance with LGPD requires a legal basis for processing, adequate technical and administrative security (art. 46), documented governance, the ability to serve data subjects' rights, and, crucially, readiness to detect, contain, and communicate incidents to the ANPD and the data subjects when there is relevant risk. Decripte connects the two worlds: the technical controls it implements at the edge, in the checkout, and in the application are exactly the evidence that supports compliance — and the incident response plan is what makes it possible to meet the legal deadlines under pressure.

PCI-DSS and LGPD: what each one covers

  • PCI-DSS: card data (PAN, expiration, CVV), processing, storage, and transmission; a requirement of the card brands/acquirers
  • LGPD: all customers' personal data (name, CPF, address, history); Brazilian law, enforced by the ANPD
  • Intersection: card data are also personal data — an incident can trigger both regimes at the same time
  • PCI scope reduction: tokenization and hosted fields take the card out of the store's environment
  • LGPD accountability: documenting security measures is a legal duty, not optional
  • Response: both require the ability to detect, contain, and report — which presupposes a SOC and an IR plan

Important: Decripte structures the security and the compliance readiness. Formal PCI-DSS certification is issued according to the process of the PCI Security Standards Council itself and its qualified assessors; what Decripte delivers is the security engineering that makes the operation approvable and resilient, plus technical support throughout the process. The same applies to LGPD: Decripte covers the information security dimension the law requires, in coordination with the company's legal and governance structure.

Anatomy of a Black Friday skimming (real de-identified example)

Real, de-identified example

The scenario below is real and de-identified — it does not identify the client, but rather the typical anatomy of a web skimming incident in digital retail, built from public patterns of Magecart attacks and from the way Decripte operates. Imagine a mid-sized store, with a popular platform and dozens of plugins, that processes thousands of orders per day and multiplies that volume in Black Friday week. Weeks before the date, a reviews plugin installed in the store is compromised at the vendor's origin: a tampered JavaScript starts being served to all stores that use that component. The code injects, into the checkout page, a skimmer that copies the card number, expiration date, and CVV typed by the customer and sends them to an external domain controlled by the attacker, disguised as an analytics server. The store does not notice: the purchases complete normally, the server records no exfiltration, and the sales dashboards only show growth.

  1. Dormancy (weeks before)

    The skimmer runs silently in the customers' browsers. With each purchase, a card is cloned and sent to the attacker's domain. Without checkout integrity monitoring, nothing is triggered. The risk grows invisibly, accumulating victims with each peak hour.

  2. Detection (Black Friday, early hours)

    Decripte's 24x7 SOC, monitoring the integrity of the payment page scripts, identifies a new and unauthorized network destination receiving data from the card form — a domain outside the expected Content Security Policy. The alert is classified as critical and the Incident Response team is activated immediately.

  3. Containment (SLA up to 1h)

    Within the containment SLA of up to 1 hour, Decripte blocks the exfiltration domain at the edge (WAF), neutralizes the malicious script via CSP adjustment and removal of the compromised component, and isolates the affected plugin. The card-theft flow is interrupted without taking down the checkout at the campaign's peak — the sales operation continues, now secure.

  4. Eradication

    The forensic team identifies the root cause: the reviews plugin compromised in the supply chain. It removes the malicious version, validates that no other script was tampered with, reviews all third-party front-end components, and reinforces the CSP and SRI to prevent reinjection. The administrative credentials are rotated as a precaution.

  5. Recovery

    The checkout is restored with the component replaced by a trusted and monitored alternative. Decripte deploys continuous checkout integrity monitoring and edge rules specific to the peak window. The operation returns to normal with reinforced observability and dedicated on-call coverage during the rest of the campaign.

  6. Scoping and notification

    With the evidence preserved, the team gauges the exposure window and the set of potentially affected transactions. Decripte supports the store in assessing the duties to notify the ANPD and the data subjects under LGPD and in the interface with the acquirer regarding PCI-DSS, providing the technical-forensic report that supports the regulatory response.

  7. Lessons and hardening

    The incident becomes a permanent program: inventory and governance of third-party scripts, checkout integrity monitoring as a standard control, a Pentesting cadence over the plugin chain, and specific preparation for peak dates. The store comes out of the incident with a security posture structurally superior to the previous one.

Outcome with Decripte

In this real de-identified example, the difference between catastrophe and controlled incident was early detection and containment within 1 hour. Instead of weeks of cloned cards discovered belatedly by the acquirer, the exfiltration was interrupted in the early hours of Black Friday, with the sales operation preserved at the moment of greatest revenue. Decripte did not merely contain the attack: it structured the defense so that skimming, fraud, and downtime would cease to be blind spots. It is exactly this cycle — detect, contain, eradicate, and harden — that Decripte delivers to digital retail.

