To use CustomerCreditCard API, do we need to have any compliance?

ravisingh
New Member

Hi everyone,

Our customers are on the mobile app that we're developing.

We want to add a customer's payment method to their vault, for which we're using the following API: https://shopify.dev/api/admin/rest/reference/sales-channels/payment#create_payment_session-2021-07

Can anyone please confirm whether we need any kind of compliance if we're going to use this API?

Thank you

0 Likes
Bunty
Pathfinder

I have never used it, but looking at the definition and knowing what I know about PCI compliance, I would say no, as the card number you receive is masked.

But I am no expert in this domain.

0 Likes
ravisingh
New Member

Thanks @Bunty for the reply.

Actually, the API to add a customer's credit card to the vault is this: https://shopify.dev/api/admin/rest/reference/sales-channels/payment#create_payment_session-2021-07

It requires you to send the actual card details in the Shopify API request.

0 Likes
Bunty
Pathfinder

Right, sorry, I misread. So that stores the credit card information in the Shopify vault (Shopify is PCI-compliant). The card details are secured by SSL in transit to Shopify, and I assume you will not store them on your servers; you will just use the session ID (tokenisation of sorts) to process the payment. Still looks like you will comply.

0 Likes
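The flow described in the reply above, as an added example that is not part of this thread and is not Shopify's own code: the app builds the vault request, sends the card straight to Shopify's vault, keeps only the returned session ID, and makes sure the card number and CVV never reach its own logs or database. The vault URL and the request/response shape are assumptions taken from the linked Shopify docs as I recall them; verify them against the docs before use. The HTTPS call is replaced by a constructed fake transport so the example runs offline.

```python
import json
from typing import Callable, Dict, Optional

# Assumed from Shopify's documented create-payment-session call; verify against the docs.
VAULT_URL = "https://elb.deposit.shopifycs.com/sessions"

# Fields the vault request body carries (assumed from the docs).
CARD_FIELDS = ("number", "first_name", "last_name", "month", "year", "verification_value")

# Constructed sample card: a well-known test number, not a real customer's card.
SAMPLE_CARD = {
    "number": "4242424242424242",
    "first_name": "Ada",
    "last_name": "Lovelace",
    "month": "12",
    "year": "2030",
    "verification_value": "987",
}


def build_vault_request(card: Dict[str, str]) -> Dict:
    """Build the JSON body for the vault. The card dict is used once and never persisted."""
    missing = [k for k in CARD_FIELDS if not card.get(k)]
    if missing:
        raise ValueError(f"missing card fields: {missing}")
    return {"credit_card": {k: str(card[k]) for k in CARD_FIELDS}}


def redact_for_log(payload: Dict) -> Dict:
    """Copy of the payload safe to log: first six / last four of the PAN, CVV fully masked."""
    cc = dict(payload["credit_card"])
    number = cc["number"]
    cc["number"] = number[:6] + "*" * (len(number) - 10) + number[-4:]
    cc["verification_value"] = "***"
    return {"credit_card": cc}


class FakeVaultTransport:
    """Constructed stand-in for the HTTPS POST so the example runs offline.
    It records what would have been sent and answers in the documented {"id": ...} shape."""

    def __init__(self, session_id: str = "sess_constructed_abc"):
        self.session_id = session_id
        self.last_url: Optional[str] = None
        self.last_body: Optional[Dict] = None

    def __call__(self, url: str, body: bytes) -> bytes:
        self.last_url = url
        self.last_body = json.loads(body)
        return json.dumps({"id": self.session_id}).encode()


def vault_card(card: Dict[str, str], transport: Callable[[str, bytes], bytes],
               log: Callable[[str], None] = print) -> str:
    """Send the card to the vault and return only the session ID.
    The full card data goes to Shopify (it must); only the redacted copy is logged."""
    payload = build_vault_request(card)
    log(f"POST {VAULT_URL} {json.dumps(redact_for_log(payload))}")
    raw = transport(VAULT_URL, json.dumps(payload).encode())
    session_id = json.loads(raw).get("id")
    if not isinstance(session_id, str) or not session_id:
        raise RuntimeError("vault did not return a session id")
    return session_id


def customer_payment_record(customer_id: str, session_id: str) -> Dict[str, str]:
    """The only thing your own backend stores: a reference, never the card."""
    return {"customer_id": customer_id, "payment_session_id": session_id}


def demo() -> Dict:
    """Run the flow against the fake vault and return what was sent, logged and stored."""
    transport = FakeVaultTransport()
    logged = []
    session_id = vault_card(SAMPLE_CARD, transport, logged.append)
    record = customer_payment_record("cust_constructed_1", session_id)
    return {
        "session_id": session_id,
        "sent_number": transport.last_body["credit_card"]["number"],
        "log_line": logged[0],
        "record": record,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is scope reduction: the card is handled in memory only long enough to build one request, the log line is built from the redacted copy, and the record that is written anywhere durable holds the session ID alone. Which PCI self-assessment questionnaire still applies to an app that transmits card data is a question for a QSA, not something this code settles.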
ravisingh
New Member

Thanks @Bunty

That is what I thought. But as per some references online, PCI compliance is required even if we're only transmitting the card details. For example, https://stripe.com/in/guides/pci-compliance#overview-of-pci-data-security-standard-pci-dss

But since Shopify provides this API for use, it may not be required.

0 Likes