In today’s rapidly evolving digital world, keeping up with the latest compliance regulations is challenging and confusing. The Payment Card Industry Data Security Standard (PCI DSS) Version 4 introduces a new set of anti-skimming requirements that protect buyers from payment data fraud. It’s an important and necessary step, but also one that introduces a new and complex compliance hurdle for many merchants.
The good news is that Shopify makes it easy for merchants to adhere to these requirements, enabling them to focus on expanding and scaling their businesses. Merchants can rest assured that Shopify’s architecture makes PCI DSS v4 compliance simple and easy.
The ever-growing maze of regulations
Regulations continue to expand, covering everything from privacy and data access to web accessibility and marketing transparency. The PCI DSS v4 changes that become mandatory on March 31, 2025 introduce new requirements to combat digital skimming, in which attackers steal payment card data from customers during checkout. The attack is carried out by malicious JavaScript running in the checkout page, often injected through a compromised or unvetted third-party script, which intercepts what the customer types or replaces the secure card-entry fields with look-alike fields that send the data to the attacker.
Digital skimming attacks have been steadily increasing in recent years and compromise sensitive customer data. In 2019, one Magecart digital skimming campaign was found active on 3,126 online stores, following two other campaigns that same year targeting college campus and hotel ecommerce platforms.
There are many important updates in PCI DSS v4, but merchants should pay close attention to requirement 6.4.3, which targets digital skimming by requiring that every script loaded and executed in the customer's browser on a payment page (any page where cardholder data can be entered) be managed: each script must be authorized, its integrity assured, and an inventory with a written business or technical justification maintained. A companion requirement, 11.6.1, requires a change- and tamper-detection mechanism for the HTTP headers and content of payment pages as received by the browser.
To satisfy these requirements, merchants must keep an up-to-date inventory of every script on their payment pages with a justification for each, have a method to confirm that each script is authorized, verify script integrity (for example with Subresource Integrity hashes), and have reporting and enforcement in place (for example a Content Security Policy with violation reporting) to detect scripts that are not on the list. Such scripts can include identity verification, digital wallets, marketing opt-ins, tag managers, and more. Yet most merchants have limited visibility into which scripts actually run in their checkout, making it difficult to abide by the new requirements.
A merchant who doesn't use Shopify would need client-side protection platforms or script-management tools to inventory and authorize their scripts, ensuring that only approved scripts are loaded and executed. These tools alone can cost hundreds of dollars a month or more and require significant time and training to manage. They often also carry a meaningful performance cost, since they must load before any other content on the page and intercept the browser's own loading and execution of JavaScript.
Hassle-free compliance with Shopify’s Checkout
Shopify's best-converting checkout is designed to be resilient against these threats. It is a managed, secure runtime engineered to handle compliance requirements for you and to keep cardholder data protection in line with the latest standards.
Shopify's architecture helps ensure that only approved, trusted code runs during the checkout process, with all third-party scripts securely isolated, or "sandboxed," from the payment fields. This prevents unauthorized scripts from running in the payment page context, which is exactly the behaviour requirement 6.4.3 targets, and protects against data theft or other harmful activity that could compromise sensitive information.
Find out how Shopify powers a high-performance, PCI DSS v4 compliant checkout with sandboxing from Distinguished Engineer, Ilya Grigorik.
For Shopify merchants, PCI DSS v4 requirements will be integrated seamlessly in checkout, with no additional work required. The platform will manage these new security standards, allowing merchants to focus on growing their business without worrying about compliance and data security issues. This proactive approach from Shopify provides merchants peace of mind, knowing that their checkout is reliable and protected.
Shopify Extensions: Unlocking customization without compromise
Despite rigid security requirements, Plus merchants can still create unique checkout experiences, and integrate necessary reporting and analytics, with Shopify Extensions throughout the entire purchasing journey. While traditional customization tools often introduce security vulnerabilities and performance issues, Shopify’s approach maintains:
Enterprise-grade security: With Shopify Extensions, all checkout customizations operate within a secure sandbox environment, ensuring PCI DSS Version 4 compliance remains uncompromised.
Lightning-fast performance: Shopify's checkout is optimized for speed, enabling up to 40,000 checkouts per shop, per minute.
Future-proof infrastructure: Shopify Checkout is a managed and secure runtime engineered to help you handle compliance and ensure cardholder data is protected.
Upgrade-safe: Shopify’s architecture is adaptable, resilient and upgrade-safe—gain instant access to new features and never perform an upgrade again.
As global regulations evolve, merchants can rely on Shopify’s architecture to make compliance simple and easy.
FAQs on PCI DSS V4
When does PCI DSS Version 4.0.1 go into effect?
PCI DSS v4.0 has been the only active version since March 31, 2024, when v3.2.1 was retired; v4.0.1 is a limited revision published in June 2024. The requirements that were future-dated as best practice, including the anti-skimming requirements 6.4.3 and 11.6.1, become mandatory on March 31, 2025.
Do Shopify merchants need to implement additional security measures to Shopify’s checkout to be compliant with PCI DSS Version 4?
No. Shopify's checkout infrastructure meets the PCI DSS Version 4 requirements for the checkout itself, with no additional merchant work required. Merchants remain responsible for their own obligations under the standard, such as completing the applicable Self-Assessment Questionnaire and keeping any systems outside Shopify that handle cardholder data compliant.
Can merchants still customize their checkout while maintaining compliance with PCI DSS Version 4?
Yes, Shopify Extensions in Checkout allow for customization while maintaining full compliance with PCI DSS Version 4.
What are the costs associated with achieving PCI DSS Version 4 compliance on Shopify?
There are no additional costs for PCI DSS Version 4 compliance on Shopify as it's built into the platform's infrastructure.