Salesforce B2C Commerce Cloud is designed with security built into every layer of the platform. It covers PCI DSS v4.0 compliance, end-to-end encryption, role-based access controls, and a Web Application Firewall delivered through its enterprise Content Delivery Network (eCDN). But there is a critical nuance that every retailer using the platform needs to understand from day one: Salesforce’s compliance does not automatically extend to your customizations, third-party integrations, or the code your team writes. This guide explains exactly what B2C Commerce Cloud protects, what you remain responsible for, and how the security landscape has shifted since 2024. 

Why Ecommerce Security Has Become More Urgent in 2026 

The threat environment facing online retailers is worse now than it was two years ago, by almost every measure. 

  • 80% of retailers experienced a cyberattack in the past year, according to VikingCloud’s Retail Cyber Threat Survey. 
  • The FBI’s Internet Crime Complaint Center reported $16 billion in cybercrime losses in 2024, a 33% jump from 2023. 
  • Retail security incidents grew from 725 to 837 between 2023 and 2024 (RH-ISAC), with confirmed breaches rising from 369 to 419. 
  • Ransomware attacks grew 37% in 2025, with ecommerce a primary target during high-volume periods like holidays and peak sales events. 
  • Nearly half of all retail breaches (46%) involve customer personally identifiable information: names, email addresses, payment details, and purchase histories. 
  • Third-party vendor vulnerabilities accounted for 30% of ecommerce data breaches last year, double the rate from the year before. 

The Merchant Risk Council’s 2026 report puts annual revenue loss to fraud globally at 3.2%, with a 62% rise in first-party misuse and a 57% increase in refund policy abuse. These aren’t abstract numbers. They represent real customer trust and real revenue. This context matters for understanding why the security architecture of any ecommerce platform deserves serious scrutiny. 

What Salesforce B2C Commerce Cloud Actually Protects 

B2C Commerce Cloud takes a layered approach to security. Here is what the platform provides out of the box. 

PCI DSS v4.0 Compliance 

Salesforce B2C Commerce Cloud is built to comply with the Payment Card Industry Data Security Standard (PCI DSS), now at version 4.0. This is the global standard for storing, processing, and transmitting cardholder data securely. The upgrade from PCI DSS v3.2.1 to v4.0 introduced stricter requirements around client-side script integrity, multi-factor authentication, and continuous monitoring, all of which B2C Commerce Cloud addresses through its eCDN and platform controls. 

The critical nuance: Salesforce holds its own PCI certification, but that certification does not cover your customizations, the third-party apps you install, or the code your developers write on top of the platform. Your compliance depends on what you do with payment data, how you store it, who has access, and whether you have a data retention policy in place. Salesforce publishes a PCI Responsibility Matrix that spells out which controls are Salesforce’s responsibility and which are yours. 

eCDN with Cloudflare Page Shield for PCI 4.0 

One of the most significant security additions to B2C Commerce Cloud in recent releases is the eCDN PCI 4.0 compliance tooling, which uses Cloudflare Page Shield to help merchants meet PCI DSS Requirements 6.4.3 and 11.6.1. These requirements specifically address client-side script integrity, which is the primary target of Magecart-style attacks. 

Page Shield monitors all scripts loaded by website visitors, alerts security teams when resource changes are detected or scripts are flagged as malicious, and adds a Content Security Policy (CSP) to collect information about every script running on your storefront and the third-party endpoints they connect to. 

The eCDN also includes a Web Application Firewall (WAF) that helps meet PCI DSS requirements 2.0, 3.0, and 6.6, and supports the latest TLS encryption versions for data in transit. 

SLAS: Shopper Login and API Security 

The Shopper Login and API Security (SLAS) service manages authentication tokens for shoppers and API clients. Salesforce has been progressively enhancing the JSON Web Tokens (JWTs) that SLAS returns, with updates in early 2026 adding stronger signature verification, new claims for CRM alignment, and improved identity validation. If your storefront uses custom JWT parsing logic, these updates require careful review to ensure your integration handles new or reordered claims without errors. 

SFRA Security Headers 

The Storefront Reference Architecture (SFRA) includes security headers that protect against two of the most common web vulnerabilities: cross-site scripting (XSS) and clickjacking. These headers control how browsers interact with your storefront and prevent malicious scripts from running in the context of a shopper’s session. 

Role-Based Access Control (RBAC) 

B2C Commerce Cloud provides granular access controls so you can define exactly what each user or team can see and do inside Business Manager and connected systems. Salesforce actively discourages shared accounts because they make it nearly impossible to trace user activity back to an individual. Individual accounts with defined roles reduce insider threat risk and create a clear audit trail. 

