Retail and Point of Sale

Peter,

Thanks for the reply.  Reason for question is that SAQ types differ between e-com only and non-ecom.  We'd probably be Level 3 with SAQ-D, including brick & mortar, possibly using Shopify POS to run brick & mortar.  Everything I can find on shopify.com related to PCI (says is compliant with Level 1) seems to refer to the e-commerce solution but is silent on if the same compliance extends to Shopify POS used in a brick & mortar store.  

Also, if Shopify POS is Level 1 compliant, is that true even if I don't use Shopify Payments?  Just trying to figure it all out.

Thanks again . . .  t4vr

The information request shouldn't be out of left field really. Standard US retailers frequently need to demonstrate PCI compliance. This is related to the POS systems, the payment terminals, etc. Since Shopify e-com is "in the cloud" then that's one thing. But Shopify POS handles more data locally on the iPads and definitely on the payment terminals. If we were to adopt Shopify POS then our stakeholders and constituents would require we demonstrate PCI compliance. 

@TacosForever , @Gregarican 

Thanks for the context! To keep you in the loop, I've passed this feedback off to our internal teams to gather further details. Once I have additional information to share, I'll update you here. 

@TacosForever , @Gregarican 

Thank you for your patience! Based on the document that I reviewed, SAQ was mentioned once: 

Shopify supported eCommerce payment channels for their
merchant customers via the Cardsink application programming
interface (API) and the Shopify-hosted iframe solution (Hosted
Fields). The Cardsink API accepted payments from consumers
on behalf of merchants and from merchants. Consumers were
redirected to the iframe servers in the Shopify PCI environment
via web redirection servers. Sikich assessed these web
redirection servers against the requirements in SAQ A and,
additionally, against several other relevant requirements.

Outside of this, there weren't any other mentions of different SAQ types, nor was I able to dig up any other information that would directly answer the question you have. I do, however; have our PCI Compliance Certificate which I'd be happy to email to you at your request. 

Thanks for tracking this down. I would appreciate getting the certificate e-mailed to me so I can file away if we are launching Shopify POS in production. I'm still wondering if the PCI compliance only pertains to the Shopify e-com piece. Both it and Shopify POS are largely cloud-based, although there are localized elements of Shopify POS that differ --- integrated payment terminals being a prime example.

Thanks for the research.  It leaves me with more confidence that my original hunch was correct.  Shopify is good for the e-com side, but Shopify POS is at the same level of risk as any other POS option for brick & mortar.  Thanks.

@TacosForever 

Happy I could help shed some light on your question. Do let me know if there's anything else I can help with!

@Gregarican 

I've shipped you an email with a copy of the certificate. This area is a bit outside my level of expertise; however; I do hope the document can help answer a few of your unresolved questions. 

The link https://www.shopify.com/enterprise/pci-compliance-checklist#2 talks about practices to ensure PCI security. I am happy to do the below:

If your organization is at PCI compliance level 2, 3, or 4, your validation requirements are basically the same and include:

• Yearly self-assessment using the PCI SSC SAQ
• Quarterly network scans by an approved scanning vendor
• Attestation of compliance form and submitted documentation

But to whom do I submit all of the artifacts and documentation to?

Rich Mikelinich / rmikelinich@juilliard.edu

I have the same objective of the prior poster, My external auditor suggests we need to demonstrate PCI compliance and most card processors have given me very specific PCI requirements in the past.

We have constituents who require our PCI compliance, and I used these guys for the scanning and certification ---> https://sectigo.com/ssl-certificates-tls/pci-scanning. Once certified I just download the report and certificate, and forward it along!