I am struggling to see from your docs whether what we want as a company is possible so I shall describe what I am looking for as a developer.
First off, the rest of your API is great and gives full capabilities to create a headless commerce solution that suits our needs. Unfortunately, your Checkout API is lacking in two key areas from what I can see (please correct me if I am wrong).
When making a checkout complete request via Stripe, the only option seems to be using a token gained via transmitting card details to our server to obtain a token.
This requires our company to be SAQ A-EP PCI level compliant. This seems like an odd choice for people trying to use the Shopify Storefront API; most companies are wanting to be SAQ A PCI compliant. With Stripe we use Stripe Elements and the Payment Intents API. So from our point of view I would expect the Storefront Checkout API to have a method to get the Intent secret and then confirm the payment by completing the checkout. I don't seem to be able to see this?
So if the above is not currently possible, is it likely to be part of the API anytime soon? If I could get an answer from Shopify Dev on this, that would be awesome.
Also, how is it possible to integrate PayPal into the Storefront Checkout API?
As you have seen in the docs, there are a few ways to complete a checkout. The most common option is the Web URL / Checkout. This will spin up a fully PCI compliant Shopify checkout that handles the secure transaction for you. With this option, you will be able to use the payment gateway of your choice, including having PayPal as an option.
If you are looking at utilizing the API options for checkout, please remember you will need to go through the payment processing permissions request.
With the options, there are different levels of PCI scope available. For example, with Spreedly they have hosted fields you can launch in an IFrame with https://docs.spreedly.com/guides/adding-payment-methods/iframe/ to send the data.
Although not explicitly stated, you should be able to continue to use Stripe Elements as the hosted fields to create the token. Once received, you can pass that to Shopify through the mutation listed in the docs. This will avoid sending CC information to your server.
Vix | Developer Support @ Shopify
Thanks for replying. Unfortunately, the solutions you provide are not quite up to what I am looking for, while also not what people are looking for. PCI compliant Shopify checkout can only be customised in Shopify Plus. As medium to small size businesses we are unlikely to want to fork out your minimum $2000 price tag for the privilege of being able to have a customised checkout. While it's good to note that you support Stripe Elements, it seems you only support the OLD API https://stripe.com/docs/payments/charges-api, which gives the warning "The Charges API is an older payments API that does not handle bank requests for card authentication. Try our new payments APIs and integrations instead."
So yet again it seems like your API is not up to scratch to support the latest https://stripe.com/docs/payments/payment-intents API, which is a real shame as your other GraphQL endpoints are perfect for making modern Headless commerce solutions. When is it likely that the Checkout API will support an SCA compliant version of Stripe Elements (one of the most common payment integrations used)? Can you provide an idea of when the API is likely to support this, to help aid building modern Headless commerce solutions?
I am also looking for this answer. We are also building a Headless Store and we are missing clarity on how to reflect the payments done through Stripe Elements in an order in Shopify through the API.
Can you let us know if this is possible? We want to avoid the user having to pay through the Shopify weburl as this takes them out of the site experience.