List of ecommerce platforms that are not secure by default

This is one of several posts of the topic of security of websites. Inspired by my initial post on the security of UK banks.

The reason for splitting this data into multiple posts is to make it more manageable. So that data on one institution is not mixed with data on another type of institution.

The following key is used for the secure status:

Yes	The site is secure, loaded via https
Dual	The site can be loaded via http, or via https.
Invalid	The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial	The site loads via https, but loads some parts of the page without https. The site is insecure.
No	The site is loaded via http, not via https.
Fixed	The site is loaded via https, but at the time of first writing it was loaded via http.
??	We could not find a website to evaluate.

We tested 63 ecommerce companies. We found 9 ecommerce companies that did not have a secure home page (not https or did have https with
an invalid security certificate). That is 14% of ecommerce companies have security vulnerabilities.

Some of the websites shown below no longer have active links. For those websites we have listed the URL but removed the non-working link.

Ecommerce company	Secure	Home Page
2C2P	Yes	https://www.2c2p.com/
Adyen	Yes	https://www.adyen.com/
Alipay	Yes	https://intl.alipay.com/
Amazon Pay	Yes	https://pay.amazon.com/uk
Apple Pay	Yes	https://www.apple.com/uk/apple-pay/
Atos	Yes	https://atos.net/en-gb/united-kingdom
Authorize.Net	Yes	https://www.authorize.net/
Bambora	Yes	https://www.bambora.com/sv/overview/#market-select
BitPay	Yes	https://bitpay.com/
BPAY	Yes	https://www.bpay.co.uk/
Braintree	Yes	https://www.braintreepayments.com/en-gb
CM Telecom	Yes	https://www.cm.com/
Creditcall	Yes	https://www.creditcall.com/
CyberSource	Yes	https://www.cybersource.com/en-EMEA/
DigiCash	Yes	https://www.digi.cash/
Digital River	Yes	https://www.digitalriver.com/
Dwolla	Yes	https://www.dwolla.com/
Elavon	Yes	https://www.elavon.co.uk/index.html
Euronet Worldwide	No	http://www.euronetworldwide.com/
eWAY	Yes	https://eway.io/uk
First Data	Yes	https://www.firstdata.com/en_gb/home.html
Flooz	Yes	https://www.flooz.me/
Fortumo Online	Yes	https://fortumo.com/
GoCardless	Yes	https://gocardless.com/
Heartland Payment Systems	Yes	https://www.heartlandpaymentsystems.com/about-us
Ingenico	Yes	https://www.ingenico.com/
Klarna	Yes	https://www.klarna.com/uk/
ModusLink	Yes	https://www.moduslink.com/
MPay	No	http://www.mpay.al/en
Neteller	Yes	https://www.neteller.com/en/
Nochex	Yes	https://www.nochex.com/gb/
OFX	Yes	https://www.ofx.com/en-gb/
PagSeguro	Yes	https://pagseguro.uol.com.br/
PayPal	Yes	https://www.paypal.com/uk/home
Payoneer	Yes	https://www.payoneer.com/main/
Paymentwall	Yes	https://www.paymentwall.com/en/
PayPoint	Yes	https://www.paypoint.com/en-gb/consumers/store-locator
Paysbuy	Yes	https://www.paysbuy.com/
Paysafe Group	Yes	https://www.paysafe.com/en/
PayStand	No	http://www.paystand.com/
Payzone	Yes	https://www.payzone.co.uk/
Qiwi	Yes	https://qiwi.com/
Realex Payments	Yes	https://www.realexpayments.com/uk/
Red Dot Payment	No	http://reddotpayment.com/
Sage Group	Yes	https://www.sage.com/en-gb/
Skrill	Yes	https://www.skrill.com/en/
Stripe	Yes	https://stripe.com/gb
Square	Yes	https://squareup.com/gb
SWREG	Dual	http://faq.swreg.org/
Tencent	Yes	https://www.tencent.com/en-us/
TIMWE	No	http://www.timwe.com/
TransferWise	Yes	https://transferwise.com/
True Money	No	http://www.truemoney.com/
Trustly Online	Yes	https://trustly.com/en/
Verifone	No	http://www.verifone.co.uk/
WebMoney	Yes	https://www.wmtransfer.com/
WeChat Pay	Yes	https://pay.weixin.qq.com/index.php/public/wechatpay
WePay	Yes	https://go.wepay.com/
Wirecard	Yes	https://www.wirecard.com/
Worldpay	No	http://www.worldpay.com
Xendpay	Yes	https://xendpay.com/
Xsolla	Yes	https://www.xsolla.com/
Yandex.Money	Yes	https://money.yandex.ru/

Commentary

I was surprised to see that WorldWay is not secure by default.

I was also surprised to see that SWREG, the oldest of all the ecommerce companies in the world, is also not secure by default. Longevity has no bearings on the operating standards of a business. Interestingly the company that now owns SWREG, Digital River is secure by default.

Disclaimer

I shouldn’t need to point this out, but i will, all the same, just to be clear.

The data provided on this page should taken at face value. If you’re not sure about something, please verify it yourself. Nothing reported here should be regarded as a criticism or an endorsement or recommendation of an organisations security effectiveness. I am simply passing comment on whether the home page (whatever that may be) is provided as https on not. Other security concerns are a separate matter.

If your organisation is listed here and is not marked as secure, your best course of action is to fix that, not to complain that someone is reporting a fact anyone with a web browser can discover. The security status of your home page is public information, albeit information that many people don’t understand.

Guest posts

No, we’re not interested in having a guest post about finance related topics. These articles are about security, not finance.