Resposta a Incidentes · 24/7

Don’t wait for the incident. Start hardening e-commerce today.

Comece pelo diagnóstico gratuito agora e veja em minutos o que já vazou. SOC 24x7 e contenção em até 1h nos planos pagos.

How Decripte responds to an e-commerce incident

Decripte's incident response follows a strong and repeatable method, with a containment SLA of up to 1 hour. In digital retail, where every minute offline or every hour of exfiltration is a direct loss, the speed and rigor of the response determine the size of the damage. The flow below describes how Decripte operates when the worst happens.

  1. Detection and triage: the 24x7 SOC identifies the anomaly — a new exfiltration destination at checkout, a spike in fraudulent transactions, a surge of declined logins, or availability degradation — and classifies the severity in minutes, activating the Incident Response team.
  2. Immediate containment (SLA up to 1h): isolation of the vector without taking down the operation — blocking the exfiltration domain and the malicious script at the edge, suspending the compromised component, mitigating the DDoS or rate-limiting the abuse, as the case may be.
  3. Evidence preservation: forensic collection and custody of logs, script versions, checkout captures, and network artifacts, ensuring the chain of evidence needed to gauge the incident and support the regulatory response.
  4. Root-cause eradication: identification of the origin (compromised plugin, vulnerable API, hijacked credential), complete removal of the malicious artifact, credential rotation, and remediation of the vulnerability that allowed the entry.
  5. Secure recovery: restoration of the checkout and the operation with the component replaced and validated, reinforcement of CSP/SRI and edge rules, and continuous integrity monitoring to confirm that the environment is clean.
  6. Scoping and regulatory support: technical assessment of the scope of exposed data and support to the store in the duties to notify the ANPD and the data subjects (LGPD) and in the interface with the acquirer and card brand (PCI-DSS), with a technical-forensic report.
  7. Lessons learned and hardening: turning the incident into permanent improvements — third-party script governance, Pentesting cadence, standard checkout monitoring, and preparation for peak dates — to prevent recurrence.
  8. Continuous follow-up: integration of the learning into the 24x7 SOC and vulnerability management, with periodic posture reviews and reinforced on-call coverage during the critical windows of the commercial calendar.

How Decripte structures e-commerce security

More than responding to incidents, Decripte structures the operation so that they are rare, detectable, and manageable. The defense of digital retail is built on pillars that cover the edge, the checkout, the application, monitoring, and compliance — in depth, so that the failure of one control is caught by another.

Edge Security and bot management

A WAF to filter malicious requests, anti-DDoS to absorb volumetric peaks and layer 7 attacks without taking down the store, and bot management to block credential stuffing, card testing, scraping, and inventory hoarding. It is the first line, reducing the noise and the attack volume before it reaches the application — calibrated so as not to harm real customer conversion.

Checkout protection and anti-skimming

A restrictive Content Security Policy, Subresource Integrity, and continuous integrity monitoring of the payment page, which detects new scripts and unauthorized exfiltration destinations. Combined with PCI scope reduction via fields hosted by the gateway, it is the core defense against Magecart — the attack the firewall alone does not see.

24x7 SOC and correlated detection

Uninterrupted monitoring that correlates edge, application, and checkout events into an investigable picture. An isolated signal is noise; seen together, they become an actionable alert. It is what turns the detection window from weeks into minutes and enables containment within the SLA.

Pentesting and vulnerability management

Recurring offensive testing guided by OWASP Top 10 and OWASP API Security Top 10, focused on the plugin chain, the payment integrations, and the catalog, cart, and checkout APIs. The findings enter a continuous cycle of prioritization, remediation, and retesting, keeping pace with the store's rate of change.

PCI-DSS and LGPD compliance

Security engineering that makes the operation approvable in PCI-DSS and adherent to LGPD: card data scope reduction, documented accountability, adequate technical measures (art. 46), and response readiness to meet the notification duties to the ANPD and the card brands when an incident occurs.

Incident Response readiness

An IR plan with a containment SLA of up to 1 hour, retail-specific runbooks, forensic preservation, and reinforced on-call coverage on peak dates. The defense is only complete when the operation knows exactly what to do, and in how much time, the minute the attack is detected.

Recommended plans for E-commerce

Frequently asked questions

I have a WAF in my store. Does that protect me from web skimming (Magecart)?

Not entirely. The WAF inspects the traffic that reaches your server, but Magecart skimming runs in the customer's browser and sends the card data straight to an attacker's domain, without passing through your server. The core defense against skimming is checkout integrity monitoring (CSP, SRI, and detection of new scripts and destinations on the payment page), combined with SOC surveillance. The WAF is necessary, but not sufficient — that is why Decripte works both layers together.

