Secure Online Shopping with Shopify

For online shoppers it’s important to trust the companies that get their business. So, it’s always been a special point of emphasis for Vitrazza that we’re based in Golden, CO, with shipping, inside sales and customer service right here in our own office. And when it comes to online checkout, we’ve partnered with one of the biggest and best companies in the industry to host our web store, Shopify Inc.

Based in Ottawa, Ontario, Shopify offers a proprietary e-commerce platform for online stores, as well as retail point-of-sale systems. The Shopify platform provides retailers a suite of services, including payments, marketing and customer engagement tools. The company has reported it has more than 2 million businesses using its platform.

Most important for shoppers is that your payment information is safe with end-to-end data encryption. Shopify Payments, which Vitrazza uses for credit card processing, is Level 1 PCI DSS and SOC2 Type II compliant. Want to know more? Read on!


What is PCI Compliance?

PCI compliance is the adherence to the security standards outlined by the PCI Security Standards Council in the Payment Card Industry Data Security Standard. These standards ensure companies that process, store, or transmit credit card information are taking the necessary steps to secure cardholder data and prevent data breaches, fraud, and unauthorized access. Cardholder data refers to payment details for debit, credit, and prepaid cards, as well as all associated personal information.

PCI compliance levels determine the specific requirements and validation procedures. Four levels of PCI compliance are defined by the payment card brands behind the PCI DSS. Shopify qualifies for the highest level, Level 1, which applies to merchants that process over six million transactions per year and to payment facilitators that process over 300,000 transactions per year.

12 requirements of PCI DSS Compliance

  1. Install and maintain a secure network
  2. Apply secure configurations to all system components
  3. Protect stored account data
  4. Protect cardholder data during transmission over public networks
  5. Protect systems and networks from malicious software
  6. Develop and maintain secure systems and software
  7. Restrict access to system and cardholder data on a need-to-know basis
  8. Identify users and authenticate their access
  9. Restrict physical access to cardholder data
  10. Monitor and log access to systems and cardholder data
  11. Regularly test networks and security systems
  12. Maintain and support information security with policies and programs


What is SOC 2 Type II Compliance?

Service Organization Control Type 2 is a cybersecurity compliance framework developed by the American Institute of Certified Public Accountants (AICPA). The purpose of SOC 2 is to ensure that third-party service providers store and process client data securely. The framework specifies criteria to uphold exacting standards of data security, based on five trust service principles: security, privacy, availability, confidentiality, and processing integrity.

SOC 2 principles explained

Security. Broadly speaking, the security principle requires the protection of data and systems against unauthorized access. To that end, you may need to implement some form of access control, e.g. using access control lists or an identity management system.

Confidentiality. Data qualifies as confidential if only a specific group of people should access it. This may include application source code, usernames and passwords, credit card information, business plans, etc. To adhere to this principle, confidential data must be encrypted both at rest and in transit. Moreover, when granting access to confidential data, follow the principle of least privilege, i.e. grant only the bare-minimum permissions that people need to do their jobs.

Availability. Systems should meet availability SLAs at all times. This requires building inherently fault-tolerant systems, which do not crumble under high load. It also requires organizations to invest in network monitoring systems and have disaster recovery plans in place.

Privacy. The collection, storage, processing, and disclosure of any personally identifiable information (PII) must adhere to the organization’s data usage and privacy policy, along with the conditions defined by the AICPA in the Generally Accepted Privacy Principles (GAPP). PII is any information that can be used to uniquely identify an individual, e.g. name, age, phone number, credit card information, or social security number. An organization must enforce rigorous controls to protect PII from unauthorized access.

Processing integrity. All systems must always function as per design, devoid of any delays, vulnerabilities, errors, or bugs. Quality assurance and performance monitoring applications and procedures are crucial to achieve adherence to this principle.


What about an SSL Certificate?

An SSL certificate is a digital certificate that authenticates a website's identity and enables an encrypted connection. SSL stands for Secure Sockets Layer, a security protocol that creates an encrypted link between a web server and your web browser; the name lives on in everyday use even though today's browsers negotiate its successor, TLS (Transport Layer Security).

Companies and organizations need to add SSL certificates to their websites to secure online transactions and keep customer information private and secure. An SSL certificate helps to secure information such as:

  • Login credentials
  • Credit card transactions or bank account information
  • Personally identifiable information (e.g., full name, address, date of birth)
  • Legal documents and contracts
  • Proprietary information

SSL works by ensuring that any data transferred between users and websites, or between two systems, cannot be read by anyone other than the intended recipient. It uses encryption algorithms to scramble data in transit, which prevents hackers from reading it as it is sent over the connection.

Moreover, an SSL certificate is required for a company to serve its site, and especially its checkout, at an HTTPS web address. HTTPS is the secure form of HTTP, which means that an HTTPS website's traffic is encrypted by SSL/TLS.

In short: SSL keeps internet connections secure and prevents criminals from reading or modifying information transferred between two systems. When you get to the Vitrazza checkout page you will see a padlock icon next to the URL in the address bar, which means our SSL certificate is protecting your online transaction.
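To make the "authenticates a website's identity" part concrete, here is an added example (not code from Vitrazza or Shopify) of the two checks a browser performs before it shows the padlock: the certificate chains to a trusted authority, and the name in the certificate matches the site you typed. The certificate dict and the `example-shop.invalid` names are constructed for illustration, in the shape Python's `ssl` module returns from `getpeercert()`.

```python
import ssl

# Constructed stand-in for what ssl.SSLSocket.getpeercert() returns for a
# shop's certificate: one exact name plus a wildcard for its subdomains.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "example-shop.invalid"),),),
    "subjectAltName": (("DNS", "example-shop.invalid"),
                       ("DNS", "*.example-shop.invalid")),
}


def _name_matches(pattern: str, host: str) -> bool:
    """Browser-style DNS name matching: case-insensitive, wildcard only as the
    whole leftmost label, and never matching more (or fewer) labels than the
    pattern has, so '*.shop.tld' covers 'www.shop.tld' but not 'a.b.shop.tld'."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the certificate was issued for `hostname`. Subject Alternative
    Names are authoritative; the commonName is only consulted when no SAN
    entries exist, which modern browsers no longer accept at all."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_name_matches(p, hostname) for p in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False


def verifying_context() -> ssl.SSLContext:
    """The chain-of-trust check: the default context loads the system CA store,
    requires a certificate (CERT_REQUIRED) and enables hostname checking."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse legacy SSL/TLS 1.0/1.1
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Audit helper: fails if any of the three padlock preconditions is off."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)
```

A client that disables either `check_hostname` or `CERT_REQUIRED` still gets an encrypted link, but to whoever answered the connection, which is why both checks matter as much as the encryption itself.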

If you’ve gotten this far in our blog post, you now know a whole lot about how Vitrazza partners with Shopify to ensure secure online shopping! PCI compliance, SOC2 Type II compliance and SSL certificates are the built-in elements that do all the heavy lifting, enabling customers like you to trust the online checkout at Vitrazza.