To use CustomerCreditCard API, do we need to have any compliance?

ravisingh
New Member
6 0 0

Hi everyone,

Our customer's are on the mobile app that we're developing.

We want to add customer's payment method to their vault, for which we're using the following API, https://shopify.dev/api/admin/rest/reference/sales-channels/payment#create_payment_session-2021-07

Can anyone please confirm if there is any need to have any kind of compliance if we're going to use this API?

Thank you

Replies 4 (4)
Bunty
Shopify Partner
133 39 80

I have never used it but looking at the definition and knowing what I know about PCI compliance, I would say no as the card number you receive is masked.

But I am no expert in this domain.

ravisingh
New Member
6 0 0

Thanks @Bunty for the reply.

Actually this API is to add a customer's credit card to vault is this, https://shopify.dev/api/admin/rest/reference/sales-channels/payment#create_payment_session-2021-07

It requires you to send the actual card details in the Shopify API request.

Bunty
Shopify Partner
133 39 80

Right, sorry I misread. So that stores the credit card information in Shopify vault (Shopify is PCI-compliant). The card details is secured by SSL in transit to Shopify and I assume you will not store it on your servers, you will just use the session Id (tokenisation of sorts) to process payment. Still looks like you will comply.

ravisingh
New Member
6 0 0

Thanks @Bunty 

That is what I thought. But as per some references online, PCI compliance is required even if we're transmitting the card details. For example, https://stripe.com/in/guides/pci-compliance#overview-of-pci-data-security-standard-pci-dss

But since Shopify has the API for this for use, it may not be required.