PCI compliance — Shopify hosted vs Magento self-hosted?
Different scopes.
Shopify: handles PCI-DSS Level 1 compliance for you. Card data never touches your servers — it’s tokenised at Shopify Checkout. Your PCI scope is SAQ A (the easiest tier — basically a self-attestation that you don’t store/process/transmit card data).
Magento Open Source self-hosted: if you use a hosted gateway (Stripe Elements, Braintree Hosted Fields, Adyen drop-in), card data also never touches your servers — you stay in SAQ A territory. Cost: $0 extra.
Magento with on-server payment forms (rare these days, but still the case with Authorize.Net AIM and some legacy gateways): card data touches your server briefly. PCI scope jumps to SAQ A-EP or SAQ D, requiring quarterly ASV scans, annual penetration tests, and full PCI documentation. Cost: $5k–$25k/yr.
Verdict: as long as the Magento store uses tokenised payment forms (which any modern build does), the PCI burden is roughly equivalent to Shopify. PCI is not a real differentiator in 2026.
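As an added example (not from the original post), a server-side guard that enforces the distinction above: it classifies a checkout payload as token-only or as carrying a Luhn-valid PAN, so that an integration believed to be hosted-field/tokenised cannot silently drift into SAQ A-EP or SAQ D scope. The two request payloads and the token format are constructed for illustration.

```python
import re

# Constructed payloads: what a hosted-field integration (Stripe Elements,
# Braintree Hosted Fields) posts to the server, versus what an on-server
# payment form such as Authorize.Net AIM would post.
TOKENISED_REQUEST = {
    "order_id": "1001",
    "payment_method": "stripe_payments",
    "payment_token": "tok_EXAMPLEtoken123",  # opaque gateway token, not card data
}
LEGACY_REQUEST = {
    "order_id": "1002",
    "payment_method": "authnet_aim",
    "cc_number": "4111 1111 1111 1111",  # well-known test PAN; its presence puts the server in scope
    "cc_exp": "12/27",
}

# 13-19 digits, optionally separated by spaces or dashes, not adjacent to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: weeds out order ids, phone numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid PANs found in text, masked to first 6 / last 4."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def scope_check(request: dict) -> dict:
    """'token-only': server stays out of cardholder-data scope (SAQ A).
    'pan-present': a PAN reached the server, so SAQ A no longer applies."""
    pans = []
    for value in request.values():
        pans.extend(find_pans(str(value)))
    return {"status": "pan-present" if pans else "token-only", "masked": pans}
```

Running scope_check over checkout request bodies (or over application logs) is a cheap way to confirm that the "card data never touches your servers" premise actually holds before signing an SAQ A.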