Data Encryption 

All sensitive data is encrypted both at rest and in transit using industry-standard encryption methods. Even if an unauthorized party were to access the underlying data, it would be unreadable without the correct decryption keys. 

Outbound Connection Allowlists and Encrypted Credentials 

Introduced in the B2C Commerce 25.9 release, outbound connection allowlists let merchants control exactly which external services their storefront can connect to. Combined with encrypted credential storage for those connections, this closes a common attack vector where compromised third-party integrations are used to exfiltrate data. 

Zone Configuration Security (V2 Zones) 

The B2C Commerce 26.2 release added migration tools for moving from V1 to V2 zone configurations, which offer enhanced security controls and are now the recommended architecture for production storefronts. 

The Threats Retailers Face in 2026 (and How B2C Commerce Cloud Addresses Them) 

Magecart and Digital Card Skimming 

Magecart attacks inject malicious JavaScript into checkout pages to copy payment card details as shoppers type them. Mastercard’s analysis of Recorded Future data found 10,500 Magecart-style compromises active in 2025, affecting over 23 million transactions. PCI DSS v4.0 Requirements 6.4.3 and 11.6.1 were written specifically to address this. B2C Commerce Cloud’s eCDN with Cloudflare Page Shield helps merchants meet both requirements by inventorying, authorizing, and continuously monitoring payment-page scripts. 

Account Takeover (ATO) 

Account takeover attacks target shopper accounts using stolen credentials from third-party data breaches. B2C Commerce Cloud’s SLAS service, combined with enforced individual account policies and RBAC, reduces the risk of both customer-facing and internal account takeover. For additional protection, merchants should implement multi-factor authentication for Business Manager users. 

Third-Party and Supply Chain Vulnerabilities 

Third-party vendor vulnerabilities accounted for 30% of ecommerce data breaches in 2025. Because B2C Commerce Cloud relies on an ecosystem of integrations and custom cartridges, each one is a potential attack surface. The OCAPI to SCAPI migration Salesforce is actively pushing is partly about this: the B2C Commerce API (SCAPI) is the more secure, modern API layer, and Salesforce now recommends using SCAPI for all new projects rather than OCAPI. 

Ransomware 

Ransomware attacks on retail grew 37% in 2025, often timed to coincide with peak trading periods. B2C Commerce Cloud’s infrastructure includes disaster recovery protocols and non-disruptive minor release deployments, but the merchant-side risk lies in connected systems, partner integrations, and internal networks. Defense in depth across the full stack, not just the storefront layer, is essential. 

AI-Powered Threats 

Threat actors are now using AI to scale phishing attacks, automate credential stuffing, and generate synthetic identities for fraud. The same AI capabilities that power Agentforce Shopping Agents on the commerce side are being weaponized on the attack side. Merchants running B2C Commerce Cloud should ensure their fraud detection tooling is keeping pace, since platform security alone cannot address behavioral fraud patterns. 

Agentforce for B2C Commerce: New Capabilities, New Security Considerations 

The 2026 releases of B2C Commerce Cloud have added significant Agentforce Shopping Agent capabilities directly into SFRA and PWA Kit storefronts. These agents help customers find products, manage orders, and receive support. However, they also introduce new security considerations. 

Agentic commerce creates new automated transaction flows. While 63% of merchants are investigating agentic commerce, security analysts need to account for the new verification challenges that arise when AI agents initiate or complete transactions on behalf of shoppers. Salesforce has extended its PCI Responsibility Matrix to cover Agentforce and Einstein Platform services, which is worth reviewing if you are deploying a Shopping Agent. 

Salesforce tracks revenue attributed to the Shopping Agent through B2C Commerce Reports and Dashboards, giving merchants visibility into agent-assisted conversion. From a security standpoint, this telemetry also provides a baseline for detecting anomalous agent activity that could signal a compromised session or a fraud pattern in agent-mediated flows. Read more about Agentforce for B2C Commerce and how Cloud Odyssey implements it securely. 

Security Best Practices for Salesforce B2C Commerce Cloud Merchants 

The platform provides the foundation. These practices determine how secure your actual deployment is. 

  • Run regular security audits of your custom cartridges and third-party integrations. Unpatched custom code is one of the most common breach entry points. 
  • Enforce individual user accounts and disable shared credentials in Business Manager. Shared accounts make breach attribution impossible. 
  • Configure eCDN Page Shield policies to match your specific storefront scripts. Default configurations are a starting point, not a finish line. 
  • Migrate from OCAPI to SCAPI for any new API development. Salesforce is phasing out OCAPI guidance in favor of the more secure SCAPI layer. 
  • Review the PCI Responsibility Matrix before going live and after any major platform or integration change. 
  • Vet third-party cartridges with the same rigor you would apply to any vendor with access to payment data. Each integration extends your attack surface. 
  • Implement outbound connection allowlists (available since the 25.9 release) to limit which external services your storefront can reach. 
  • Plan for incident response, not just prevention. Define your Recovery Time Objectives, segment administrative environments, and have a communication plan ready for the event of a breach. 

