Whether you sell products to everyday shoppers or other businesses, buyers expect you to understand their needs, deliver personalized experiences, and protect the data they share that enables you to provide what they want.

Securing commerce applications is essential and enterprises have to do this while also allowing the ability to scale unexpectedly during high traffic sales periods, streamlining experiences across regions, and implementing local processes for taxes, shipping, payments, and other logistical challenges.

Letting performance and customer experience slip in favor of security measures isn’t an option either. Improving website speed by even 100 milliseconds can increase conversions by 8.4% — so, even a slight decline in performance can impact your profits.

Fortunately, ecommerce and IT leaders don’t have to choose between security and performance. Adobe Commerce empowers enterprise teams to create safe websites, encrypt data, and ensure secure deployment. Learn how this commerce powerhouse puts security and performance on autopilot.

Secure your digital storefront with Adobe Commerce.

Cyber threats exist everywhere, so keeping your commerce data safe is easier said than done. With over 35 million records breached by cyberattacks in the US in 2024, enterprises need to take a proactive, holistic approach to data security.

That’s where Adobe Commerce comes in. Our trusted high-performance platform enables you to deploy more secure storefronts with minimal downtime and built-in redundancies. The cloud-based platform uses auto-scaling to use resources only when they’re needed, cutting down on processing times without compromising on the user experience. In fact, it can support unlimited traffic and process more than 200,000 orders per hour — perfect for both planned and unplanned peak sale events.

Adobe Commerce includes a range of useful features, such as:

• PCI certification. Payment Card Industry Data Security Standard (PCI DSS) certification is a must if you process customer payment information. Adobe Commerce is certified as a PCI v4.0 compliant provider, which simplifies and supports PCI certification for merchants that use the solution as they can get a PCI Attestation of Compliance from Adobe.

• Automated scanning. With the scanning service in Adobe Commerce store owners can identify potential security issues within their sites. It automatically scans for common threats such as outdated software versions, missing patches, and potential configuration issues. It also provides detailed reports and recommendations to improve site security, helping merchants protect sensitive customer data and prevent cyberattacks.

• Developer community. The active Adobe global developer community is an expertise-filled resource of information and support that can help you keep your security defenses up to date against current and emerging threats.

• Excellent consumer experience. Create exceptionally fast shopping experiences through highly performant microservices for catalog, search, category merchandising, and product recommendations with API response times under 200 milliseconds. With Adobe Commerce, you can also support hundreds of cart items for B2B customers.

3 powerful security capabilities Adobe Commerce provides.

Adobe Commerce is filled with features that allow businesses to better control security over consumer data and finances. Let’s take a closer look at three powerful security capabilities that help keep your data out of harm’s way.

1. Build safe websites.

Both the customer-facing front end and the back end of your site need to be secure. When shoppers know your website is safe, they’re more likely to trust you with their credit card information, address, and other sensitive data.

While security ultimately comes down to development practices, Adobe Commerce supports safe consumer websites in several ways, including:

• SSL certificates. Your site needs an SSL certificate, which secures the website with HTTPS. Since many browsers, including Google, will block access to your site without an SSL, this certificate is a must-have. Secure all pages on your site with HTTPS through Adobe, which provides a domain-validated Let’s Encrypt SSL/TLS certificate.

• Fastly CDN and DDoS protection. Adobe Commerce uses the Fastly content delivery network (CDN), which provides CDN and distributed denial-of-service (DDoS) protection from Layer 3 to Layer 7. The CDN makes it harder to access the origin server directly, while the DDoS feature can help stop disruptive Layer 3 and Layer 4 attacks. You can even create custom rules to block advanced Layer 7 attacks based on criteria such as headers, cookies, request path, and client IP, or indicators like geolocation.

• Web application firewall (WAF). Adobe WAFs use AI-powered threat detection to protect against various vulnerabilities while minimizing false positives. Adobe Commerce includes the Fastly WAF for additional protection, which helps you balance security with optimal performance. Adobe Commerce deploys WAF rules to protect against critical vulnerabilities to provide protection while patch is applied, ensuring you’re always on the cutting edge of protection. Consistently protect your site from known injection attacks, cross-site scripting, data exfiltration, HTTP violations, and other threats.

