Skip to main content

Penetration Testing

Penetration testing for Indonesian retail and e-commerce

In short

How Indonesian online retailers test checkout, payment and wallet flows, public APIs, and customer accounts for exploitable weaknesses before an attacker does.

Penetration testing

An online retailer cannot wait for a fraud spike or a breach notice to find out whether its checkout, its public APIs, or its customer accounts are exploitable. The better time to find out is under a controlled test. PCI DSS makes part of this a standing obligation rather than a discretionary project: any merchant handling payment card data has to perform regular penetration testing of the cardholder data environment. This page covers what has to be in scope for a retailer or marketplace specifically, how testing adapts around checkout and loyalty systems, and what happens once the report lands. For how a penetration test works in general, see our penetration testing service page.

Why testing looks different for e-commerce

A retail attack surface is not one web application. It is a checkout, a set of payment and wallet integrations, a customer account system, and often a marketplace, each holding a different slice of what an attacker wants.

Checkout, payment and wallet flows

This is where card and digital-wallet data moves, and it draws the most targeted attacks. Web-skimming, the Magecart-style injection of malicious script into a checkout page, quietly copies card details as customers type them. A test checks the checkout and its payment integration for exactly this kind of tampering before it runs silently for months.

SQL injection, XSS and API abuse

SQL injection, cross-site scripting, and abuse of public APIs against checkout and loyalty databases are the most common attack patterns against retail, and technical debt often leaves them open for years. These are the findings a test is built to surface before a database is dumped.

Account takeover and credential stuffing

Attackers replay reused username and password pairs against loyalty logins to drain point balances or make fraudulent purchases. Loyalty and account systems frequently run weaker controls than the payment systems beside them, which makes them the softer target and a specific thing to test for.

Marketplace seller platforms

If you run a marketplace, the seller platform is its own attack surface: fake-seller campaigns, account takeover against seller logins, and abuse of the seller-facing APIs. Each is a route to fraud or to customer data that a storefront-only test would never reach.

There is no single retail-specific testing mandate the way OJK sets one for banks, but the obligation exists in substance. PCI DSS requires regular penetration testing of the cardholder data environment for any merchant handling card data, and UU PDP requires controllers to apply appropriate technical measures to protect customer personal data. A penetration test is one of the more direct ways to show both hold in practice rather than only on paper.

What we test and how we deliver it

Scoping has to account for every system that touches customer money or data, not just the public storefront.

E-commerce platform and checkoutPayment gateway and wallet integrationsPublic APIsCustomer account and identity systemsPOS systemsMarketplace seller platformCloud-hosted workloads
Scope against PCI DSS and your own risk profileTest the checkout, payment integrations, APIs, and account systemsValidate exploitability and business impact, from web-skimming to account takeoverDeliver a report with remediation priorities and a free retest

Every engagement includes a free retest once fixes are in, because a report that says "fixed" only means something if someone checks. Findings are categorised by severity and mapped to remediation timeframes you can defend, and the scope is set around your live trading windows so a test does not become the reason checkout goes down. If you are weighing a lighter-touch scan against a full test, our page on vulnerability assessment vs penetration testing sets out where each one fits, and our page on how long penetration testing takes covers what to expect on timing.

What the sector context means for retail

Retail and e-commerce sit under two regimes at once. PCI DSS governs how payment card data is handled and requires regular testing of the environment around it. UU PDP governs the customer personal data behind every account and order, expects appropriate technical measures, and sets a 72-hour breach notification clock. Large platforms also operate as electronic system operators under PP 71/2019, which carries its own security and reporting obligations. A test that is scoped to the checkout, the APIs, and the account systems is one action that speaks to all three, rather than treating each as a separate compliance exercise.

If your checkout, APIs, or loyalty systems have not been tested against what an attacker would actually try, our team can scope a test to what PCI DSS and your own risk profile require and set out a concrete next step.

References

  1. 1.PCI Security Standards Council, Payment Card Industry Data Security Standard
  2. 2.Republic of Indonesia, UU No. 27 Tahun 2022 (UU PDP)
  3. 3.Government of Indonesia, PP No. 71 Tahun 2019 on Electronic Systems and Transactions

Reviewed by Naren Krishnan, Cybersecurity Manager

Frequently asked questions

Yes. PCI DSS applies to any merchant that stores, processes, or transmits payment card data, and it includes a requirement to perform regular penetration testing of the cardholder data environment. That covers the checkout flow, the payment gateway integration, and the systems and network segments around them. A test is how you show the controls protecting card data actually hold, rather than assuming they do.

Related

Ready to strengthen your security posture?

Talk to our Jakarta-based team about your requirements.

Jakarta-based team. We reply within one business day.