02 July, 2026

PCI DSS and Shopify: What Australian Merchants Actually Need to Know

A Melbourne electronics retailer rang us in a mild panic last winter. Their bank had sent a letter about PCI DSS compliance and asked them to complete a self assessment questionnaire. The owner had assumed Shopify took care of all that, and the letter felt like a trap. After half an hour of looking at his setup, the answer was reassuring: Shopify did handle the vast majority of his obligations, the right questionnaire for him was the shortest one available, and the form he needed to complete was about a page of yes and no answers. He had spent two weeks worrying about a problem that did not exist for his configuration. But the conversation also surfaced a real gap: a third party app he had installed was quietly broadening his PCI scope without him realising.

PCI DSS gets discussed a lot and understood rarely. This article explains what Australian Shopify merchants actually need to know, what Shopify takes care of for you, and the specific decisions that change your compliance obligations.

What PCI DSS is, in one paragraph

The Payment Card Industry Data Security Standard is a set of requirements set by the major card brands (Visa, Mastercard, American Express, Discover and JCB) that apply to anyone who stores, processes or transmits cardholder data. It covers network security, access control, monitoring, vulnerability management and a few dozen other areas. Failure to comply can lead to fines, higher processing fees, or losing the right to accept cards. In practice, the obligations scale with how much card data you touch.

What Shopify takes care of for you

Shopify itself is certified as a PCI DSS Level 1 service provider, which is the highest tier and the same level used by major payment processors. That certification covers the Shopify platform, the checkout, the storage of card data, and the transmission of that data to acquirers. For Australian merchants using the standard hosted Shopify checkout (which is the default and what almost everyone uses), the cardholder data never touches your servers, your theme code or your apps. Shopify receives it, tokenises it, and passes it through to your payment processor.

That is a big deal. It means your store falls into the simplest PCI category available, called SAQ A, which is a short self assessment questionnaire focused on a handful of administrative controls.

SAQ A versus SAQ A-EP

There are several Self Assessment Questionnaires under PCI DSS, but two are relevant to Shopify merchants.

  • SAQ A: applies when you fully outsource all cardholder data handling, including the page on which the cardholder enters their details. Standard Shopify checkout falls here. Your obligations are around vendor due diligence, account management, and protecting against site compromise (because if your site is compromised, an attacker could in theory redirect customers to a fake checkout).
  • SAQ A-EP: applies when your site directly affects the security of the payment page, typically because the checkout is technically hosted by Shopify but the form is embedded in your site, or because you control elements like the JavaScript that runs on the checkout page. This is a much longer questionnaire with more onerous controls.

For most Australian Shopify stores, you stay in SAQ A. The configurations that push you into SAQ A-EP are specific and usually intentional.

What pushes you into a bigger PCI scope

The Melbourne retailer’s app issue was a good example. He had installed a third party checkout extension that injected scripts into the order confirmation flow. The extension itself did not handle card data, but it ran in a context where card data was nearby, and that changed his answers to several SAQ questions. We worked with him to swap it for a different solution that ran outside the checkout flow.

The configurations that commonly broaden PCI scope on Shopify:

  • Custom checkouts built on Shopify Plus where you control the checkout HTML and JavaScript.
  • Apps that inject scripts into the checkout or order status pages, including pixel tracking and personalisation tools.
  • Headless storefronts where you build your own checkout flow on top of Shopify’s Storefront API.
  • Subscription apps that handle card details outside Shopify’s standard flow.
  • POS integrations that move card data through systems you operate.

None of these are inherently bad, but they change your compliance profile. Before you sign up for one, ask the vendor explicitly: does this app or service change my PCI scope?

Practical PCI obligations for an Australian Shopify merchant

Assuming standard hosted checkout, your real to-do list is short.

  • Complete the SAQ A questionnaire once a year. Your acquiring bank will usually point you at a portal or provider that hosts it.
  • Use strong access controls on your Shopify admin (2FA, least privilege, audit logs). This is also a security best practice.
  • Vet third party apps and document the ones that touch order or customer data.
  • Patch your theme and any custom code. Shopify patches the platform.
  • Have an incident response plan and know who to call if a compromise is suspected.

None of this requires a dedicated compliance team. It requires a couple of hours a year and a calendar reminder.

Where PCI overlaps with the Australian Privacy Principles

Australian merchants have a second layer of obligation that PCI does not cover: the Australian Privacy Principles under the Privacy Act 1988. The Privacy Act applies if you have an annual turnover above $3 million, or if you are in certain categories regardless of turnover (health, credit reporting, contracted service providers for the Commonwealth, and so on). It also applies in spirit to most reputable businesses regardless of size.

Where PCI is about card data, the APPs are about all personal information: names, addresses, email, phone, purchase history. Many of the controls overlap. Strong access controls, limited data retention, incident response and vendor due diligence all serve both standards. The notable extra is the Notifiable Data Breaches scheme, which requires you to notify the Office of the Australian Information Commissioner and affected individuals if a breach is likely to cause serious harm.

The practical impact: build your security program around both at once, and you will cover both with the same work. We dig into the privacy side in more detail in our companion piece on Shopify privacy compliance.

Common myths we hear

  • “Shopify handles everything, I do not need to do anything.” Mostly true, but you still owe a yearly SAQ A and you still need access controls.
  • “PCI does not apply in Australia.” It does. The card brands enforce PCI globally, and your Australian acquiring bank will hold you to it.
  • “If I take payments through PayPal, I do not need PCI.” PayPal as the only payment method on a redirect flow reduces your scope, but Shopify Payments and other methods on the same store still attract obligations.
  • “PCI is optional.” It is contractually required by your acquiring bank. Non-compliance can lead to fees, higher rates, or termination.

A 60-minute action plan

  • Confirm with your acquiring bank which SAQ applies to you, and complete it.
  • List every app installed on your store. Note which ones touch checkout, order confirmation, or customer data.
  • For any app that broadens your PCI scope, evaluate whether it is essential.
  • Document your access controls in a one page summary. Update it whenever staff change.
  • Add a calendar reminder to renew your SAQ next year.
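The two steps above that take real effort are listing every installed app and noting which ones run scripts near the checkout, which is also the situation described in the "What pushes you into a bigger PCI scope" section. The script below is an added example, not Defyn's or Shopify's own code. It assumes the shape of the Shopify Admin REST API ScriptTag resource (an array of objects with `id`, `src`, `event` and `display_scope`, where `display_scope` is one of `online_store`, `order_status` or `all`), and it works offline on a constructed sample payload rather than a live API call. Scripts with a scope of `order_status` or `all` are the ones that run on the order confirmation page; any such host that is missing from your documented app register is the vendor to ask "does this change my PCI scope?". Apps that reach the checkout through other mechanisms are outside what this inventory can see.

```python
"""Inventory Shopify script tags and flag the ones that run on the order
status page, then compare them against the merchant's documented vendors.

Added example (not Defyn's or Shopify's code). Assumes the ScriptTag JSON
shape described in the lead-in; all hosts and ids below are constructed.
"""
import json
from urllib.parse import urlparse

# Constructed sample: shaped like the `script_tags` array returned by the
# Shopify Admin REST API ScriptTag endpoint. Hosts use the reserved .test TLD.
SAMPLE_RESPONSE = json.dumps({
    "script_tags": [
        {"id": 1001, "src": "https://cdn.example-pixel.test/track.js",
         "event": "onload", "display_scope": "all"},
        {"id": 1002, "src": "https://cdn.example-reviews.test/widget.js",
         "event": "onload", "display_scope": "online_store"},
        {"id": 1003, "src": "https://cdn.example-upsell.test/confirm.js",
         "event": "onload", "display_scope": "order_status"},
        {"id": 1004, "src": "https://cdn.example-chat.test/launcher.js",
         "event": "onload", "display_scope": "all"},
    ]
})

# Constructed sample: the merchant's one-page app register, listing the script
# hosts of vendors that have already been vetted and documented.
DOCUMENTED_VENDOR_HOSTS = {
    "cdn.example-pixel.test",
    "cdn.example-reviews.test",
}

# display_scope values that place a script on the order status page
SCOPES_NEAR_CHECKOUT = {"order_status", "all"}


def classify_script_tags(response_json: str) -> list:
    """Parse a ScriptTag response and mark each tag that runs on the order
    status page, i.e. inside the flow the SAQ questions ask about."""
    tags = json.loads(response_json).get("script_tags", [])
    rows = []
    for tag in tags:
        host = urlparse(tag.get("src", "")).hostname or "(invalid src)"
        scope = tag.get("display_scope", "online_store")
        rows.append({
            "id": tag.get("id"),
            "host": host,
            "display_scope": scope,
            "near_checkout": scope in SCOPES_NEAR_CHECKOUT,
        })
    return rows


def near_checkout_hosts(response_json: str) -> list:
    """Sorted, de-duplicated hosts whose scripts run on the order status page."""
    return sorted({row["host"] for row in classify_script_tags(response_json)
                   if row["near_checkout"]})


def undocumented_near_checkout(response_json: str, documented: set) -> list:
    """Hosts near the checkout that are absent from the app register: these
    are the vendors to chase about PCI scope before the next SAQ."""
    return [host for host in near_checkout_hosts(response_json)
            if host not in documented]


def report(response_json: str, documented: set) -> str:
    """Human-readable summary suitable for pasting into the one-page register."""
    lines = ["script tags running on the order status page:"]
    for row in classify_script_tags(response_json):
        if row["near_checkout"]:
            status = "documented" if row["host"] in documented else "UNDOCUMENTED"
            lines.append(f"  #{row['id']} {row['host']} "
                         f"({row['display_scope']}) - {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_RESPONSE, DOCUMENTED_VENDOR_HOSTS))
```

On the sample data, the review widget stays out of the near-checkout list because it only loads on the online store, while the chat launcher and upsell script are flagged as undocumented. Run this once a year alongside the SAQ renewal and diff the output against the previous register; a new undocumented host is the signal that an app was installed without the scope question being asked.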

Where Defyn fits in

PCI compliance for a standard Shopify store is not complicated, but it is easy to get wrong if you do not know which questions to ask. Our team helps Australian merchants confirm their PCI scope, audit their app footprint, and document the controls that satisfy both PCI DSS and the Australian Privacy Principles. We pair this with broader work like Shopify app audits and edge security through Cloudflare. Take a look at our services page or start a project to scope a compliance and security review. Our audit and support retainer keeps your compliance posture current as your store evolves.
