Viewing Shopify's compliance reports

To view all reports generated after assessing Shopify's compliance with information security standards, go to the Compliance Reports page in the Help Center. Learn more about security at Shopify here.

This page provides an overview of Shopify's eligible reports.

PCI reports

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for organizations that store, process, or transmit credit card information. The standard was created to increase controls around payment data to reduce fraud. PCI reports provide an organization's assessment against the PCI DSS requirements laid out by the PCI Security Standards Council.

PCI reports

| Report name | Description |
| --- | --- |
| PCI Attestation of Compliance (AoC) | The AoC is a form for Shopify to attest to the results of its annual PCI DSS compliance assessment, as documented in the Report on Compliance. Shopify will reissue this form after each annual PCI DSS compliance assessment. You'll need to log on to your Shopify account to view this report. |
| PCI External ASV Vulnerability Scan Attestation of Scan Compliance (AoSC) | This is Shopify’s quarterly attestation of Approved Scanning Vendor (ASV) scan compliance. A new attestation is posted quarterly. |

SOC reports

Service Organization Control (SOC) reports assess an organization’s controls in relation to privacy, processing integrity, security, availability, and confidentiality. SOC reports are created to meet the Trust Services Criteria (TSC) determined by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA).

SOC reports

| Report name | Description |
| --- | --- |
| SOC 3 | The SOC 3 report contains Shopify's security and availability safeguards along with an external audit opinion of these safeguards. This report can be freely shared. |
| SOC 2, Type II | The SOC 2, Type II report contains Shopify's security and availability safeguards along with an external audit opinion of these safeguards. |
| SOC 2 bridge letter | This letter is made available by Shopify to bridge the gap between the end date of the SOC 2 report's reporting period and the date the bridge letter is issued. |

View PCI and SOC reports here.
