In today’s rapidly evolving digital world, keeping up with the latest compliance regulations is challenging and confusing. The Payment Card Industry Data Security Standard (PCI DSS) Version 4 introduces a new set of anti-skimming requirements that protect buyers from payment data fraud. It’s an important and necessary step, but also one that introduces a new and complex compliance hurdle for many merchants.
The good news is that Shopify makes it easy for merchants to adhere to these regulations, enabling them to focus on expanding and scaling their businesses. Merchants who have upgraded to Checkout Extensibility can rest assured that Shopify’s architecture makes PCI DSS v4 compliance simple and easy.
The ever-growing maze of regulations
Regulations continue to expand, covering everything from privacy and data access to web accessibility and marketing transparency. The upcoming PCI DSS v4 changes, which come into effect on March 31, 2025, introduce new security standards to combat digital skimming, which occurs when attackers steal credit card information from customers during checkout. This attack is carried out through malicious code within a checkout that can steal payment data, for example by adding a transparent layer that captures all of the payment information being entered by customers, without their knowledge.
Global cyberattacks involving digital skimming have been steadily increasing in recent years and compromise sensitive customer data. In 2019, the digital skimming attack known as Magecart was actively operating on 3,126 online stores. This attack followed two other attacks that same year targeting college campus and hotel ecommerce platforms.
There are many important updates in the upcoming PCI DSS v4, but merchants should pay close attention to section 6.4.3. This section gives clear guidelines for protecting against digital skimming by managing scripts that are loaded and executed during payment transactions.
To mitigate risk and adhere to new privacy standards, merchants must take inventory, authorize, and verify the integrity of all first- and third-party scripts that execute within checkout. This includes identity verifications, digital wallets, marketing opt-ins, and more. Yet most merchants have limited visibility into these details, making it difficult to abide by these new regulations.
If a merchant doesn’t use Shopify, they would need to use client-side protection platforms and security guard tools to manage and authorize their scripts, ensuring that only approved scripts are loaded and executed. These tools alone can cost hundreds of dollars a month or more and require significant time and training to manage. Often, these tools also have a meaningful performance impact, since they need to be loaded before any other content on the page and must intercept the browser-level work of loading and executing JavaScript.
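The three duties section 6.4.3 places on a merchant (inventory every payment-page script, authorize it with a justification, and verify its integrity) can be checked mechanically. The following is an added illustration, not Shopify code or any vendor's product: it parses a constructed checkout page, compares each external script against a constructed inventory, recomputes the Subresource Integrity hash of what each URL currently serves, and reports anything unauthorized, changed since approval, or left unpinned. The URLs, script bodies and inventory entries are all made up for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri_hash(body: bytes) -> str:
    """Subresource Integrity value (sha384, base64) of a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

# Constructed sample: the body each script URL serves today when fetched.
SCRIPT_BODIES = {
    "https://pay.example.test/wallet.js": b"window.wallet = {};",
    "https://pay.example.test/idv.js": b"window.idv = {}; /* changed since approval */",
    "https://mkt.example.test/optin.js": b"document.cookie = 'optin=1';",
}

# Constructed inventory in the shape 6.4.3 asks for: script, justification, approved SRI value.
INVENTORY = {
    "https://pay.example.test/wallet.js": ("digital wallet button", sri_hash(b"window.wallet = {};")),
    "https://pay.example.test/idv.js": ("identity verification", sri_hash(b"window.idv = {};")),
}

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # (src, integrity attribute or None) for every external <script>
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def audit_checkout(html, inventory=INVENTORY, fetch=SCRIPT_BODIES.get):
    """Return (src, finding) for every script that fails the inventory or integrity checks."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, declared in collector.scripts:
        if src not in inventory:
            findings.append((src, "unauthorized"))       # never approved, should not load
            continue
        approved, body = inventory[src][1], fetch(src)
        if body is None or sri_hash(body) != approved:
            findings.append((src, "integrity mismatch"))  # served code is not the reviewed code
        elif declared != approved:
            findings.append((src, "missing integrity attribute"))  # browser cannot enforce pin
    return findings

# Constructed checkout page: both inventoried scripts are pinned (idv.js has changed upstream);
# optin.js was injected and is not in the inventory at all.
SAMPLE_HTML = "".join(
    f'<script src="{u}" integrity="{INVENTORY[u][1]}"></script>' for u in INVENTORY
) + '<script src="https://mkt.example.test/optin.js"></script>'
```

Running `audit_checkout(SAMPLE_HTML)` flags idv.js as an integrity mismatch and optin.js as unauthorized, while the unchanged, pinned wallet.js passes silently.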
Hassle-free compliance with Checkout Extensibility
Shopify’s best-converting checkout is designed to be resilient against security threats with an airtight architecture. It is a managed and secure runtime engineered to help you handle compliance and ensure all aspects of data protection are in line with the latest standards.
Shopify’s architecture ensures that only approved, trusted code runs during the checkout process, with all third-party scripts being securely isolated, or “sandboxed.” This prevents any unauthorized script from running, thereby protecting against data theft or other harmful activities that could compromise sensitive information.
Find out how Shopify powers a high-performance, PCI DSS v4 compliant checkout with sandboxing from Distinguished Engineer Ilya Grigorik.
For merchants on Checkout Extensibility, the upgrade to PCI DSS v4 will be seamless in checkout, with no additional work required. The platform will manage these new security standards, allowing merchants to focus on growing their business without worrying about compliance and data security issues. This proactive approach from Shopify provides merchants peace of mind, knowing that their checkout is reliable and protected.
Upgrade to Checkout Extensibility
It's crucial to protect your online store from emerging threats by upgrading to Checkout Extensibility, a new foundation for checkout that is more secure, performant, upgrade-safe, and customized using apps. Upgrading can help ensure that your checkout is PCI DSS v4 compliant.
Important dates are approaching that may require your attention:
- August 13, 2024: Checkout.liquid customizations for the Information, Shipping, and Payments pages of checkout will be unsupported and uneditable. Learn more about the impacts of missing this deadline on August 13, 2024.
- March 31, 2025: All future-dated requirements in the PCI DSS v4.0 are mandatory.
- August 28, 2025: Checkout.liquid customizations and apps using script tags and additional scripts for the Thank you and Order status pages will be turned off. Shopify Scripts will continue to work alongside Checkout Extensibility, including Shopify Functions, until this date.
To start your upgrade process and ensure a smooth transition, visit our Checkout Extensibility Hub.