Payments apps

1. The customer begins a payment or a refund.
2. The merchant redirects the customer to an app-hosted page to begin their payment or refund.
3. The payment or refund takes place on the payments app, which is hosted on the app-hosted page.
4. The app performs app-specific operations during the payment.
5. The app records the payment in Shopify admin.

• You've created an app in the Partner Dashboard or using Shopify CLI.
• Your app meets the following requirements:
  • Feature requirements
  • Technical requirements
  • Merchant experience requirements

For more information, refer to requirements for third-party payments apps.

If you don't meet the requirements, then Shopify can remove your app from the public list of payment gateways, suspend access to the payments ecosystem, terminate participation in the payments ecosystem, or take any other action deemed necessary.

Payments apps need to have the following features:

• Merchants can charge, refund, and process test transactions.
• The app complies with the regulatory requirements for Strong Customer Authentication in the countries where credit card payments are processed. Being compliant might include implementing 3D Secure authentication.

• Idempotency: To provide a consistent buyer experience, payments apps must implement idempotency.
• Retry policy: In case of network errors, payments apps must retry their requests according to the retry policy.
• Mutual TLS (mTLS): Authentication must be implemented to guarantee that traffic is secure and trusted in both directions between Shopify and your payments app. This authentication allows your app to confirm if an upstream request has originated from Shopify. Payments apps must use the Shopify CA certificate for verification.
• HMAC verification: For payments app installation, the hmac parameter is included in the redirect to your payments app URL. You need to verify the authenticity of these requests using the provided hmac. However, the HMAC verification process isn't applicable for payments operation requests that are initiated from Shopify to your payments app, such as payment, refund, capture, and void. As a result, payments requests, don't include an hmac parameter.
• Rate limiting: Your app's GraphQL requests are rate limited according to the rate limiting guidelines.
• API versioning: Partners must implement a supported version of Shopify's Payments Apps APIs. Partners can't use the unstable version of Shopify's Payments Apps APIs in production. Partners can configure the API version that their payments app will use to receive requests from Shopify. Partners must use the same API version for sending GraphQL requests. API versions are updated in accordance with Shopify's general API versioning timelines.
• 3-D Secure: If you offer credit card payment methods in a country where 3-D Secure authentication is mandated, then you must support 3-D Secure authentication.
• GDPR: You need to implement GDPR webhooks.
• Payments app extension configuration change approvals: To provide a positive buyer experience, your payments app extension configuration changes must be approved by Shopify. For more information on payments app extension changes and reviews, refer to the payments apps approval process.

• Payments apps must, at a minimum, be operational and available on a 24-hour, 7 days a week basis at least 99.95% of the time in any measurement period.
• In the event of outages or issues, Partners must respond within 2 hours.
• Payments apps must provide servicing support to all merchants.

Before a payments app can be approved on Shopify’s Payments Platform, three reviews are required:

• Payments Partner application review
• Payments app extension review
• Payments app review

1. The Partner applies to become a Payments Partner.

   Partners should take time to review the “Additional Terms Applicable to Payments Developers” section of the Shopify Partner Program Agreement. If you aren't a Shopify Partner yet, then you must sign up to be a Partner.

2. We grant the Partner access to build a payments app.

   If you've been approved to be a Payments Partner, then you'll be granted access to Shopify’s payments ecosystem. You'll need to sign a revenue share agreement, which we provide in an email when you're approved.

3. The Partner creates a new app in the Partner Dashboard or Shopify CLI.

1. The Partner creates and configures the payments app extension.

2. The Partner submits the payments app extension for review.

3. We review the payments app extension.

4. If the app extension is approved, then the Partner can now publish the app extension.

5. The Partner selects a distribution method for the app in the Partner Dashboard.

6. The Partner tests the payments app extension on a development store.

If we reject your payments app extension, then we'll send you an email indicating next steps. Make sure that you check the business email for your Partner account, as well as the email address included in your Payments Platform application. After making the required changes, you can resubmit your app extension.

Before this step of the review process, you must sign the payments app revenue share agreement. The link to the agreement is included in your Payments Platform application acceptance email. If you're unable to locate the agreement, then contact Partner Support. If you submit your app for review before you sign and submit the revenue share agreement, then your app will be rejected.

1. The Partner fills out the app listing and submits the payment app for review. For more information, refer to the app review process.

2. We review the app.

3. If we approve the app, then the Partner can launch the app.

4. Optional: If the app needs to be changed before it can be approved, then the Partner reconfigures the payments app extension and submits a new version of the payments app extension for approval.

A payments apps can go through four states. Each of these states defines by whom and how your app can be installed, and the general visibility of the app for merchants. The states are the following:

• Development: The default state of a payments app is Development, after your first extension version is approved and published. The payments app can then be installed on dev stores for testing purposes.
• Hidden: The payment app enters Hidden state after the app is approved and published by the app review team. The payments app isn't discoverable to merchants through the admin, but can now be installed by merchants by sharing the installation URL available in your dashboard.
• Generally Available: The payments app enters Generally Available state by request if it meets certain criteria, such as being used by at least 50 Shopify stores and has processed over 1,000,000 USD. The payments app is now discoverable from the store admin as an alternative payment provider for all merchants in supported countries. It will also appear in the public payments brochure.
• Not Installable: If the payments app fails to meet the minimum product requirements, it will be put into Not Installable state. In this state, the app isn't discoverable to merchants through the admin. The installation URL is removed from your dashboard, and it cannot be used for installation. The app can't be installed on any new shop, but shops that had the app installed previously will still be able to use it.

