Q: Is Shopify secure?


To make things simple, we’ll answer this question in two parts:

1. Shopify Customer Security

Shopify provides a secure shopping experience for its merchants’ customers by keeping its security systems up to date with industry best practices.

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that organizations must adhere to when handling credit card and debit card information. The Payment Card Industry Security Standards Council created this standard to protect cardholder data used for online payments.

Shopify is certified Level 1 PCI DSS compliant, meeting all six categories of PCI standards:

  • Maintain a secure network
  • Maintain a vulnerability management program
  • Regularly monitor and test networks
  • Protect cardholder data
  • Implement strong access control measures
  • Maintain an information security policy

This compliance is extended to all online stores powered by Shopify.

2. Shopify Account Security

The best way to approach data security for a cloud-based tool like Shopify is the Shared Responsibility Model:

The Shared Responsibility Model explains that keeping your Shopify store’s data secure is a shared responsibility between Shopify and you, the account owner. Shopify takes care of the software, infrastructure, and disaster recovery of the entire platform. You, as the merchant, are responsible for password security, permissions given to users, third-party apps, and backups of the data you put into your account.

Web app providers take extensive precautions to ensure their infrastructure won’t fail. They strive to maintain ~99.98% service availability. They all have a security team that is dedicated to the platform’s availability. This is one of the many benefits of using a managed service like Shopify.

For instance, in the unlikely event that a meteorite crushes one of Shopify’s data centers, the security team will recover the entire platform to the last backup. You might experience a few minutes of downtime, or even none at all depending on how fast they can react to the situation.

But their backups cannot be used to recover a single account back to a previous point in time or to recover just a selection of your data. 🤯

Shopify recommends using a CSV export of your data as one method of backup – which is something we absolutely DO NOT RECOMMEND. Find out why in our blog post about CSV files and your ecommerce store.

What the platforms have is a macro-backup of their entire system. This covers users for incidents on their end, like a data breach. What Rewind provides is an automatic micro-backup of just your account.

Rewind exists to protect the data that drives your business by monitoring and capturing any changes as they occur, allowing you to revert and restore any small mistakes or big disasters. This means you have the flexibility to restore your entire account to a previous point in time, or just a single item that was deleted (such as a product). Having a backup with Rewind is a great way to secure your Shopify store data. Think of it as an insurance policy for your digital data.

Human error, malicious attacks, and software glitches caused by third-party software are just some of the reasons why people lose store data. Using an automated backup service like Rewind for your Shopify store makes backups and recovery simple, and gives you peace of mind about the security of your business-critical data.

You don’t need to be an expert in backups, spend an afternoon each week managing your backups, or have your own IT team. It’s a set-it-and-forget-it type of process that helps you recover from all types of possible data disasters. That’s a pretty good deal if you ask us.
