Do companies that use Shopify need to be PCI compliant?
In the age of side hustles and after-work entrepreneurship, it seems as if anyone and everyone can launch an eCommerce store in the blink of an eye. Sure, getting an online store up and running is far easier than it used to be, but are you covering all your bases for your online store when it comes to security?
Every business that accepts credit card payments needs to adhere to the Payment Card Industry Data Security Standard or PCI DSS. PCI compliance can be a pricey process that takes months of work and expertise to complete. The alternative, though, is to put your business at risk for hefty fees and fines from major credit card companies, not to mention costly data breaches.
Is it easier to be PCI compliant when you’re using Shopify, one of the most popular tools for eCommerce stores? Or do you still need to be PCI compliant if your store is powered by Shopify?
Is Shopify PCI compliant?
Fortunately, Shopify is PCI compliant. Shopify is a level 1 service provider, which means that they must adhere to the strictest standards of payment data security. That includes on-site audits every year and ongoing security monitoring for their expansive and complex system.
Do I still need to be PCI compliant if I use Shopify?
The good news is that if you use Shopify to host your eCommerce store, that store is already PCI compliant. This is the case because Shopify is managing your full payment processing and cardholder data environment, so your Shopify store falls under the umbrella of Shopify’s PCI compliance.
However, that doesn’t mean that every business using Shopify is fully PCI compliant. There are some circumstances in which you still need to become PCI compliant.
Using other eCommerce options in addition to Shopify
Shopify’s PCI compliance extends to all Shopify stores, but that doesn’t mean that it protects your entire business. It only protects transactions that take place within Shopify. If you have other eCommerce options, like a self-hosted site outside of Shopify where you’re accepting payments, that other site needs to reach PCI compliance on its own.
Pairing a Shopify site with a brick-and-mortar store
Many businesses are aiming for the best of both worlds by selling online with a Shopify eCommerce shop and in person with a brick-and-mortar store. As strong of a business strategy as that is, it’s important to note that Shopify’s PCI compliance covers your Shopify store, but it does not cover your credit card process in your brick-and-mortar store. The system you use for credit card processing in-store needs to be PCI compliant on its own.
How can I become PCI compliant while using Shopify?
If you accept payments in ways other than your Shopify site, it’s important to reach PCI compliance for those additional payment systems as soon as possible. While every business’s needs will vary, you can reach PCI compliance by following these steps:
- Identify your merchant level
In PCI compliance, there are four merchant levels your business may fall into, depending on the number of transactions you process. If you process six million transactions or more, your business is a level 1 merchant, for example. It’s important to determine your merchant level first because this will affect the steps you’ll take to verify your PCI compliance.
- Use Vanta PCI Compliance Software to Get a Starting Assessment
You may already meet some of the criteria for PCI compliance if you have taken steps toward data security. It’s crucial to find out where you currently stand and which PCI compliance requirements you already meet. You can do this quickly and efficiently by using Vanta PCI compliance software to scan your system.
- Review Your Vanta Report
When Vanta’s software has scanned your system, it will give you a detailed report of the PCI compliance criteria you already meet and, just as importantly, the requirements you don’t yet meet. You can view this report as a to-do list for reaching PCI compliance.
- Complete Any Remaining Requirements
Using your Vanta report as a guide, take each remaining requirement one by one and develop protocols, safeguard, and processes that meet these requirements. Once you have completed them all, your system should be PCI compliant.
- Confirm Your Compliance
At this point, you know that your system is compliant, but you need documentation. Run Vanta’s compliance software again to verify that you meet the requirements for PCI compliance. You will receive a report showing that you meet all these requirements.
- Complete your Documentation
This is the part where your merchant level comes into play because level 1 merchants need different types of documentation to verify their compliance. If your business is a level 1 merchant, you’ll need to hire a third-party auditor to perform an on-site audit for your system for PCI compliance. You’ll then complete an Attestation of Compliance (AOC) and submit it along with your auditor’s report and other supporting documentation.
If you are a level 2, 3, or 4 merchant, you don’t need an on-site audit. You only need to complete a Self-Assessment Questionnaire (SAQ). There are multiple types of SAQs depending on your business’s operations. You’ll submit your SAQ, AOC, and any other supporting document your SAQ requires to verify your PCI compliance.
Start Your PCI Compliance Journey
FEATURED VANTA RESOURCE
The ultimate guide to scaling your compliance program
Learn how to scale, manage, and optimize alongside your business goals.
PCI Compliance Selection Guide
Determine Your PCI Compliance Level
If your organization processes, stores, or transmits cardholder data, you must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global mandate created by major credit card companies. Compliance is mandatory for any business that accepts credit card payments.
When establishing strategies for implementing and maintaining PCI compliance, your organization needs to understand what constitutes a Merchant or Service Provider, and whether a Self Assessment Questionnaire (SAQ) or Report on Compliance (ROC) is most applicable to your business.
Answer a few short questions and we’ll help identify your compliance level.
Does your business offer services to customers who are interested in your level of PCI compliance?
Identify your PCI SAQ or ROC level
The PCI Security Standards Council has established the below criteria for Merchant and Service Provider validation. Use these descriptions to help determine the SAQ or ROC that best applies to your organization.
Good news! Vanta supports all of the following compliance levels:
A SAQ A is required for Merchants that do not require the physical presence of a credit card (like an eCommerce, mail, or telephone purchase). This means that the Merchant’s business has fully outsourced all cardholder data processing to PCI DSS compliant third party Service Providers, with no electronic storage, processing, or transmission of any cardholder data on the Merchant’s system or premises.
Get PCI DSS certified
A SAQ A-EP is similar to a SAQ A, but is a requirement for Merchants that don't receive cardholder data, but control how cardholder data is redirected to a PCI DSS validated third-party payment processor.
Learn more about eCommerce PCI
A SAQ D includes over 200 requirements and covers the entirety of PCI DSS compliance. If you are a Service Provider, a SAQ D is the only SAQ you’re eligible to complete.
Use our PCI checklist
A Report on Compliance (ROC) is an annual assessment that determines your organization’s ability to protect cardholder data. If you’re a Merchant that processes over six million transactions annually or a Service Provider that processes more than 300,000 transactions annually, your organization is responsible for both a ROC and an Attestation of Compliance (AOC).
Automate your ROC and AOC
Download this checklist for easy reference
Learn more about how Vanta can help. You can also find information on PCI compliance levels at the PCI Security Standards Council website or by contacting your payment processing partner.
The compliance news you need. Delivered securely to your inbox.