Simplify Compatibility with Shopify Checkout Extensibility (2024)

In today’s rapidly evolving digital world, keeping up with the latest compliance regulations is difficult and confusing. The Payment Card Industry Data Security Standard (PCI DSS) version 4 introduces a new set of anti-skimming requirements that protect buyers from payment information fraud. This is an important and necessary step, but it also introduces a new and complex compliance hurdle for many sellers.

The good news is that Shopify makes it easier for sellers to comply with these regulations, allowing them to focus on growing and scaling their business. Merchants who have upgraded to Checkout Extensibility can rest assured that Shopify’s architecture makes PCI DSS v4 compliance simple and easy.

An ever-increasing maze of regulations

Regulations continue to expand, covering everything from privacy and data access to web accessibility and marketing transparency. The upcoming PCI DSS v4 changes, effective March 31, 2025, introduce new security standards to combat digital skimming, which occurs when attackers steal customers’ credit card information during checkout. The attack relies on malicious code running in the checkout, which can steal payment data by adding a transparent layer that captures all payment information customers enter, without their knowledge.

In recent years, global cyberattacks using digital skimming have been steadily increasing and compromising sensitive customer data. In 2019, a digital skimming attack known as Magecart was active in 3,126 online stores. This attack followed two other attacks in the same year that targeted e-commerce platforms on university campuses and in hotels.

There are many important updates in the upcoming PCI DSS v4 release, but vendors should pay special attention to section 6.4.3. This section provides clear guidance on how to protect against digital skimming by managing the scripts loaded and executed during payment transactions.

To mitigate risk and comply with new privacy standards, merchants must inventory, authorize and verify the integrity of all first-party and third-party scripts that are executed as part of checkout. This includes identity verification, digital wallets, marketing consent and more. However, most sellers have limited visibility into these details, making it difficult to comply with the new regulations.

If a merchant doesn’t use Shopify, they will need to use client-side protection platforms and protection tools to manage and authorize their scripts, ensuring only approved scripts are loaded and executed. These tools alone can cost hundreds of dollars a month or more, and require significant time and training to manage. Often, these tools have a significant performance impact, because they must be loaded before any other content on the page and must capture the browser-level work of loading and executing JavaScript.
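As an added illustration (not Shopify's code and not from the original article), the sketch below audits a checkout page's script tags against an approved inventory, the inventory, authorization and integrity checks described above. The URLs, script bodies and inventory layout are constructed assumptions, and it only compares the integrity attribute declared in the page with the approved hash; the browser enforces that hash against the bytes actually served.

```python
import base64
import hashlib
from html.parser import HTMLParser

def sri(body: bytes) -> str:
    """Subresource Integrity (sha384) value for a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(body).digest()).decode()

class ScriptCollector(HTMLParser):
    """Records every <script> element as (src, integrity attribute, inline body)."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = [dict(attrs).get("src"), dict(attrs).get("integrity"), ""]
    def handle_data(self, data):
        if self._open is not None:
            self._open[2] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(tuple(self._open))
            self._open = None

def audit(html: str, inventory: dict) -> list:
    """Return (script, finding) for each script the inventory does not cover."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src, integrity, body in parser.scripts:
        if src is None:  # inline script: authorized only by the hash of its body
            if sri(body.encode()) not in inventory["inline"]:
                findings.append(("<inline>", "inline script not in inventory"))
        elif src not in inventory["external"]:
            findings.append((src, "not in inventory"))
        elif integrity != inventory["external"][src]:
            findings.append((src, "integrity attribute missing or not the approved hash"))
    return findings

# Constructed sample data: hypothetical URLs, script bodies and inventory layout.
WALLET_JS = b"/* constructed wallet script body */"
INVENTORY = {"external": {"https://pay.example/wallet.js": sri(WALLET_JS)},
             "inline": {sri(b"initCheckout();")}}
PAGE = f"""<script src="https://pay.example/wallet.js" integrity="{sri(WALLET_JS)}"></script>
<script>initCheckout();</script>
<script src="https://cdn.example/tracker.js"></script>
<script>console.log('debug');</script>"""

print(*audit(PAGE, INVENTORY), sep="\n")
```

Run on a schedule or in CI against the rendered checkout HTML, a non-empty result means a script appeared that nobody approved or an approved script lost its integrity pin.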

Seamless compatibility with transaction extensibility

Shopify’s best-converting checkout is designed to be resistant to security threats thanks to its airtight architecture. It is a managed and secure runtime designed to help you stay compliant and ensure that all aspects of data protection are up to date with the latest standards.

Shopify’s architecture ensures that only approved, trusted code is run during the checkout process, and all third-party scripts are safely isolated or sandboxed. This prevents unauthorized scripts from running, thus protecting against data theft or other malicious activities that could compromise confidential information.

Learn how Shopify supports high-performance, PCI DSS v4 compliant sandboxed transaction execution from Outstanding Engineer Ilya Grigorik.

For merchants using checkout extensions, upgrading to PCI DSS v4 will be seamless during checkout and no additional work will be required. The platform will manage these new security standards, allowing sellers to focus on growing their business without having to worry about compliance and data security issues. This proactive approach by Shopify gives sellers peace of mind knowing that their checkout is reliable and protected.

Go to Checkout Extensibility

It’s critical to protect your online store from emerging threats by upgrading to Checkout Extensibility, a new checkout framework that’s more secure, efficient, upgradable and customizable via apps. The update may help ensure your checkout is PCI DSS v4 compliant.

Important dates are approaching that may require your attention:

  • August 13, 2024: Checkout.liquid customizations on the Info, Shipping, and Checkout Payments pages will not be supported and will not be editable. Learn more about the consequences of missing this August 13, 2024 deadline.
  • March 31, 2025: All future PCI DSS v4.0 requirements are mandatory.
  • August 28, 2025: Checkout.liquid customizations and apps using script tags and additional scripts for the Thank You and Order Status pages will be disabled. Shopify Scripts will continue to work with checkout extensibility, including Shopify features, until this date.

To start the upgrade process and ensure a smooth transition, visit our Checkout Extension Center.