From what I was able to find out, there is no difference between POS and Online stores when it comes to PCI compliance. Shopify's POS processes transactions through the same checkout system as every online store that is powered by Shopify.
Is there any specific reason you're looking to obtain this information?
Thanks for the reply. Reason for question is that SAQ types differ between e-com only and non-ecom. We'd probably be Level 3 with SAQ-D, including brick & mortar, possibly using Shopify POS to run brick & mortar. Everything I can find on shopify.com related to PCI (says is compliant with Level 1) seems to refer to the e-commerce solution but is silent on if the same compliance extends to Shopify POS used in a brick & mortar store.
Also, if Shopify POS is Level 1 compliant, is that true even if I don't use Shopify Payments? Just trying to figure it all out.
Thanks again . . . t4vr
The information request shouldn't be out of left field really. Standard US retailers frequently need to demonstrate PCI compliance. This is related to the POS systems, the payment terminals, etc. Since Shopify e-com is "in the cloud" then that's one thing. But Shopify POS handles more data locally on the iPads and definitely on the payment terminals. If we were to adopt Shopify POS then our stakeholders and constituents would require we demonstrate PCI compliance.
Thanks for the context! To keep you in the loop, I've passed this feedback off to our internal teams to gather further details. Once I have additional information to share, I'll update you here.
Thank you for your patience! Based on the document that I reviewed, SAQ was mentioned once:
Shopify supported eCommerce payment channels for their
merchant customers via the Cardsink application programming
interface (API) and the Shopify-hosted iframe solution (Hosted
Fields). The Cardsink API accepted payments from consumers
on behalf of merchants and from merchants. Consumers were
redirected to the iframe servers in the Shopify PCI environment
via web redirection servers. Sikich assessed these web
redirection servers against the requirements in SAQ A and,
additionally, against several other relevant requirements.
Outside of this, there weren't any other mentions of different SAQ types, nor was I able to dig up any other information that would directly answer the question you have. I do, however; have our PCI Compliance Certificate which I'd be happy to email to you at your request.
Thanks for tracking this down. I would appreciate getting the certificate e-mailed to me so I can file away if we are launching Shopify POS in production. I'm still wondering if the PCI compliance only pertains to the Shopify e-com piece. Both it and Shopify POS are largely cloud-based, although there are localized elements of Shopify POS that differ --- integrated payment terminals being a prime example.
Happy I could help shed some light on your question. Do let me know if there's anything else I can help with!
I've shipped you an email with a copy of the certificate. This area is a bit outside my level of expertise; however; I do hope the document can help answer a few of your unresolved questions.