PCI Compliance
PCI Compliance refers to adhering to the Payment Card Industry Data Security Standard, known as PCI DSS. This is a set of security requirements that applies to any business that stores, processes, or transmits credit or debit card data.
PCI DSS is maintained by the PCI Security Standards Council, which was founded by Visa, Mastercard, American Express, Discover, and JCB. It is not a law. It is a contractual requirement enforced by card networks and payment processors, but the consequences of non-compliance are serious: fines, account suspension, or losing the ability to accept card payments entirely.
PCI Compliance in Detail
PCI DSS organizes sellers into four compliance levels based on annual transaction volume, each with different validation requirements.
- Level 1. 6 million or more transactions per year. Requires an annual on-site audit by a Qualified Security Assessor (QSA).
- Level 2. 1 million to 6 million transactions per year. Requires an annual Self-Assessment Questionnaire (SAQ) and quarterly network scans.
- Level 3. 20,000 to 1 million e-commerce transactions per year. Requires an annual SAQ and quarterly network scans.
- Level 4. Fewer than 20,000 e-commerce transactions per year. Requires an annual SAQ; quarterly scans are recommended.
Most new Shopify and dropshipping sellers fall under Level 3 or Level 4, meaning they validate compliance through a self-assessment questionnaire rather than a costly third-party audit. An SAQ is a set of yes/no questions covering how your store handles card data.
What PCI Compliance Covers
The 12 PCI DSS requirements cover six broad areas:
- Securing your network. Using firewalls and not relying on default vendor passwords.
- Protecting cardholder data. Encrypting stored card data and never saving raw card numbers or CVV codes (the CVV is the 3- or 4-digit security code printed on a card; it must not be kept after authorization).
- Managing vulnerabilities. Keeping software updated and using anti-virus protection.
- Controlling access. Restricting who can access card data and requiring two-factor authentication (2FA) on admin accounts.
- Monitoring and testing. Logging access to card data and running regular vulnerability scans.
- Maintaining a security policy. Having a written information security policy and reviewing it regularly.
These requirements create a layered security framework designed to prevent card data from being exposed or stolen. Shopify’s checkout is Level 1 PCI DSS certified, meaning Shopify handles card processing on audited, secure servers. However, sellers remain responsible for any third-party apps, marketing pixels, and custom scripts running on their storefront.
PCI Compliance vs. SSL Certificate
An SSL certificate (Secure Sockets Layer, a technology that encrypts data sent between a browser and a web server; in practice this is now done with its successor, TLS) is essential for any online store. However, it only protects data while it is in transit. PCI compliance spans all 12 requirements across network security, access control, data storage, and more. Having an SSL certificate alone does not make a store PCI compliant.
Why Is PCI Compliance Important for eCommerce Sellers?
PCI compliance protects both the store and its customers. A data breach that exposes card numbers can destroy customer trust, lead to significant fines, and result in payment processing being suspended entirely.
For most Shopify sellers, the practical steps are: use a PCI-compliant payment processor like Shopify Payments or Stripe, never store raw card data yourself, complete the annual SAQ honestly, and audit third-party apps regularly to confirm nothing on your storefront is inadvertently capturing card information.
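The "never store raw card data yourself" step above, together with the "Protecting cardholder data" and "Monitoring and testing" requirements, is easiest to act on with a concrete check. The following is an added example written for this page; it is not part of the original article and is not Shopify, Stripe or PCI Council tooling. It is a small Python scanner that reads exported text (order logs, CSV exports, support notes) looking for digit runs that pass the Luhn checksum used by card numbers, reports each hit masked to the first six and last four digits (the most PCI DSS allows to be displayed), and flags lines that also carry a CVV-style field. The sample lines and the `card=` / `cvv=` field names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not immediately preceded or followed by another digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A field that looks like a stored security code (must never be kept after authorization).
# Field names are assumed for the example; adjust to your own export format.
CVV_FIELD = re.compile(r"\b(?:cvv|cvc|cvv2|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)

# Constructed sample lines, as a merchant might find in an export or log file.
SAMPLE_LINES = [
    "2024-05-01 order=1001 customer=alice total=49.99 last4=4242",
    "2024-05-01 order=1002 card=4242424242424242 cvv=123",
    "2024-05-02 order=1003 card=4111-1111-1111-1111",
    "2024-05-02 order=1004 tracking=1234567890123456",
]


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to its first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    masked_pan: str
    has_cvv_field: bool


def scan_lines(lines):
    """Return a Finding for every Luhn-valid card number found in the given lines."""
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                findings.append(Finding(n, mask_pan(digits), bool(CVV_FIELD.search(line))))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        flag = "  <-- stored security code!" if f.has_cvv_field else ""
        print(f"line {f.line_no}: {f.masked_pan}{flag}")
```

Run against the sample lines, the scanner reports the two real test card numbers (lines 2 and 3) and flags line 2 for the CVV field, while the 16-digit tracking number on line 4 is ignored because it fails the Luhn check. This is a first-pass heuristic rather than a data-loss-prevention product: adjacent digit runs can merge into one candidate, and the right response to any hit is to stop the export from containing card data at all, not to mask it after the fact.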
Frequently Asked Questions
Is Shopify PCI compliant?
Yes, Shopify is PCI compliant at the platform level. Shopify’s checkout and payment infrastructure is certified at PCI DSS Level 1, the highest level available. This means Shopify itself handles card data securely. Sellers are still responsible for the security of any third-party apps and custom scripts they add to their storefront.
Do I need to do anything to be PCI compliant on Shopify?
Yes, there are still steps sellers need to take even on Shopify. These include completing the annual Self-Assessment Questionnaire, enabling two-factor authentication on admin accounts, auditing and removing unused third-party apps, and never storing raw card numbers or CVV codes in spreadsheets or external files.
What happens if I am not PCI compliant?
If you are not PCI compliant, you risk fines from card networks passed on by your payment processor, suspension of your ability to process card payments, and financial liability for any fraud or data breaches that occur. For most small sellers, using a PCI-certified payment processor and following basic account security practices covers the most critical requirements.