Payment processing is a core part of Shopify merchant workflows. Our stores run 24/7 selling to customers in a variety of currencies across the globe. We rely on and trust our Payments Partners to provide a secure environment for customers to purchase and help merchants handle settlement and payouts. If you don't meet the requirements, then Shopify can remove your extension from the public list of payment gateways, suspend access to the payments ecosystem, terminate participation in the payments ecosystem, or take any other action deemed necessary.

## Payment security

During a customer’s purchase, payments extensions are responsible for the following:

1. Securely collecting a customer’s payment information, adhering to applicable law and any PCI requirements or market regulations, including the secure storage of customer data.
2. Processing the payment according to parameters specified by Shopify.
3. Redirecting the customer to Shopify.
4. Settling transactions within five days.

Partners are responsible for monitoring and managing risk and fraud. If an unreasonably high percentage of a merchant's payments are fraudulent or high-risk, as determined in Shopify’s sole discretion, then Shopify may take action. Actions can include the following:

- Removing your payments app from Shopify's public list of payment gateways
- Restricting access to Shopify’s payments ecosystem
- Taking any other action deemed necessary

## Transparent pricing and flexible merchant agreements

- Partners must have transparent, easy-to-understand pricing for merchants.
- Partners can't offer low promotional or introductory rates for a limited time to later increase the rate.
- Partners can't refer to any fee, expense, or other costs as Shopify fees on invoices to merchants.
- Partners must allow merchants to terminate their merchant agreements with a 7-day notice period without penalty, fine, or other consequence.

## Revenue share

All Partners must have a signed revenue share agreement with Shopify. You must sign and submit the agreement before Shopify can approve a payments app to process real, live payments. Shopify provides the agreement to you as a part of the [payments platform access request process](/docs/apps/build/payments/payments-extension-review#payments-partner-application-review).

Revenue share is calculated and applied on total payments volume (total GMV) processed by the payments app for all Shopify merchants with the app installed. Each invoice represents payments that took place from 00:00:00 UTC on the first day of the month to 23:59:59 UTC on the last day of the month. Shopify converts the compensation amounts daily to US dollars to limit foreign exchange risks between the parties to the agreement. Shopify uses [xe.com](https://www.xe.com/) to perform the conversion.

Shopify waives invoicing and collection of revenue share owed to Shopify until the first month that total transaction volume on your Payment Apps exceeds $150,000 USD. When this threshold is met, Shopify produces the invoice and sends it to the billing email provided, alongside bank details for payment.

## Prohibited actions

Payments extensions (including those using Checkout UI extensions) aren't permitted to do any of the following:

- Use any [Shopify APIs](/docs/api) other than the [Payments Apps API](/docs/api/payments-apps) and [mandatory webhooks](/docs/apps/build/privacy-law-compliance), or require merchants to install additional apps alongside the payments extension.
- Use payment customization functions to customize payment options on checkout.
- Request scopes enabling network access or protected customer data access. This will result in the extension being rejected during review.
- Store payment credentials for unapproved purposes. You can only use credentials for the original transaction or services approved by Shopify.
- Redistribute, share, transfer, or sell unauthorized access to Shopify’s Payments Platform without Shopify’s approval. Access to Shopify’s payments ecosystem is strictly provided to the approved Payments Partner only.
- Create fake or fraudulent merchants, orders, or sales.
- Process payment methods that include, but aren't limited to, Apple Pay, Google Pay, Shop Pay, PayPal, and Alipay. Shopify has a direct connection with these providers that improves performance and checkout conversion for merchants.

## Naming restrictions

To make choosing [additional payment methods](https://help.shopify.com/manual/payments/additional-payment-methods) as straightforward as possible for merchants, you should adhere to certain rules when naming your payments extension:

- **The name of the payments extension can't contain marketing text**: For example, the name “World's Best Provider: Get 50 payment methods” isn't allowed. This is because merchants won't see the name of the payments extension until they have chosen the payment method they wish to add to their store.
- **The name of the payments extension can't be used by Partners to gain a higher listing**: There isn't a general alphabetized directory of payments extensions for merchants to navigate. Instead, merchants discover payments extensions using the payment methods they want to add.

You should make sure that the payment methods and locations offered are accurate because this is the only information that's used to surface the extension to merchants. If a name appears to have been created with the purpose of gaining a higher listing on an alphabetized list, then it won't be allowed.

> Note:
> The name of the payments extension has minimal impact on whether or not merchants add it to their store. How a merchant discovers a payments extension is determined by the payment methods the extension offers and the locations where the payment methods are offered.

## Feature requirements

Payments extensions need to have the following features:

- Merchants can charge, refund, and process test transactions.
- The extension complies with the regulatory requirements for Strong Customer Authentication in the countries where credit card payments are processed. Being compliant might include implementing 3-D Secure authentication.

## Technical requirements

- **Idempotency:** To provide a consistent customer experience, payments extensions must implement idempotency.
- **Retry policy:** In case of network errors, payments extensions must retry their requests according to the retry policy.
- **Mutual TLS (mTLS):** Authentication must be implemented to guarantee that traffic is secure and trusted in both directions between Shopify and your payments extension. This authentication allows your extension to confirm if an upstream request has originated from Shopify. Payments extensions must use the Shopify CA certificate for verification.
- **HMAC verification:** For [payments extension installation](/docs/apps/build/payments/onboard-a-merchant-payments-extension), the `hmac` parameter is included in the redirect to your payments extension's URL. You need to [verify](/docs/apps/build/authentication-authorization/access-tokens/authorization-code-grant#step-1-verify-the-installation-request) the authenticity of these requests using the provided `hmac`. However, the HMAC verification process isn't applicable for payments operation requests that are initiated from Shopify to your payments extension, such as `payment`, `refund`, `capture`, and `void`. As a result, payments requests don't include an `hmac` parameter.
- **Rate limiting:** Your extension's GraphQL requests are rate limited according to the [rate limiting guidelines](/docs/api/usage/rate-limits).
- **API versioning:** Partners must implement a supported version of Shopify's Payments Apps APIs. Partners can't use the `unstable` version of Shopify's Payments Apps APIs in production. Partners can configure the API version that their payments extension will use to receive requests from Shopify. Partners must use the same API version for sending GraphQL requests. API versions are updated in accordance with Shopify's general [API versioning timelines](/docs/api/usage/versioning).
- **3-D Secure:** If you offer credit card payment methods in a country where 3-D Secure authentication is mandated, then you must support 3-D Secure authentication.
- **Compliance webhooks:** You need to implement [compliance webhooks](/docs/apps/build/privacy-law-compliance).
- **Payments extension configuration change approvals:** To provide a positive customer experience, your [payments extension configuration changes](/docs/apps/payments/offsite/use-the-cli#create-a-payments-app-extension/manage-payments-app-extensions#step-2-configure-your-payments-app-extension-for-submission) must be approved by Shopify. For more information on payments extension changes and reviews, refer to the [payments apps approval process](/docs/apps/build/payments/payments-extension-review).
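
The install-time check from the **HMAC verification** requirement above, as an added example that is not Shopify's code. It assumes the scheme in the linked verification guide (remove `hmac`, sort the remaining parameters, join them as `key=value` with `&`, then compute a hex HMAC-SHA256 keyed with the app's client secret); the secret, shop name, and function names are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed value for illustration; a real app loads its client secret from config.
CLIENT_SECRET = "constructed-client-secret"


def split_query(query_string):
    """Return (message_to_sign, received_hmac) for an install redirect query string."""
    received, rest = None, []
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key == "hmac":
            if received is not None:
                raise ValueError("duplicate hmac parameter")
            received = value
        else:
            rest.append((key, value))
    # Assumed canonical form: remaining parameters sorted, joined as key=value with '&'.
    message = "&".join("%s=%s" % pair for pair in sorted(rest))
    return message, received


def sign(message, secret=CLIENT_SECRET):
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_install_request(query_string, secret=CLIENT_SECRET):
    """True only if the query carries exactly one hmac that matches the other parameters."""
    try:
        message, received = split_query(query_string)
    except ValueError:
        return False
    if not received:
        return False
    # Constant-time comparison avoids leaking how many leading characters matched.
    return hmac.compare_digest(sign(message, secret).encode(), received.encode())


def constructed_install_query():
    """Build a sample redirect query the way the sender would, for demonstration."""
    params = {"shop": "example-shop.myshopify.com", "timestamp": "1337178173", "state": "n0nce"}
    message = "&".join("%s=%s" % pair for pair in sorted(params.items()))
    return urlencode(dict(params, hmac=sign(message)))


if __name__ == "__main__":
    query = constructed_install_query()
    print(verify_install_request(query))  # genuine redirect
    print(verify_install_request(query.replace("example-shop", "other-shop")))  # altered shop
```

This check applies only to the installation redirect; `payment`, `refund`, `capture`, and `void` requests carry no `hmac` and are authenticated through mTLS instead.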

## Merchant experience

- Payments extensions must, at a minimum, be operational and available on a 24-hour, 7 days a week basis at least 99.95% of the time in any measurement period.
- In the event of outages or issues, Partners must respond within 2 hours.
- Payments extensions must provide servicing support to all merchants.

## Limitations for payments extensions

- Line items, order ID, and checkout ID aren't available through the Payments Apps APIs.
- Payments extensions aren't visible nor installable in the Shopify App Store.


## Next steps

- Learn about the [payments app review](/docs/apps/build/payments/payments-extension-review) process
- Learn how to [Build a credit card payments extension](/docs/apps/build/payments/credit-card/use-the-cli)