To use CustomerCreditCard API, do we need to have any compliance?

ravisingh
New Member

Hi everyone,

Our customers are on the mobile app that we're developing.

We want to add a customer's payment method to their vault, for which we're using the following API: https://shopify.dev/api/admin/rest/reference/sales-channels/payment#create_payment_session-2021-07

Can anyone please confirm if there is any need to have any kind of compliance if we're going to use this API?

Thank you

0 Likes
Bunty
Shopify Partner

I have never used it, but looking at the definition and knowing what I know about PCI compliance, I would say no, as the card number you receive is masked.

But I am no expert in this domain.

Tech Expert at Frankie - Personalizing the Shopping experience.
Frankie - empowering merchants in 206 Countries and 31 Currencies.
0 Likes
ravisingh
New Member

Thanks @Bunty for the reply.

Actually, the API to add a customer's credit card to the vault is this: https://shopify.dev/api/admin/rest/reference/sales-channels/payment#create_payment_session-2021-07

It requires you to send the actual card details in the Shopify API request.

0 Likes
Bunty
Shopify Partner

Right, sorry, I misread. So that stores the credit card information in the Shopify vault (Shopify is PCI-compliant). The card details are secured by SSL in transit to Shopify, and I assume you will not store them on your servers; you will just use the session ID (tokenisation of sorts) to process payment. Still looks like you will comply.

0 Likes
ravisingh
New Member

Thanks @Bunty 

That is what I thought. But as per some references online, PCI compliance is required even if we're transmitting the card details. For example, https://stripe.com/in/guides/pci-compliance#overview-of-pci-data-security-standard-pci-dss

But since Shopify has the API for this for use, it may not be required. 

0 Likes