Our customer's are on the mobile app that we're developing.
We want to add customer's payment method to their vault, for which we're using the following API, https://shopify.dev/api/admin/rest/reference/sales-channels/payment#create_payment_session-2021-07
Can anyone please confirm if there is any need to have any kind of compliance if we're going to use this API?
I have never used it but looking at the definition and knowing what I know about PCI compliance, I would say no as the card number you receive is masked.
But I am no expert in this domain.
Thanks @Bunty for the reply.
Actually this API is to add a customer's credit card to vault is this, https://shopify.dev/api/admin/rest/reference/sales-channels/payment#create_payment_session-2021-07
It requires you to send the actual card details in the Shopify API request.
Right, sorry I misread. So that stores the credit card information in Shopify vault (Shopify is PCI-compliant). The card details is secured by SSL in transit to Shopify and I assume you will not store it on your servers, you will just use the session Id (tokenisation of sorts) to process payment. Still looks like you will comply.
That is what I thought. But as per some references online, PCI compliance is required even if we're transmitting the card details. For example, https://stripe.com/in/guides/pci-compliance#overview-of-pci-data-security-standard-pci-dss
But since Shopify has the API for this for use, it may not be required.