Do Companies That Use Shopify Need to Be PCI Compliant?

November 10, 2021

In the age of side hustles and after-work entrepreneurship, it seems as if anyone and everyone can launch an eCommerce store in the blink of an eye. Sure, getting an online store up and running is far easier than it used to be, but are you covering all your bases for your online store when it comes to security?


Every business that accepts credit card payments needs to adhere to the Payment Card Industry Data Security Standard or PCI DSS. PCI compliance can be a pricey process that takes months of work and expertise to complete. The alternative, though, is to put your business at risk for hefty fees and fines from major credit card companies, not to mention costly data breaches.


Is it easier to be PCI compliant when you’re using Shopify, one of the most popular tools for eCommerce stores? Or do you still need to be PCI compliant if your store is powered by Shopify?

Is Shopify PCI compliant?

Fortunately, Shopify is PCI compliant. Shopify is a level 1 service provider, which means that they must adhere to the strictest standards of payment data security. That includes on-site audits every year and ongoing security monitoring for their expansive and complex system.

Do I still need to be PCI compliant if I use Shopify?

The good news is that if you use Shopify to host your eCommerce store, that store is already PCI compliant. This is the case because Shopify is managing your full payment processing and cardholder data environment, so your Shopify store falls under the umbrella of Shopify’s PCI compliance.


However, that doesn’t mean that every business using Shopify is fully PCI compliant. There are some circumstances in which you still need to become PCI compliant.

Using other eCommerce options in addition to Shopify

Shopify’s PCI compliance extends to all Shopify stores, but that doesn’t mean that it protects your entire business. It only protects transactions that take place within Shopify. If you have other eCommerce options, like a self-hosted site outside of Shopify where you’re accepting payments, that other site needs to reach PCI compliance on its own.

Pairing a Shopify site with a brick-and-mortar store

Many businesses are aiming for the best of both worlds by selling online with a Shopify eCommerce shop and in person with a brick-and-mortar store. As strong of a business strategy as that is, it’s important to note that Shopify’s PCI compliance covers your Shopify store, but it does not cover your credit card process in your brick-and-mortar store. The system you use for credit card processing in-store needs to be PCI compliant on its own.

How can I become PCI compliant while using Shopify?

If you accept payments in ways other than your Shopify site, it’s important to reach PCI compliance for those additional payment systems as soon as possible. While every business’s needs will vary, you can reach PCI compliance by following these steps:


  1. Identify your merchant level

In PCI compliance, there are four merchant levels your business may fall into, depending on the number of transactions you process. If you process six million transactions or more, your business is a level 1 merchant, for example. It’s important to determine your merchant level first because this will affect the steps you’ll take to verify your PCI compliance.

  1. Use Vanta PCI Compliance Software to Get a Starting Assessment

You may already meet some of the criteria for PCI compliance if you have taken steps toward data security. It’s crucial to find out where you currently stand and which PCI compliance requirements you already meet. You can do this quickly and efficiently by using Vanta PCI compliance software to scan your system.

  1. Review Your Vanta Report

When Vanta’s software has scanned your system, it will give you a detailed report of the PCI compliance criteria you already meet and, just as importantly, the requirements you don’t yet meet. You can view this report as a to-do list for reaching PCI compliance.

  1. Complete Any Remaining Requirements

Using your Vanta report as a guide, take each remaining requirement one by one and develop protocols, safeguard, and processes that meet these requirements. Once you have completed them all, your system should be PCI compliant.

  1. Confirm Your Compliance

At this point, you know that your system is compliant, but you need documentation. Run Vanta’s compliance software again to verify that you meet the requirements for PCI compliance. You will receive a report showing that you meet all these requirements.

  1. Complete your Documentation

This is the part where your merchant level comes into play because level 1 merchants need different types of documentation to verify their compliance. If your business is a level 1 merchant, you’ll need to hire a third-party auditor to perform an on-site audit for your system for PCI compliance. You’ll then complete an Attestation of Compliance (AOC) and submit it along with your auditor’s report and other supporting documentation.


If you are a level 2, 3, or 4 merchant, you don’t need an on-site audit. You only need to complete a Self-Assessment Questionnaire (SAQ). There are multiple types of SAQs depending on your business’s operations. You’ll submit your SAQ, AOC, and any other supporting document your SAQ requires to verify your PCI compliance.


Start Your PCI Compliance Journey

Vanta PCI compliance software


Your PCI compliance checklist


Guide to eCommerce PCI



Share: