Hi everyone,
Our customer’s are on the mobile app that we’re developing.
We want to add customer’s payment method to their vault, for which we’re using the following API, https://shopify.dev/api/admin/rest/reference/sales-channels/payment#create_payment_session-2021-07
Can anyone please confirm if there is any need to have any kind of compliance if we’re going to use this API?
Thank you
I have never used it but looking at the definition and knowing what I know about PCI compliance, I would say no as the card number you receive is masked.
But I am no expert in this domain.
Thanks @Bunty for the reply.
Actually this API is to add a customer’s credit card to vault is this, https://shopify.dev/api/admin/rest/reference/sales-channels/payment#create_payment_session-2021-07
It requires you to send the actual card details in the Shopify API request.
Right, sorry I misread. So that stores the credit card information in Shopify vault (Shopify is PCI-compliant). The card details is secured by SSL in transit to Shopify and I assume you will not store it on your servers, you will just use the session Id (tokenisation of sorts) to process payment. Still looks like you will comply.
Thanks @Bunty
That is what I thought. But as per some references online, PCI compliance is required even if we’re transmitting the card details. For example, https://stripe.com/in/guides/pci-compliance#overview-of-pci-data-security-standard-pci-dss
But since Shopify has the API for this for use, it may not be required.