We are a payments processor and building a Shopify app for payment processing. We are PCI compliant and I believe we would need the Shopify app to be hosted on a PCI-certified site. Or does hosting the app not involve PCI information, and that only happens on the Shopify servers? Are the payment processing apps hosted on this platform?
To the limited degree I understand PCI compliance, this can only be assessed at the website level. A host that is PCI compliant isn’t enough, and it is perfectly possible to build a can of worms on top of a highly certified platform.
The main judgement is whether the host AND the site owner do not handle, or have access to, payments information. If for example only Stripe handles payment information, and the site owner only sees some personal information for the purposes of order fulfillment, that is a good step on the road to compliance.
However, if your company is a payments processor, you’re taking the role of Stripe in my example, and you’d probably be best referring to the compliance manager in your company. If you can involve an engineer with knowledge of Shopify too, that would be good; I am sure it can be configured in compliant and non-compliant ways.
I’m only asking because Shopify recommends this platform for its apps. It really depends if the host would be processing cardholder information. I’m pretty sure the answer is we have to host it ourselves, but I’m wondering if there are examples of other payment processors hosting the Shopify app here. It’s possible since the actual transactions are happening on Shopify that it’s OK, but unless I see some other examples, we’ll have to host it on Azure.
I was (and am) a bit confused by your post. If you (or rather your organisation) are the payments processor, then by definition Shopify would be making cloud calls to you (wherever your payment service is located). Whether that is on Fly or not is up to your technical experts.
But I wonder if by “payments processor” you mean an ecommerce shop on the internet (i.e. you accept payment cards and digital wallets, to be processed by a third party like Stripe or PayPal). That is not the usual meaning of the phrase; would you clarify?
Shopify allows different payment processors like Stripe; we are essentially like Stripe, as they would pick our app plugin vs Stripe’s. I believe we can’t use fly.io hosting, as Fly would need to be PCI compliant. And the containers would need to be scanned for our PCI, even if it’s just hosting the app and not processing.
OK, so we are aligned on what a payment processor is, great. It still isn’t clear what bit you want to host on Fly.
If you want to build a shop selling, say, confectionery on Fly, you can probably go ahead. You’d make a plugin that is integrated into the ecommerce app, with the plugin probably also being hosted on Fly. Then the ecommerce transaction works in one of two ways:
- The frontend of the Fly app calls Shopify in the cloud, which in turn makes backend calls to the payment processor, which might sit in AWS or GCP etc.
- The frontend of the Fly app renders an iframe in the customer’s browser, which points to the payment processor, which sits in AWS or GCP etc.
This way you have hosted a shop in Fly without any payment details being handled on the Fly side.
Would you perhaps link to your publicly-available integration docs, so readers can advise you on which of the above mechanisms might apply to your systems?