Does using Shopify make you PCI compliant?
No. Shopify is a PCI DSS Level 1 service provider, and that certification covers Shopify's own infrastructure, not your storefront. PCI DSS 4.0.1 requirements 6.4.3 and 11.6.1 govern the scripts running on your checkout page in the consumer browser, and those stay your responsibility regardless of which payment platform handles the transaction.
This distinction matters most for merchants who assume the platform does the compliance work for them. Shopify handles card data securely. It does not manage the scripts your apps, Pixels, and integrations load alongside it.
What Shopify actually covers (and what it does not)
Shopify is a PCI DSS Level 1 certified service provider. When a customer checks out through Shopify's hosted checkout, sensitive card data is captured, transmitted, and stored inside Shopify's environment. That is the scope reduction Shopify provides, and it is real.
What Shopify does not do is take ownership of every script running on the checkout page. Your store loads third-party app scripts, analytics tags, loyalty widgets, live chat, and review tools in the same browser session as the payment flow. Shopify certifies its own systems. It does not certify your checkout page.
| Concern | Shopify covers it | You still own it (6.4.3 / 11.6.1) |
|---|---|---|
| Card number entry and storage | Yes, inside Shopify's hosted checkout | No |
| Shopify's own PCI DSS attestation | Yes, as a Level 1 service provider | No |
| Scripts added by your Shopify apps | No | Yes, inventory and justify each one (6.4.3) |
| Shopify Pixels and analytics tags on checkout | No | Yes, each one is in scope (6.4.3) |
| Integrity of app and custom scripts | No | Yes, confirm no unauthorized change (6.4.3) |
| Tamper detection and alerting | No | Yes, deploy a mechanism (11.6.1) |
| Security-impacting HTTP headers | No | Yes, monitor for unauthorized change (11.6.1) |
| Your merchant SAQ and AoC | No | Yes, you self-assess and attest |
The split is clean. Shopify owns the card data and its own infrastructure. You own the browser environment on your checkout page. PCI DSS 4.0.1 made that second column mandatory.
What do requirements 6.4.3 and 11.6.1 actually require?
Both requirements address client-side attacks, where malicious code is injected into scripts that run in the customer's browser. They became mandatory on 31 March 2025 (PCI Security Standards Council, PCI DSS v4.0.1).
Requirement 6.4.3: manage your payment-page scripts. For every script loaded and executed on the payment page in the consumer browser, you must:
- Maintain an inventory of all scripts, with written justification for why each one is necessary.
- Authorize each script before it is added or changed.
- Confirm the integrity of each script by verifying it has not been modified without authorization.
Requirement 11.6.1: detect tampering and alert. You must deploy a change-detection and tamper-detection mechanism that:
- Alerts personnel to unauthorized modification of the HTTP headers and the scripts of the payment page, as received by the consumer browser.
- Evaluates the received page at least once every seven days, or at a frequency defined by your targeted risk analysis.
6.4.3 says know and authorize your scripts, and 11.6.1 says watch them and alert when they change. Shopify satisfies neither, because both cover what runs in the browser rather than where card data goes.
Do these requirements apply to Shopify merchants on SAQ A?
SAQ A is the shortest self-assessment, reserved for merchants who fully outsource cardholder data handling. Shopify's hosted checkout can make you SAQ A eligible, but only if your checkout page meets one condition.
The January 2025 SAQ A removed 6.4.3 and 11.6.1 from the questionnaire itself, then added a new eligibility criterion. To use SAQ A you must confirm that your payment page is not susceptible to attacks from scripts that could affect your e-commerce systems, and that every element delivered to the browser comes directly from a PCI DSS compliant processor (PCI Security Standards Council, 2025).