You can view the payments app state when you edit a version from the Edit draft page of your payments app extension.

Payments apps support the following features:

• Payment methods
• Payment operations

Merchants can use payments apps to redirect customers to an app-hosted page for payment processing, which can include the following payment methods:

• Wallets (refer to Prohibited actions for current limitations)
• Buy Now Pay Later / Installments / Buyer Financing
• Cards
• Bank Transfers / Online Banking
• Cryptocurrency
• Cash and ATM

The payment methods support the following operations:

• Charge: Partners can collect a buyer’s payment information and charge them for their purchase.
• Refund: Merchants can trigger a refund from their Shopify admin.
• Authorize: Merchants can place a hold that can be charged at a later time.
• Capture: Merchants can charge the amount previously specified via an authorization.
• Void: Merchants can cancel a previously authorized amount.

Payment processing is a core part of Shopify merchants’ workflows. Our stores run 24/7 selling to buyers in a variety of currencies across the globe. We rely on and trust our Payments Partners to provide a secure environment for buyers to purchase and help merchants handle settlement and payouts.

During a buyer’s purchase, payments apps are responsible for the following:

1. Securely collecting a buyer’s payment information and adhering to applicable law and any PCI requirements or market regulations, including the secure storage of buyer data.
2. Processing the payment according to parameters specified by Shopify.
3. Redirecting the buyer to Shopify.
4. Settling transactions within five days.

Partners are responsible for monitoring and managing risk and fraud. If an unreasonably high percentage of a merchant's payments are fraudulent or high-risk (as determined in Shopify’s sole discretion), then Shopify may take action. Actions can include the following:

• Removing your payments app from Shopify's public list of payment gateways
• Restricting access to Shopify’s payments ecosystem
• Taking any other action deemed necessary

• Partners must have transparent, easy-to-understand pricing for merchants.
• Partners can't offer low promotional or introductory rates for a limited time to later increase the rate.
• Partners can't refer to any fee, expense, or other costs as Shopify fees on invoices to merchants.
• Partners must allow merchants to terminate their merchant agreements with a 7-day notice period without penalty, fine, or other consequence.

All Partners are required to have a signed revenue share agreement with Shopify. You must sign and submit the agreement before Shopify can approve a payments app to process real, live payments. Shopify provides the agreement to you as a part of the payments platform access request process.

Revenue share is calculated and applied on total payments volume (total GMV) processed by the payments app for all Shopify merchants with the app installed. Each invoice represents payments that took place from 00:00:00 UTC on the first day of the month to 23:59:59 UTC on the last day of the month. Shopify converts the compensation amounts daily to US dollars to limit foreign exchange risks between the parties to the agreement. Shopify uses xe.com to perform the conversion.

Shopify waives invoicing and collection of revenue share owed to Shopify until the first month that total transaction volume on your Payment Apps exceeds $150,000 USD. When this threshold is met, Shopify produces the invoice and sends it to the billing email provided, alongside bank details for payment.

Payments apps aren't permitted to do any of the following:

• Use any Shopify APIs other than the Payments Apps API and mandatory webhooks for GDPR.
• Store payment credentials for unapproved purposes. You can only use credentials for the original transaction or services approved by Shopify.
• Redistribute, share, transfer, sell unauthorized access to Shopify’s Payments Platform without Shopify’s approval. Access to Shopify’s payments ecosystem is strictly provided to the approved Payments Partner only.
• Create fake or fraudulent merchants, orders, or sales.
• Process payment methods that include, but aren't limited to, Apple Pay, Google Pay, Shop Pay, PayPal, and Alipay. Shopify has a direct connection with providers that improves performance and checkout conversion for merchants.

To make choosing additional payment methods as straightforward as possible for merchants, you should adhere to certain rules when naming your payments app:

• The name of the payments app can't contain marketing text: For example, the name “World's Best Provider: Get 50 payment methods” isn't allowed. This is because merchants won't see the name of the payments app until they have chosen the payment method they wish to add to their store.
• The name of the payments app can't be used by partners to gain a higher listing: There isn't a general alphabetized directory of payments apps for merchants to navigate. Instead merchants discover payments apps using the payment methods they want to add.

You should make sure that the payment methods and locations offered are accurate because this is the only information that's used to surface the app to merchants. If a name appears to have been created with the purpose of gaining a higher listing on an alphabetized list, then it will not be allowed.

• Line items, order ID, and checkout ID aren't available through the Payments Apps APIs.
• Payments apps aren't visible nor installable in the Shopify App Store.
• As part of the payment processing flow, buyers must enter their payment information on a page hosted by the payments developer.

• Create a payments app, and learn how to version and publish your app.