How Cloud Odyssey Helps with Salesforce B2C Commerce Cloud Security 

Security on B2C Commerce Cloud is not a one-time setup. It requires ongoing attention as the platform evolves, your integrations change, and the threat landscape shifts. Cloud Odyssey works with commerce teams to implement B2C Commerce Cloud securely from the start and keep it that way. 

  • PCI DSS v4.0 compliance reviews covering both the platform layer and your custom code 
  • eCDN and Cloudflare Page Shield configuration tailored to your specific storefront script inventory 
  • OCAPI to SCAPI migration planning and execution for secure API architecture 
  • Third-party integration security assessments before going live with new cartridges or partner connections 
  • Agentforce Shopping Agent implementation with security and compliance built into the architecture from day one 
  • Ongoing managed services for monitoring, patching, and responding to platform security updates 

See how we handled commerce security in practice in our Pothys Swarna Mahal digital commerce case study, or explore our Salesforce Commerce Cloud implementation services for more. 

Frequently Asked Questions 

1. Is Salesforce B2C Commerce Cloud PCI compliant? 

Salesforce B2C Commerce Cloud is built to comply with PCI DSS v4.0, the current version of the Payment Card Industry Data Security Standard. However, Salesforce’s own PCI certification does not automatically cover your customizations, third-party integrations, or the code your team writes on top of the platform. Merchants must independently manage their compliance for anything outside the core platform. 

2. What is the difference between B2C Commerce Cloud security and what merchants need to manage themselves? 

Salesforce is responsible for platform-level PCI compliance, infrastructure security, the eCDN and Web Application Firewall, SLAS authentication, encryption, and regular security updates. Merchants are responsible for the security of custom code, third-party cartridges, how payment data is stored and accessed, Business Manager user account management, and keeping integrations patched. Salesforce publishes a PCI Responsibility Matrix that outlines this shared model in detail. 

3. What is a Magecart attack and how does B2C Commerce Cloud protect against it? 

A Magecart attack injects malicious JavaScript into checkout pages to steal payment card details as shoppers type them. B2C Commerce Cloud addresses this through its eCDN integration with Cloudflare Page Shield, which inventories, authorizes, and continuously monitors all scripts on payment pages, meeting PCI DSS v4.0 Requirements 6.4.3 and 11.6.1. 

4. What is SLAS in Salesforce B2C Commerce Cloud? 

SLAS stands for Shopper Login and API Security. It is the service that manages authentication tokens for shoppers and API clients. In 2026, Salesforce added several enhancements to the JWTs returned by SLAS, including stronger signature verification and CRM alignment claims. Merchants using custom JWT parsing logic need to ensure their implementations handle new or reordered claims correctly. 

5. Does Agentforce change the security requirements for B2C Commerce Cloud? 

Yes. Agentforce Shopping Agents introduce automated transaction flows that create new verification and security considerations. Salesforce has extended its PCI Responsibility Matrix to cover Agentforce and Einstein Platform services. Merchants deploying Shopping Agents should review this matrix and ensure their implementation accounts for agent-mediated transactions. 

6. What is the OCAPI to SCAPI migration and why does it matter for security? 

OCAPI (Open Commerce API) is the older API layer for B2C Commerce Cloud. SCAPI (Salesforce Commerce API) is the newer, more secure replacement. Salesforce now recommends using SCAPI for all new projects. OCAPI is still available but is no longer the recommended path, and strict validation of OCAPI version numbers was added in the 26.2 release. Migrating to SCAPI reduces your exposure to older API vulnerabilities. 

Conclusion 

Salesforce B2C Commerce Cloud provides a solid, enterprise-grade security foundation: PCI DSS v4.0 compliance, eCDN with Cloudflare Page Shield, SLAS authentication, SFRA security headers, outbound connection allowlists, and robust access controls. The platform has become meaningfully more capable in this area since 2024, particularly with the additions in the 25.7, 25.9, 26.1, and 26.2 releases. 

But security on B2C Commerce Cloud is a shared responsibility. The platform protects what Salesforce builds. You protect what you build on top of it. In a year where 80% of retailers reported a cyberattack and third-party vulnerabilities doubled as a breach vector, understanding that boundary and acting on it is not optional. 

If you want to ensure your B2C Commerce Cloud deployment is as secure as the platform it runs on, get in touch with Cloud Odyssey. We help commerce teams close the gap between what Salesforce provides and what your specific implementation actually needs.