POV

How trust became Shopify’s biggest defense against security threats

April 7, 2025

by Shopify

With billions of dollars and millions of merchants at stake, the security team at Shopify is rewriting the playbook for safety online.

Commerce can’t happen without trust. Whether you’re running a Shopify store or just checking out from one, there’s trust in every action. You trust your data is safe. You trust your transactions are secure. 

"Trust is the currency that we operate with," says Andrew Dunbar, chief information security officer at Shopify. 

In a bustling digital hub where millions of merchants and billions in transactions flow, Andrew and his world-class security team are watchful guardians. They make possible the smooth and secure movement of commerce, anticipating threats before they materialize. Their work keeps Shopify running as a safe, trusted engine powering global trade.

Fostering more trust on the internet

For the security team at Shopify, the mission extends beyond protecting data—they want to fundamentally change how trust in online commerce works. They make it possible for the digital mom-and-pops to be just as secure as the massive online retailers.

"One of the things Shopify has succeeded in doing is democratizing trust to many brands and many platforms at the same time," Andrew explains. "When trust is lowered, people will default to buying from marketplaces, for example, as opposed to directly supporting an independent brand—which is what we want."

This truth drives Shopify's entire security approach and empowers millions of independent businesses to thrive in a digital economy where trust is increasingly scarce. 

"We need to ensure that all of the millions of merchants on Shopify are trustworthy and have a trustworthy experience," says Andrew. "When people see the Shop Pay logo, they trust this is an independent brand they can buy from."

Building smarter, not just harder

The philosophy here isn't just about building higher walls—it's about building smarter ones. That means doing things differently. Case in point: While many companies fumble with basic password protection, Shopify’s security team has a vast digital library of billions of known breached username and password combinations. They use this database to prevent logins with those credentials. When one of these breached credentials is used, Shopify's systems spring into action, redirecting the user through a gauntlet of authentication measures that would make a Swiss bank blush. 
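The breached-credential check described above can be sketched as follows. This is an added example, not Shopify's code: the pepper, the sample accounts, and the `login_decision` name are constructed assumptions, and a production corpus would hold billions of fingerprints in a dedicated store rather than a Python set.

```python
import hashlib
import hmac
import os

# Hypothetical server-side key so the breach corpus never stores plaintext pairs.
PEPPER = b"constructed-demo-pepper"

def pair_fingerprint(username: str, password: str) -> str:
    """Keyed hash of the normalized username plus the exact password."""
    msg = username.strip().lower().encode() + b"\x00" + password.encode()
    return hmac.new(PEPPER, msg, hashlib.sha256).hexdigest()

def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash used for the account's own stored password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

# Constructed sample data: one leaked pair and two accounts.
BREACHED_PAIRS = {pair_fingerprint("ana@example.com", "Summer2019!")}
USERS = {
    "ana@example.com": make_user("Summer2019!"),
    "cy@example.com": make_user("long unique passphrase 42"),
}

def login_decision(username: str, password: str) -> str:
    """Return 'deny', 'step_up' or 'allow' for a login attempt."""
    record = USERS.get(username.strip().lower())
    if record is None:
        return "deny"
    salt, stored = record
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return "deny"
    # The password is correct, but the pair is known to attackers:
    # route the user through extra authentication instead of logging in.
    if pair_fingerprint(username, password) in BREACHED_PAIRS:
        return "step_up"
    return "allow"
```

The point of the third outcome is that a correct password is not treated as sufficient proof of identity once the pair is known to be circulating.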

Another way Shopify builds smarter and harder? Its bug bounty program. In an era where data breaches make headlines with alarming regularity, Shopify is building relationships with researchers to expose vulnerabilities and strengthen our defenses. Our program—one of the largest in the world—has created a crowdsourced security team that spans the globe, surpassing payouts of $6 million total.

“A lot of companies use us as a role model when they're talking to their senior leadership about introducing bug bounties. That's been a big success for us,” says Andrew.

Redefining security in commerce

Rather than simply playing defense, the security team is reimagining how commerce security works at a fundamental level.

"Shopify has dramatically changed the landscape of security in commerce," Andrew says. "Through the existence of Shop as an account and through Shop Pay, we have millions of stores where people can shop online without typing in their credit card number—and the store a shopper is buying from never gets access to any of that card data."

A lot of attacks happen because hackers run malicious code on an online store and intercept credit card numbers. Because of the way tokenization works within Shop Pay, that's never an issue.

He says, "The more we protect data, the safer the internet will be."

Guarding against invisible threats 

The threat landscape continues to evolve, with attackers finding new ways to compromise systems. When asked what keeps him up at night, Andrew doesn't hesitate.

"Over the past year there's been a significant growth in session hijacking across all web services," he reveals. 

When you log into a website, a cookie is placed on your browser to identify you. This allows every page you visit to recognize who you are. So instead of using stolen usernames and passwords—which is harder now with multi-factor authentication—hackers try to steal those cookies. 

"If a person can get into a merchant's computer with malware and steal the cookie, they have basically stolen their identity within that account."

Shopify has invested a lot over the past year in "risk-scoring" activity and getting people to reidentify themselves when it suspects a session has been hijacked.
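One way to risk-score a session so that a replayed cookie triggers re-identification, as an added example that is not Shopify's implementation: the signals, weights, threshold, and names below are assumptions chosen for illustration, and the sample contexts are constructed.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Context:
    """What the server observed when a request arrived."""
    ip: str
    user_agent: str
    country: str

# Hypothetical weights: how much each mismatch against the login context adds.
WEIGHTS = {"network": 30, "user_agent": 40, "country": 40}
SENSITIVE_BONUS = 20    # added when a drifted session attempts a sensitive action
REAUTH_THRESHOLD = 50   # at or above this, the cookie alone is no longer enough

def same_network(ip_a: str, ip_b: str, prefix: int = 24) -> bool:
    """True when both addresses fall in the same /prefix network."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net

def risk_score(login: Context, request: Context, sensitive: bool = False) -> int:
    """Score how far a request has drifted from the context bound at login."""
    score = 0
    if not same_network(login.ip, request.ip):
        score += WEIGHTS["network"]
    if login.user_agent != request.user_agent:
        score += WEIGHTS["user_agent"]
    if login.country != request.country:
        score += WEIGHTS["country"]
    if sensitive and score > 0:
        score += SENSITIVE_BONUS
    return score

def decide(login: Context, request: Context, sensitive: bool = False) -> str:
    """Return 'continue' or 'reauthenticate' for a request carrying a session cookie."""
    if risk_score(login, request, sensitive) >= REAUTH_THRESHOLD:
        return "reauthenticate"
    return "continue"

# Constructed sample contexts (documentation IP ranges).
LOGIN = Context("203.0.113.10", "Firefox/137 macOS", "CA")
SAME_DEVICE = Context("203.0.113.77", "Firefox/137 macOS", "CA")
ROAMING = Context("198.51.100.5", "Firefox/137 macOS", "CA")
REPLAYED = Context("192.0.2.44", "Chrome/135 Windows", "NL")
```

A network change alone stays under the threshold so that roaming users are not interrupted, but the same drift combined with a sensitive action forces re-identification.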

As threats grow more sophisticated, Shopify is integrating artificial intelligence across the board to test better, ship faster, and stay ahead.

"The value of AI is the productivity gains that you get from it," Andrew says. "AI allows us to parse data at scale, get actionable insights without friction, and generate new code. We're using AI to better protect merchants and buyers."

A new frontier for security 

What does all this mean for merchants? Simple: Shopify's security just works, freeing them to dedicate their energy to what they do best—building a successful business.

"Merchants should really be thinking about security as one of the reasons why they want to use Shopify," Andrew says. "It makes what used to be a daily concern something they never have to think about."

For those who may not know where to start with security, Andrew offers straightforward advice: "The most important thing for everybody—no matter their size—is account security. Whenever you're signing up for an account, make sure you have multifactor authentication. That will stop a significant amount of threats."

He adds a practical tip: "Sticking to trusted vendors and keeping your own data retention minimal means that it will be harder for attackers to get sensitive data about you or your customers."

Shopify's unique philosophy has established our team as the gold standard in security. In the high-stakes game of global commerce, where one security slip can destroy trust overnight, Shopify isn't just playing the game well—it's rewriting the rules entirely.
