Viewing Shopify's compliance reports

To view all reports generated after assessing Shopify's compliance with information security standards, go to the Compliance Reports page in the Help Center. Learn more about security at Shopify.

This page provides an overview of Shopify's reports.

Payment Card Industry (PCI) reports

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for organizations that store, process, or transmit credit card information. The standard was created to increase controls around payment data to reduce fraud. PCI reports provide an organization's assessment against the PCI DSS Requirements laid out by the PCI Security Standards Council.

PCI reports
| Report name | Description |
| --- | --- |
| PCI Attestation of Compliance (AoC) | The AoC is a form for Shopify to attest to the results of its annual PCI DSS compliance assessment, as documented in the Report on Compliance. Shopify reissues this form after each annual PCI DSS compliance assessment. You'll need to log on to your Shopify account to view this report. |
| PCI External ASV Vulnerability Scan Attestation of Scan Compliance (AoSC) | This is Shopify’s quarterly attestation of Approved Scanning Vendor (ASV) scan compliance. A new attestation is posted quarterly. |

Service Organization Control (SOC) reports

Service Organization Control (SOC) reports assess an organization’s controls in relation to privacy, processing integrity, security, availability, and confidentiality. SOC reports are created to meet the Trust Services Criteria (TSC) determined by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA).

SOC reports
| Report name | Description |
| --- | --- |
| SOC 3 | The SOC 3 report contains Shopify's security and availability safeguards along with an external audit opinion of these safeguards. This report can be freely shared. |
| SOC 2 Type 2 | The SOC 2 Type 2 report contains Shopify's security and availability safeguards along with an external audit opinion of these safeguards. |
| SOC 2 bridge letter | Shopify makes this letter available to bridge the gap between the end date of the SOC 2 report's reporting period and the date the bridge letter is issued. |
| SOC 1 Type 2 | The SOC 1 Type 2 report contains Shopify's safeguards related to merchant financial reporting along with an external audit opinion of these safeguards. |

Learn more about PCI and SOC reports.
