Requirements for payments extensions
Payment processing is a core part of Shopify merchant workflows. Our stores run 24/7 selling to customers in a variety of currencies across the globe. We rely on and trust our Payments Partners to provide a secure environment for customers to purchase and help merchants handle settlement and payouts. If you don't meet the requirements, then Shopify can remove your extension from the public list of payment gateways, suspend access to the payments ecosystem, terminate participation in the payments ecosystem, or take any other action deemed necessary.
Payment security
During a customer’s purchase, payments extensions are responsible for the following:
- Securely collecting a customer’s payment information, adhering to applicable law and any PCI requirements or market regulations, including the secure storage of customer data.
- Processing the payment according to parameters specified by Shopify.
- Redirecting the customer to Shopify.
- Settling transactions within five days.
Partners are responsible for monitoring and managing risk and fraud. If an unreasonably high percentage of a merchant's payments are fraudulent or high-risk, as determined in Shopify’s sole discretion, then Shopify may take action. Actions can include the following:
- Removing your payments app from Shopify's public list of payment gateways
- Restricting access to Shopify’s payments ecosystem
- Taking any other action deemed necessary
Transparent pricing and flexible merchant agreements
- Partners must have transparent, easy-to-understand pricing for merchants.
- Partners can't offer low promotional or introductory rates for a limited time to later increase the rate.
- Partners can't refer to any fee, expense, or other costs as Shopify fees on invoices to merchants.
- Partners must allow merchants to terminate their merchant agreements with a 7-day notice period without penalty, fine, or other consequence.
Revenue share
All Partners must have a signed revenue share agreement with Shopify. You must sign and submit the agreement before Shopify can approve a payments app to process real, live payments. Shopify provides the agreement to you as a part of the payments platform access request process.
Revenue share is calculated and applied on total payments volume (total GMV) processed by the payments app for all Shopify merchants with the app installed. Each invoice represents payments that took place from 00:00:00 UTC on the first day of the month to 23:59:59 UTC on the last day of the month. Shopify converts the compensation amounts daily to US dollars to limit foreign exchange risks between the parties to the agreement. Shopify uses xe.com to perform the conversion.
Shopify waives invoicing and collection of revenue share owed to Shopify until the first month that total transaction volume on your Payment Apps exceeds $150,000 USD. When this threshold is met, Shopify produces the invoice and sends it to the billing email provided, alongside bank details for payment.
Prohibited actions
Payments extensions aren't permitted to do any of the following:
- Use any Shopify APIs other than the Payments Apps API and mandatory webhooks, or require merchants to install additional apps alongside the payments extension.
- Store payment credentials for unapproved purposes. You can only use credentials for the original transaction or services approved by Shopify.
- Redistribute, share, transfer, or sell unauthorized access to Shopify’s Payments Platform without Shopify’s approval. Access to Shopify’s payments ecosystem is strictly provided to the approved Payments Partner only.
- Create fake or fraudulent merchants, orders, or sales.
- Process payment methods that include, but aren't limited to, Apple Pay, Google Pay, Shop Pay, PayPal, and Alipay. Shopify has a direct connection with these providers that improves performance and checkout conversion for merchants.
Naming restrictions
To make choosing additional payment methods as straightforward as possible for merchants, you should adhere to certain rules when naming your payments extension:
- The name of the payments extension can't contain marketing text: For example, the name “World's Best Provider: Get 50 payment methods” isn't allowed. This is because merchants won't see the name of the payments extension until they have chosen the payment method they wish to add to their store.
- The name of the payments extension can't be used by Partners to gain a higher listing: There isn't a general alphabetized directory of payments extensions for merchants to navigate. Instead, merchants discover payments extensions using the payment methods they want to add.
You should make sure that the payment methods and locations offered are accurate because this is the only information that's used to surface the extension to merchants. If a name appears to have been created with the purpose of gaining a higher listing on an alphabetized list, then it won't be allowed.
Feature requirements
Payments extensions need to have the following features:
- Merchants can charge, refund, and process test transactions.
- The extension complies with the regulatory requirements for Strong Customer Authentication in the countries where credit card payments are processed. Being compliant might include implementing 3-D Secure authentication.
Technical requirements
- Idempotency: To provide a consistent customer experience, payments extensions must implement idempotency.
- Retry policy: In case of network errors, payments extensions must retry their requests according to the retry policy.
- Mutual TLS (mTLS): Authentication must be implemented to guarantee that traffic is secure and trusted in both directions between Shopify and your payments extension. This authentication allows your extension to confirm if an upstream request has originated from Shopify. Payments extensions must use the Shopify CA certificate for verification.
- HMAC verification: For payments extension installation, the `hmac` parameter is included in the redirect to your payments extension's URL. You need to verify the authenticity of these requests using the provided `hmac`. However, the HMAC verification process isn't applicable for payments operation requests that are initiated from Shopify to your payments extension, such as `payment`, `refund`, `capture`, and `void`. As a result, payments requests don't include an `hmac` parameter.
- Rate limiting: Your extension's GraphQL requests are rate limited according to the rate limiting guidelines.
- API versioning: Partners must implement a supported version of Shopify's Payments Apps APIs. Partners can't use the `unstable` version of Shopify's Payments Apps APIs in production. Partners can configure the API version that their payments extension will use to receive requests from Shopify. Partners must use the same API version for sending GraphQL requests. API versions are updated in accordance with Shopify's general API versioning timelines.
- 3-D Secure: If you offer credit card payment methods in a country where 3-D Secure authentication is mandated, then you must support 3-D Secure authentication.
- Compliance webhooks: You need to implement compliance webhooks.
- Payments extension configuration change approvals: To provide a positive customer experience, your payments extension configuration changes must be approved by Shopify. For more information on payments extension changes and reviews, refer to the payments apps approval process.
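The HMAC verification requirement above, sketched as an added example (not Shopify's code). It assumes the digest is a hex HMAC-SHA256, keyed with the app's client secret, over the remaining query parameters sorted by name and joined as `key=value` with `&`; confirm the exact canonical form against Shopify's authentication documentation. The function names and the sample secret are hypothetical. It applies only to the installation redirect, because `payment`, `refund`, `capture`, and `void` requests carry no `hmac` and are authenticated through mTLS.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed sample secret; a real deployment uses the app's client secret.
SAMPLE_SECRET = "constructed-client-secret"


def _canonical_message(pairs):
    # Assumed canonical form: non-hmac parameters sorted by name, joined as k=v with "&".
    return "&".join(f"{k}={v}" for k, v in sorted(pairs))


def _digest(pairs, secret):
    return hmac.new(secret.encode(), _canonical_message(pairs).encode(),
                    hashlib.sha256).hexdigest()


def sign_query(params: dict, secret: str) -> str:
    """Sender side, used here only to build constructed sample input."""
    pairs = list(params.items())
    return urlencode(pairs + [("hmac", _digest(pairs, secret))])


def verify_install_redirect(query_string: str, secret: str) -> bool:
    """Return True only when exactly one hmac parameter is present and it matches."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    provided = [v for k, v in pairs if k == "hmac"]
    if len(provided) != 1:  # missing or duplicated hmac: reject outright
        return False
    rest = [(k, v) for k, v in pairs if k != "hmac"]
    expected = _digest(rest, secret)
    # Constant-time comparison on bytes avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), provided[0].encode())


if __name__ == "__main__":
    good = sign_query({"shop": "example-store.myshopify.com",
                       "timestamp": "1700000000"}, SAMPLE_SECRET)
    print(verify_install_redirect(good, SAMPLE_SECRET))
    print(verify_install_redirect(good.replace("example-store", "other-store"),
                                  SAMPLE_SECRET))
```

Reject the request before doing any installation work when the function returns False, and log the rejection without echoing the supplied `hmac` value.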
Merchant experience
- Payments extensions must, at a minimum, be operational and available on a 24-hour, 7 days a week basis at least 99.95% of the time in any measurement period.
- In the event of outages or issues, Partners must respond within 2 hours.
- Payments extensions must provide servicing support to all merchants.
Limitations for payments extensions
- Line items, order ID, and checkout ID aren't available through the Payments Apps APIs.
- Payments extensions aren't visible nor installable in the Shopify App Store.
- As part of the payment processing flow, customers must enter their payment information on a page hosted by the payments developer.