Payment method encryption

The Shop Pay Wallet will return plain (untokenized) credit card information for use in processing payments. This will consist of:

This setup allows your integration to be used for placing orders with both Shopify and non-Shopify merchants on an external surface, since the information returned can be used with any payment processor to collect payment. For the same reason, it also presents a significant security risk.

Your requests to our API must be made over an encrypted SSL/TLS HTTP connection, which provides one layer of security. To further mitigate the risks of passing raw PANs over the wire, we have added a second layer of encryption to protect this data: the information required to process payment is itself encrypted using an integrated encryption process based on the Elliptic Curve Integrated Encryption Scheme (ECIES).

With this setup, we guarantee the following:

  • All requests between your systems and the Shop Pay Wallet are made over a secure connection
  • We'll only return encrypted payment information if we can verify your system's identity
  • We'll never return unencrypted payment information to you
  • Only your system that requested payment information from the Shop Pay Wallet will be able to decrypt the payload we provide

This guide explains how to work with this payment method encryption setup. This guide uses OpenSSL and Ruby in its examples.
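To make the ECIES idea above concrete, here is an added Ruby sketch of the general pattern (ephemeral ECDH, key derivation, authenticated encryption); it is not Shopify's code or wire format. The curve, HKDF-SHA256, AES-256-GCM, the `INFO` label and the message hash layout are all assumptions chosen for illustration.

```ruby
require "openssl"

CURVE = "prime256v1"      # assumed curve; not specified on this page
INFO  = "ecies-example"   # assumed HKDF context label (hypothetical)

# Derive a 32-byte AES key from the ECDH shared secret (assumed KDF: HKDF-SHA256).
def derive_key(shared_secret, ephemeral_pub)
  OpenSSL::KDF.hkdf(shared_secret, salt: ephemeral_pub, info: INFO,
                    length: 32, hash: "SHA256")
end

# Sender side: encrypt to the recipient's public point with a fresh ephemeral key.
def ecies_encrypt(recipient_point, plaintext)
  ephemeral = OpenSSL::PKey::EC.generate(CURVE)
  eph_pub   = ephemeral.public_key.to_bn.to_s(2)   # uncompressed point bytes
  cipher    = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = derive_key(ephemeral.dh_compute_key(recipient_point), eph_pub)
  iv = cipher.random_iv
  cipher.auth_data = eph_pub                       # bind ciphertext to the ephemeral key
  ciphertext = cipher.update(plaintext) + cipher.final
  { ephemeral_pub: eph_pub, iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

# Recipient side: returns the plaintext, or nil when the private key does not
# match or the message was modified (the GCM tag check fails in both cases).
def ecies_decrypt(recipient_key, msg)
  point = OpenSSL::PKey::EC::Point.new(recipient_key.group,
                                       OpenSSL::BN.new(msg[:ephemeral_pub], 2))
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = derive_key(recipient_key.dh_compute_key(point), msg[:ephemeral_pub])
  cipher.iv = msg[:iv]
  cipher.auth_tag = msg[:tag]
  cipher.auth_data = msg[:ephemeral_pub]
  cipher.update(msg[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

if __FILE__ == $PROGRAM_NAME
  requester = OpenSSL::PKey::EC.generate(CURVE)   # key pair held by the requesting system
  msg = ecies_encrypt(requester.public_key, '{"sample":"constructed payload"}')
  puts ecies_decrypt(requester, msg)                        # holder of the private key
  p ecies_decrypt(OpenSSL::PKey::EC.generate(CURVE), msg)   # any other key pair
end
```

Because the symmetric key is derived from the recipient's private key and a one-time ephemeral key, a party that captures the message but lacks that private key cannot recover the payload, which is the property the last guarantee in the list describes.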