“Shopify is PCI compliant, so I’m covered, right?” is the most common PCI question online merchants ask. The honest answer is: partly. Shopify’s certification genuinely covers a large slice of the work. It just doesn’t cover your slice, and your bank only ever asks you about your slice.
What Shopify’s PCI certification actually covers
Shopify is unusually clear about its side. Its security page at shopify.com/security/pci-compliant states that Shopify is certified Level 1 PCI DSS compliant, that its compliance covers all six PCI goal areas (maintaining a secure network, protecting cardholder data, running a vulnerability management program, strong access control, regular monitoring and testing, and an information security policy), and that the certification extends by default to every store powered by Shopify.
There’s real proof behind that, and you can get it. Shopify’s Help Center page on compliance reports describes a PCI Attestation of Compliance that attests the results of Shopify’s annual PCI DSS assessment, as documented in its Report on Compliance, and is reissued after each annual assessment. Shopify also publishes a quarterly external ASV vulnerability scan attestation. You need to be signed in to a Shopify account to view the reports. When your acquiring bank or an enterprise customer asks for evidence that your platform is a validated provider, that document set is the answer.
So the platform slice is covered and documented: the infrastructure your storefront runs on, and the cardholder data Shopify handles on its systems. That matters more than it might sound, because outsourcing to validated providers is precisely what makes the shortest merchant questionnaires possible.
What “PCI compliant by default” doesn’t settle
PCI DSS applies to the business accepting the cards. That’s you. Your acquiring bank or the card brands assign your validation level from your annual card volume, and most small and mid-size merchants validate by completing an SAQ and signing an Attestation of Compliance for their own business. Shopify’s certification is a major input to that questionnaire. It is not the questionnaire.
Think of it as two attestations. Shopify signs one about Shopify’s systems. You sign one about your business: how you accept cards across every channel, what your staff can access, what happens to card numbers that arrive by phone or email, and whether anything you control ever stores them. No platform can sign that second document for you, because no platform can see your whole business.
If no one has asked you for an SAQ yet, that doesn’t mean nothing is owed. Validation requirements come from your acquirer and the card brands, and they can ask at any point. Knowing your answer before the question arrives is cheap. Reconstructing it under a deadline is not.
Find your SAQ free, in about 2 minutes.
Answer a few questions about how you accept cards and the free check computes your likely SAQ type on screen. No email to see it, no card, nothing to install.
How a Shopify setup commonly maps to an SAQ
Your SAQ follows how card data flows through systems you control, under eligibility rules the PCI Security Standards Council defines. Here’s how the common Shopify-merchant situations tend to line up. Every one of these is a starting point to confirm, not a verdict.
- Online-only, fully hosted checkout. If all cardholder-data functions are outsourced to PCI DSS validated third parties and your own systems never store, process, or transmit card data, that’s the exact pattern SAQ A was written for. This is why platform certification matters: SAQ A eligibility depends on your providers being validated.
- A card form on pages you control. If any part of your stack collects card details in a form on your own pages that sends the data straight to a processor, you’re at the boundary SAQ A-EP covers: your site can affect the security of the transaction even though it never receives card data itself.
- Selling in person too. Card-present hardware puts you in a different questionnaire family: standalone dial-out terminals point to SAQ B, standalone PTS-approved terminals on an IP connection to SAQ B-IP, and a PCI SSC-listed point-to-point encryption solution to SAQ P2PE.
- Phone orders. Staff keying one transaction at a time into an isolated, third-party-hosted virtual terminal points to SAQ C-VT. An internet-connected payment application points to SAQ C instead.
- More than one channel. Your environment can span more than one SAQ’s territory. Your acquiring bank tells you how to validate the whole picture.
Notice what’s doing the work in every line: not the platform logo, but where card data can travel and stop. Which brings us to the rule that overrides everything else.
The storage override that catches good merchants
If any system you control stores cardholder data electronically, the reduced SAQs generally come off the table and SAQ D applies. Not because you did something wrong, but because stored card data pulls the full requirement set into scope.
