Viewing Shopify's compliance reports
To view all reports generated after assessing Shopify's compliance with information security standards, go to the Compliance Reports page in the Help Center. Learn more about security at Shopify here.
This page provides an overview of Shopify's reports.
PCI reports
The Payment Card Industry Data Security Standard (PCI DSS) is a security standard for organizations that store, process, or transmit credit card information. The standard was created to increase controls around payment data to reduce fraud. PCI reports provide an organization's assesment against the PCI DSS Requirements laid out by the PCI Security Standards Council.
| Report name | Description |
|---|---|
| PCI Attestation of Compliance (AoC) | The AOC is a form for Shopify to attest to the results of its annual PCI DSS compliance assessment, as documented in the Report on Compliance. Shopify will reissue this form after each annual PCI DSS compliance assessment. You'll need to log on to your Shopify account to view this report. |
| PCI External ASV Vulnerability Scan Attestation of Scan Compliance (AoSC) | This is Shopify’s quarterly attestation of Approved Scanning Vendor (ASV) scan compliance. A new attestation is posted quarterly. |
SOC reports
Service Organization Control (SOC) reports assess an organization’s controls in relation to privacy, processing integrity, security, availability, and confidentiality. SOC reports are created to meet the Trust Services Criteria (TSC) determined by the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA).
| Report name | Description |
|---|---|
| SOC 3 |
The SOC 3 report contains Shopify's security and availability safeguards along with an external audit opinion of these safeguards. This report can be freely shared. |
| SOC 2 Type 2 | The SOC 2 Type 2 report contains Shopify's security and availability safeguards along with an external audit opinion of these safeguards. |
| SOC 2 bridge letter | This letter is made available by Shopify to bridge the gap between the reporting period of the end date of the SOC 2 report to when the bridge letter is issued. |
| SOC 1 Type 2 | The SOC 1 Type 2 report contains Shopify's safeguards related to merchant financial reporting along with an external audit opinion of these safeguards. |
View PCI and SOC reports here.