Most Shopify stores cannot make that confirmation cleanly. A store with a loyalty app, a live chat widget, a review tool, or even a single analytics tag loading on the checkout page has scripts originating outside Shopify's PCI-certified environment. That takes the store out of clean SAQ A eligibility. Merchants who fail the eligibility check must satisfy 6.4.3 and 11.6.1 directly. Confirm your current SAQ A version and its eligibility criteria against the PCI SSC Document Library before assuming you are out of scope.
Shopify-specific script risks on the checkout page
Shopify's app ecosystem and extensibility features add several script sources most merchants do not track manually.
Shopify Pixels. The Shopify Pixel API lets third-party analytics and marketing tools run on the checkout. Tags for analytics, advertising, and attribution configured through Shopify's pixel sandbox run in the consumer browser on the checkout page. Each one is in scope for 6.4.3 and must be inventoried and justified.
Checkout UI Extensions. Shopify Plus merchants can use Checkout Extensibility to add custom functionality to the checkout via React-based extensions. These extensions load in the consumer browser alongside card fields. Any script delivered through an extension is subject to the same inventory and integrity requirements.
Shopify app scripts. Apps installed from the Shopify App Store can inject JavaScript into themes and, in some configurations, into the checkout page. Review widgets, loyalty programs, and upsell tools are common examples. Without active monitoring, a compromised or updated app script can change your checkout page without your team noticing.
Theme JavaScript. Shopify themes can include JavaScript that loads on or alongside the checkout flow. If a theme file is compromised or an update introduces new third-party calls, 11.6.1 requires you to detect and alert on that change.
Why the checkout page is your attack surface
Shopify's hosted checkout protects card entry. Client-side attacks rarely target the card field directly. They target the page around it.
A compromised script can draw a fake form on top of the checkout, redirect a shopper mid-flow, or read name, email, address, and order data from the DOM before the payment completes. Modified security-impacting HTTP headers can enable those attacks. Those risks exist on any checkout page because they run in the customer's browser, not on your servers.
The 2024 Polyfill[.]io incident illustrates the exposure: a trusted third-party script embedded on more than 490,000 sites was compromised and began serving skimming code to checkout pages overnight (Sansec, 2024). A Shopify merchant with that script loading on their checkout page was exposed regardless of Shopify's PCI certification, because the attack ran in the browser.
To understand how these attacks bypass server-side controls, see our guide to client-side security.
How to satisfy 6.4.3 and 11.6.1 for your Shopify store
Manual compliance is possible: build a script inventory of every script on your checkout page, justify each one, hash them, and check the rendered checkout weekly for changes. For a store with a handful of stable scripts, that might hold. For a Shopify store where apps update scripts on their own release cycle and Pixels change with marketing campaigns, the manual approach fails quickly and produces evidence auditors distrust.
The operational answer is continuous, automated script monitoring built for the payment page. cside PCI Shield is designed to satisfy both requirements directly:
- Automated inventory and justification (6.4.3). cside discovers every script running on your Shopify checkout page, builds the inventory, and lets you record authorization and justification in one place with AI-assisted review.
- Real-time tamper detection (11.6.1). cside monitors scripts and security-impacting HTTP headers continuously and alerts on unauthorized change, rather than sampling weekly and hoping nothing slipped through.
- Audit-ready evidence. cside archives every script version with full history, so you hand a QSA forensic records instead of behavioral guesses.
cside PCI Shield works alongside Shopify Payments, Stripe, or any gateway your store uses. Shopify covers the card data side; cside covers the browser-side requirements Shopify leaves with you.
The bottom line
Shopify is a PCI DSS Level 1 service provider, and that is genuinely valuable for scope reduction. It does not make you fully PCI compliant, because requirements 6.4.3 and 11.6.1 hold you responsible for every script and header on your checkout page, and Shopify does not manage that surface.
Most Shopify stores have app scripts, Pixels, and integrations that load on the checkout page. Each one is in scope. Inventory them, authorize each one, and deploy real-time tamper detection. For the operational side, see cside PCI Shield and client-side security, or book a demo to walk through your Shopify checkout.