For Shopify merchants this rarely happens inside the platform. It happens around it: a spreadsheet of phone orders someone keeps “just in case,” a call recording system that captures customers reading card numbers aloud, a shared inbox where a customer emailed a card photo, an old export sitting in a downloads folder. The checkout can be pristine while a side channel quietly rewrites your questionnaire. Before you claim a reduced SAQ, walk the side channels.
The slice you run day to day
Even with checkout fully outsourced, some of the work stays yours, and Shopify says as much: its own security page points merchants to a PCI compliance checklist for maintaining compliance on their side. In practice, the merchant slice is the part only you can see: who on your team can reach your store admin and customer data, which third-party services you’ve wired into your sales flow, every other place your business accepts cards, and the habits that keep card numbers from being written down or stored outside the payment flow.
Exactly which requirements you answer for depends on which SAQ you’re eligible to complete. That’s worth getting right before you start closing gaps, because closing the wrong list wastes real money. A shorter SAQ covers fewer requirements; the point is to confirm the shortest one you legitimately qualify for, then do that work well.
How to confirm your SAQ
Two parties can settle it: your acquiring bank, which assigns your validation level and confirms which questionnaire it will accept, and a Qualified Security Assessor, if you want a professional determination. Our free check is the fast first step before either conversation: it computes your likely SAQ from how you accept cards and shows the result on screen. It’s indicative, not a QSA assessment, and it exists so you walk into the bank conversation knowing the shape of your answer.
Confirm your SAQ, then close the gaps.
The free check names your likely SAQ on screen in about two minutes. When you’re ready to act on it, the $1,495 PCI DSS v4.0 Readiness & Gap Analysis confirms your SAQ with full rationale, marks every one of the 12 PCI DSS v4.0 requirements covered, partial, or gap, and hands you a prioritized 30/60/90 remediation roadmap. Intake-based, PDF in your inbox within hours, backed by a 7-day pre-delivery money-back guarantee, and the $1,495 credits toward a first month of an Aegis AI subscription at ai4ciso.ai.
Frequently asked questions
Is Shopify PCI compliant?
Yes. Shopify’s security page states the platform is certified Level 1 PCI DSS compliant, that the certification covers all six PCI goal areas, and that it extends by default to every store on the platform. That covers Shopify’s slice: the platform infrastructure your store runs on.
Do I still need my own PCI validation if I sell on Shopify?
Generally yes. PCI DSS applies to the business accepting the cards, and validation is assigned by your acquiring bank or the card brands based on your annual card volume. Shopify’s certification is strong evidence about your platform, but the SAQ and the signed Attestation of Compliance for your own business are still yours to complete when your bank asks.
Which SAQ do Shopify merchants usually complete?
There is no single answer. An online-only store that fully outsources all cardholder-data functions to PCI DSS validated providers, with card entry hosted off the merchant’s systems, commonly points to SAQ A. In-person sales, phone orders, or any electronic storage of card data change the picture, up to SAQ D. Your acquiring bank or a QSA confirms it, and our free check gives an indicative answer in about two minutes.
How do I get proof of Shopify’s PCI compliance?
Shopify publishes compliance reports through its Help Center. Its PCI Attestation of Compliance attests the results of Shopify’s annual PCI DSS assessment and is reissued after each one, alongside a quarterly external ASV vulnerability scan attestation. You need to be signed in to a Shopify account to view them.
Does storing card numbers anywhere change my SAQ?
Yes. If any system you control stores cardholder data electronically, a spreadsheet of phone orders, a call recording, an export with card numbers, the reduced SAQs generally come off the table and SAQ D applies, whatever platform you sell on.
Is the free check a QSA assessment?
No. It computes your likely SAQ type from how you accept cards and shows the result on screen, no email needed to see it. It’s indicative, not an assessment. SAQ eligibility is defined by the PCI Security Standards Council and confirmed with your acquiring bank or a Qualified Security Assessor.
Related guides
This guide is general information, not a QSA assessment, a completed SAQ, an Attestation of Compliance, or legal advice. Platform statements are paraphrased from Shopify’s public documentation (shopify.com/security/pci-compliant and the Shopify Help Center compliance reports page) as of July 2026; check the source for current wording. Confirm your SAQ and obligations with your acquiring bank or a Qualified Security Assessor.