• Virtual private cloud. The Adobe Commerce Cloud Pro production environment is configured as a virtual private cloud (VPC). This setup isolates all three production servers and only allows limited secure connections. Virtual firewalls limit connections to the cloud, helping to keep you even more secure against cloud-based attacks.

2. Test and encrypt to safeguard customer data.

Testing and encryption are crucial for data protection and commerce security. By regularly testing applications for vulnerabilities and implementing strong encryption methods, businesses can safeguard customer information and ensure secure transactions.

Adobe Commerce comes with lots of built-in security features to help protect your infrastructure against attacks, such as:

• Penetration testing. Adobe conducts annual security testing of the core Adobe Commerce cloud application to spot areas in need of patching. We also make our final testing reports available to customers via the Adobe Trust Center. However, keep in mind that you’ll still need to test custom applications or extensions outside of Adobe.

• Payment gateway. Adobe Commerce only allows payment gateway integrations that directly pass credit card data from the browser to the gateway limiting potential attack surface and exposure risk for this very sensitive information. Commerce also doesn’t store customer card data, which helps reduce the chances of sensitive information being released in a data breach.

• Application security. Adobe Commerce regularly tests its core application for vulnerabilities and participates in the HackerOne Bug Bounty program to proactively identify and resolve vulnerabilities. Our teams follow OWASP and other industry guidelines and uses various tools and processes to continuously improve product security. Security patches are issued regularly, with customers required to apply them within 30 days to remain PCI compliant. Additionally, the application offers a free security scan tool that helps merchants monitor their sites and receive updates about security issues, best practices, and threats.

• Simplified encryption. Adobe Commerce uses Amazon Elastic Block Store (EBS) for storage, and all EBS volumes are encrypted using the AES-265 algorithm. This setup encrypts data both while at rest and in transit between the CDN and the origin, or between the origin servers. The platform also stores customer passwords as hashes and encrypts sensitive credentials using the SHA-256 algorithm.

3. Deploy secure experiences.

Back-end development is crucial for providing your shoppers with secure, best-in-class digital experiences. Adobe Commerce has a unique setup that ensures secure deployment, allowing developers to focus more on creative solutions and less on security checklists.

Adobe Commerce streamlines development through capabilities like:

• Read-only file system. Adobe Commerce deploys executable code as a read-only Squash FS image to help prevent attacks to the environment. Since the filesystem is read-only, there are fewer opportunities for PHP or JavaScript code to be injected.

• Remote deployment. The only way to get executable code into the Adobe Commerce production environment is to run it through a provisioning process. This involves pushing source code from your source repository into a remote repository that initiates a deployment process. The platform limits access to that deployment target, so you have complete control.

• Logging. Adobe Commerce enables a better process of recording and storing information so security teams can monitor for suspicious behavior, investigate security incidents, and identify potential threats, helping you understand and align your organization around the KPIs that matter for success.

• Backups. Manual backups are still important, but Adobe Commerce reduces hassle with automated backups. The production servers back up all cloud activities from Linux, application server, and database logs. A Git repository tracks all source code changes, you can view the deployment history on your Adobe Commerce Cloud dashboard, and all support access is logged.

Stronger security, stronger sales.

Security is non-negotiable, but so is a streamlined shopping experience. Whether you sell to B2C or B2B shoppers, the right tools make commerce security a breeze. From creating safe websites with advanced SSL encryption and DDoS protection to rigorous testing, encryption, and secure deployment practices, Adobe Commerce addresses the critical challenges enterprises face in balancing security with performance.

With features like PCI DSS certification, automated security scanning, and seamless integration of tools for secure development, Adobe Commerce makes your business more resilient against cyber threats and lets you give your customers the data-safe experiences they expect.

Learn about the Adobe Commerce shared responsibility security and operational model.