API Protection for Retail and eCommerce

API Protection for Retail and eCommerce
APIs have long been an integral tool for retailers and e-tailers who use them to seamlessly tie multiple e-commerce related systems together. Database API calls deliver browsing or search results; inventory status via an API call is displayed with a click of a mouse; loading a digital shopping cart generates an API-based checkout routine, complete with credit card validation; and a purchase initiates an email and shipping confirmation via third-party APIs.
In the 2021 State of API Economy published by Google, the retail and hospitality industry ranked as the #1 consumer of APIs. No doubt that the pandemic related shutdown is a contributing factor to the volume of API calls observed, but the fact is retail organizations have embraced APIs and will continue to do so. The 2021 LexisNexis cost of retail fraud report showed that the digital and mobile usage patterns influenced by the adoption of [API driven] contactless payments and mobile apps have increased, even as merchants began welcoming physical customers. The flip side of increased usage is a matching uptick in security risks resulting in an expanded attack surface that potentially leads to data loss, fraud or business disruption by threat actors.

By the Numbers


Retail organizations generated 34% of 2.2T API calls in 2021.


True cost of addressing every 1$ in retail fraud, up from $3.13 prior to the pandemic.


Year-over-year increase in fraud related attacks against U.S.-based ecommerce retailers. Canadian e-commerce retailers saw a 52% increase.

API Protection is a Business Problem

Retail environments are lucrative targets for bad actors who target APIs directly, finding authentication coding errors that allow escalated privileges and using enumeration techniques to leverage it more broadly. Or they uncover APIs exposing sensitive data and then steal the payload, or they use automation to execute a shopping bot attack on a perfectly coded API. Attacks on your APIs can introduce a range of risks and they impact the entire business – not just the security team. Business impact examples include:


Whether it’s an automated ATO on a perfectly coded API, or a volumetric attack against an API coded without resource or rate limiting (OWASP API#4), the impact on infrastructure teams can cause costs to skyrocket. Worse yet, the web site and mobile app can become non-responsive, resulting in (real) user dissatisfaction.


Security is impacted by efforts to slow or stop API attacks, often struggling to separate real transactions from fake, or worse yet, blindsided by an unprotected shadow API.
Fraud Teams

Fraud Teams

Fraud teams are overwhelmed by unauthorized fraudulent activity that affects their business operations, brand, and customers. This enables fraudsters to constantly instigate new and creative campaigns to avoid detection and defraud users and businesses.  
Marketing, Sales, eCommerce

Marketing, Sales, eCommerce

Depending on the type of attack, these groups may be presented with inflated marketing statistics which turn into poor or misleading sales program decisions, missed revenue projections and damage to vendor relationships.
Customer Satisfaction, PR, Brand

Customer Satisfaction, PR, Brand

Accenture research has shown that 57% of consumers spend more on brands to which they are loyal, generating 12%-18% incremental revenue growth per year, motivating organizations with a retail presence to be singularly focused on customer retention. A bad experience due to a slow or unavailable website, or a compromised account drives customers elsewhere, resulting in a 5x increase in costs of acquiring a new customer.

Limitations of Traditional Defenses

Today’s security teams simply lack the visibility and defense capabilities they need to protect the ever-growing risk from APIs and other application connections. Many believe that compliance with PCI or SOC 2 and a “shift-left, DevOps” approach is sufficient to protect their APIs. The problem with these strategies is that they don’t have a way to “know the unknown”, meaning they aren’t able to look for all APIs and API vulnerabilities without knowing where to look. Even if all APIs are discovered and “known”, attackers can still leverage seemingly legitimate transactions in an attempt to steal data, or commit fraud. Traditional approaches that use WAFs or API gateways depend on easily evadable detection, lack the real-time ability to discern good from bad API activity and are reliant on static, least common denominator protection spread across multiple technology components.

Cequence by the Numbers



Savings achieved by blocking a high volume, API-based enumeration attack at Ulta Beauty.


Number of retail shopping accounts protected by Cequence during 1st half 2022.


The percentage of retail-based transactions observed during 1st half 2022 that are API-based.

The Journey to Unified API Protection for Retailers

Cequence Security believes in taking a holistic approach to defending against API-related data risk for retailers with a market-defining Unified API Protection solution that goes beyond API security approaches that focus solely on one aspect of the API protection journey. Cequence retail customers like Ulta Beauty are able to reduce costs by blocking bots that can negatively impact the business. In other cases, retail customers are using the UAP solution to maintain API contracts, to prevent shopping bots, or to stop pesky gift card fraud.
Cequence The Journey to Unified API Protection
Achieving true peace of mind for comprehensive API attack protection means traveling through six distinct steps associated with the Unified API Protection solution:
Discovery: Viewing an organization’s API attack surface from a threat actor perspective to know the unknown.
Inventory: Performing a comprehensive multi-cloud API inventory, including all existing APIs and connections.
Testing: Integrating API protection into development, which shifts API security left within the organization, so risky code doesn’t go live.
Compliance: Keeping APIs in compliance with specifications, standards and regulations such as OWASP and ensuring ongoing API governance.
Detection: Continuous scanning for threats, including subtle business logic abuse, fraud, and automated malicious activity from bots.
Prevention: Employing countermeasures such as alerts, real-time blocking, deception, without the need for added third-party data security tools.
Unified API Protection is different from fragmented or incomplete API security offerings because it’s a methodology designed to account for multiple types of risk, across every phase of the API protection lifecycle.

Why Cequence?

With the Cequence Unified API Protection solution, customers can continue to reap the competitive and business advantages of ubiquitous API connectivity. The Cequence solution results in attack futility, failure, and fatigue for even the most relentless of attackers. It significantly improves visibility and protection while reducing cost, minimizing fraud, business abuse, data losses and non-compliance.
Why Cequence

Get an Attacker’s View
into Your Organization