Why does skimming go undetected for so long?

Because it does not trigger the traditional alerts: it does not break into the database, does not generate a table dump, and the purchases complete normally. The code merely copies what the customer types and sends it out. Without checkout integrity monitoring, the store only finds out when the acquirer flags mass fraud associated with it — which can take weeks. It is exactly this window that Decripte closes with continuous detection.

How does Decripte protect my store on peak dates like Black Friday?

We treat peak dates as an operational regime of their own: prior preparation (hardening, testing, capacity planning), edge rules calibrated to absorb legitimate traffic without blocking customers, mitigation of layer 3/4 and 7 DDoS, and dedicated SOC on-call coverage to adjust the defense in real time. The goal is for the store to absorb the real sales peak and, at the same time, repel the layer 7 DDoS that disguises itself as a customer.

Am I required to follow PCI-DSS? And LGPD?

If you process, store, or transmit card data, you are subject to PCI-DSS, which is a requirement of the card brands and acquirers. And since every store handles customers' personal data (name, CPF, address, history), you are subject to LGPD, enforced by the ANPD. Both can be triggered at the same time in an incident. Decripte structures the security that makes the operation approvable in PCI-DSS and adherent to LGPD, in coordination with your legal team.

What actually happens, in practice, if my store suffers a data breach?

Under LGPD, if the incident could generate relevant risk or harm to the data subjects, you must notify the ANPD and the affected customers within the regulatory timeframe, demonstrate the security measures adopted, and mitigate the harm. If there is card data, obligations with the acquirer and the card brand under PCI-DSS are added. Decripte contains the incident within 1 hour, preserves the evidence, gauges the real scope of the breach, and provides the technical-forensic report that supports your regulatory response.

Do bots really harm my store if they don't take the site down?

Yes, and silently. Credential stuffing bots hijack customer accounts with saved cards; card testing bots use your store to validate stolen cards, generating fees and noise; scraping bots deliver your catalog and prices to competitors; and inventory hoarding bots exhaust the stock of sought-after products. Bot management at the edge distinguishes malicious automation from a legitimate human and blocks the abuse without affecting real conversion.

How long does Decripte take to contain an incident?

Incident Response operates with a containment SLA of up to 1 hour from activation. In e-commerce, where every hour of card exfiltration or downtime is a direct loss, this speed is what separates a controlled incident from a crisis. Containment isolates the vector without necessarily taking down the operation — in the de-identified case, the card theft was interrupted without taking the checkout offline at the peak of Black Friday.

How do I start, with no commitment?

Start with the free Threat Management assessment at decripte.com.br/intelligence-center: it maps your store's public attack surface — exposure, domains, and signs of compromise — at no cost and with no installation. From the result, you decide priorities. To get started, go to decripte.io/start; to speak with a specialist, decripte.io/contato.

Sector terms

Web skimming / Magecart
An attack in which a malicious JavaScript is injected into the checkout page and copies the card data typed by the customer, sending it to an attacker's server. It runs in the customer's browser, without touching the store's database, which makes it hard to detect without checkout integrity monitoring. Magecart is the common name for the groups that carry out this type of attack.
Credential stuffing
Automated abuse in which bots test, en masse, combinations of email and password leaked on other sites to hijack customer accounts at the store — with their saved cards and loyalty points. It is countered with bot management, MFA, and monitoring of login surges.
Chargeback
A dispute of a charge by the cardholder. In e-commerce, it is the financial consequence of payment fraud: the store loses the merchandise and the amount, pays fees, and, with high dispute rates, may suffer penalties or termination by the acquirer.
PCI-DSS
Payment Card Industry Data Security Standard, a set of security requirements maintained by the PCI Security Standards Council for organizations that process, store, or transmit card data. It covers segmentation, data protection, access control, monitoring, and testing.
LGPD
General Data Protection Law (Law 13.709/2018), which governs the processing of personal data in Brazil. It requires a legal basis, adequate technical and administrative security, governance, and communication of relevant incidents to the ANPD (National Data Protection Authority) and to the affected data subjects.
Layer 7 DDoS
A denial-of-service attack that targets the application layer, simulating legitimate requests (searches, logins, cart additions) to exhaust back-end resources with relatively low volume. It is harder to distinguish from a real traffic peak than volumetric DDoS, requiring active SOC monitoring.

Decripte protects and responds to incidents in e-commerce.

Pentest, 24x7 SOC, incident response with a 1-hour containment SLA and compliance — without building an internal team. Or start free by seeing what has already leaked from your company.