PCI compliance for brick & mortar

TacosForever
New Member
3 0 0

How does the Shopify POS support PCI compliance for a brick & mortar store?  Tried to find an answer but no luck so far.  Thanks.


Trevor
Community Moderator
3215 435 743

Hey, @TacosForever!

From what I was able to find out, there is no difference between POS and Online stores when it comes to PCI compliance. Shopify's POS processes transactions through the same checkout system as every online store that is powered by Shopify.

Is there any specific reason you're looking to obtain this information?

Trevor | Community Moderator @ Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

TacosForever
New Member
3 0 0

Peter,

Thanks for the reply. The reason for the question is that SAQ types differ between e-com only and non-ecom. We'd probably be Level 3 with SAQ-D, including brick & mortar, possibly using Shopify POS to run brick & mortar. Everything I can find on shopify.com related to PCI (it says it is compliant with Level 1) seems to refer to the e-commerce solution but is silent on whether the same compliance extends to Shopify POS used in a brick & mortar store.

Also, if Shopify POS is Level 1 compliant, is that true even if I don't use Shopify Payments? Just trying to figure it all out.

Thanks again . . .  t4vr

Greg_Kujawa
Shopify Partner
1021 83 264

The information request shouldn't be out of left field really. Standard US retailers frequently need to demonstrate PCI compliance. This is related to the POS systems, the payment terminals, etc. Since Shopify e-com is "in the cloud" then that's one thing. But Shopify POS handles more data locally on the iPads and definitely on the payment terminals. If we were to adopt Shopify POS then our stakeholders and constituents would require we demonstrate PCI compliance. 

Trevor
Community Moderator
3215 435 743

@TacosForever , @Greg_Kujawa

Thanks for the context! To keep you in the loop, I've passed this feedback off to our internal teams to gather further details. Once I have additional information to share, I'll update you here.


Trevor
Community Moderator
3215 435 743

@TacosForever , @Greg_Kujawa

Thank you for your patience! Based on the document that I reviewed, SAQ was mentioned once:

Shopify supported eCommerce payment channels for their merchant customers via the Cardsink application programming interface (API) and the Shopify-hosted iframe solution (Hosted Fields). The Cardsink API accepted payments from consumers on behalf of merchants and from merchants. Consumers were redirected to the iframe servers in the Shopify PCI environment via web redirection servers. Sikich assessed these web redirection servers against the requirements in SAQ A and, additionally, against several other relevant requirements.

Outside of this, there weren't any other mentions of different SAQ types, nor was I able to dig up any other information that would directly answer the question you have. I do, however, have our PCI Compliance Certificate, which I'd be happy to email to you at your request.


Greg_Kujawa
Shopify Partner
1021 83 264

Thanks for tracking this down. I would appreciate getting the certificate e-mailed to me so I can file it away if we launch Shopify POS in production. I'm still wondering if the PCI compliance only pertains to the Shopify e-com piece. Both it and Shopify POS are largely cloud-based, although there are localized elements of Shopify POS that differ --- integrated payment terminals being a prime example.

TacosForever
New Member
3 0 0

Thanks for the research.  It leaves me with more confidence that my original hunch was correct.  Shopify is good for the e-com side, but Shopify POS is at the same level of risk as any other POS option for brick & mortar.  Thanks.

Trevor
Community Moderator
3215 435 743

@TacosForever

Happy I could help shed some light on your question. Do let me know if there's anything else I can help with!

@Greg_Kujawa

I've shipped you an email with a copy of the certificate. This area is a bit outside my level of expertise; however, I do hope the document can help answer a few of your unresolved questions.


RichMikel
New Member
2 0 0

The link https://www.shopify.com/enterprise/pci-compliance-checklist#2 talks about practices to ensure PCI security. I am happy to do the below:

If your organization is at PCI compliance level 2, 3, or 4, your validation requirements are basically the same and include:

But to whom do I submit all of the artifacts and documentation?

Rich Mikelinich / rmikelinich@juilliard.edu

RichMikel
New Member
2 0 0

I have the same objective as the prior poster. My external auditor suggests we need to demonstrate PCI compliance, and most card processors have given me very specific PCI requirements in the past.

Greg_Kujawa
Shopify Partner
1021 83 264

We have constituents who require our PCI compliance, and I used these guys for the scanning and certification ---> https://sectigo.com/ssl-certificates-tls/pci-scanning. Once certified I just download the report and certificate, and forward it along!