PayProof · Shopify

PCI DSS payment security for Shopify sellers: do the rules apply to you?

Taking cards means PCI DSS obligations. The safe path: never touch raw card data, use a compliant processor, serve everything over HTTPS, never store card numbers, and complete your SAQ.


How PCI DSS payment security works on Shopify

Shopify gives you the storefront and checkout, but legal compliance is on you, the merchant — Shopify's own terms make that explicit. The platform ships some tools (a cookie-banner and customer-privacy API, a hosted PCI-compliant checkout), but switching them on and configuring them correctly is your job, not Shopify's.

📦 On Shopify: What Shopify handles: Shopify Payments and the hosted checkout cover much of your PCI DSS scope — but a self-hosted or third-party gateway, or custom checkout, pulls you back into scope.

Does this apply to you?

This rule applies to Shopify sellers who accept credit or debit card payments. Accept card payments? Check that card data never touches your server and your checkout is locked down. Not sure? The free checker tells you in about a minute — no signup.

The Shopify checklist

Whatever the platform handles, you still need to be able to answer "yes" to each of these — these are the points Shopify sellers most often get caught on:

What's at stake

⚠️ Exposure: card-network fines $5K–$100K/month (contractual) · Status: In force. On Shopify, that's on top of any account suspension for breaking platform policy.

Compare the penalty for every rule →

Common questions

Do I have to handle PCI DSS payment security myself on Shopify, or does Shopify cover it?

Shopify Payments and the hosted checkout cover much of your PCI DSS scope — but a self-hosted or third-party gateway, or custom checkout, pulls you back into scope.

Do I have to be PCI compliant?

If you accept card payments, yes — every merchant must meet PCI DSS. Using a hosted/tokenized processor (Stripe, PayPal, Shopify) keeps you in the lightest scope (SAQ A).

What's the safest setup for a small seller?

Let a compliant processor handle card data via a hosted or tokenized checkout so raw card numbers never hit your server, serve everything over HTTPS, and never store card numbers or CVV.
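One way to verify the "raw card numbers never hit your server" claim is to scan your own application logs or form dumps for anything that looks like a PAN. The check below is an added example, not part of the PayProof page or any Shopify or RuleGoose tool: it flags 13 to 19 digit runs that pass the Luhn mod-10 check, reports them masked (first six and last four digits only), and runs over a constructed sample log in which the only digit strings that should be flagged are the two well-known test card numbers.

```python
import re

# 13-19 digits, optionally separated by spaces/dashes, not inside a longer run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(digits: str) -> str:
    """PCI-style display masking: keep first 6 and last 4 digits only."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list[str]:
    """Masked PANs in text: digit runs that look like a card and pass Luhn."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits

def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """(1-based line number, masked PAN) for every PAN found in the lines."""
    return [(n, pan) for n, line in enumerate(lines, start=1) for pan in find_pans(line)]

# Constructed sample: 4111... and 5555... are well-known Luhn-valid test
# numbers; the order id is 16 digits but fails Luhn; the token is what a
# hosted/tokenized checkout should leave on your side instead of a PAN.
SAMPLE_LOG = [
    "POST /checkout order=1234567890123456 status=200",
    'DEBUG form={"card": "4111 1111 1111 1111", "cvv": "123"}',
    "INFO charge ok token=tok_1AbCdEfGhIjKlMnO",
    "ERROR gateway retry pan=5555555555554444",
]

if __name__ == "__main__":
    for n, pan in scan_log(SAMPLE_LOG):
        print(f"line {n}: card number in log ({pan})")
```

Any hit on a real log means card data reached your server and you are no longer in SAQ A scope; the Luhn filter keeps 16-digit order or tracking numbers from showing up as false positives.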

What is an SAQ?

A Self-Assessment Questionnaire — an annual attestation of your controls. The version (A / A-EP / D) depends on how your checkout integrates.

The source

RuleGoose checks this against the PCI DSS v4.0 standard. Read it yourself: PCI Security Standards Council →

Check your Shopify store against PCI DSS payment security — free.
Answer a few questions, see exactly where you're exposed, and draft the fix. No signup, runs in your browser. Run the PayProof checker →

or get one RuleGoose Score across every rule your Shopify store has to meet.

The full Shopify picture

PCI DSS payment security is one of several rules a Shopify store has to meet. See the full Shopify compliance checklist →, or read the platform-neutral PCI DSS payment security guide.

Same rule, other platforms

Informational only, not legal advice, and not affiliated with the PCI SSC or Shopify. Last reviewed 2026-06-30.