Monday, 15 June, 2020 UTC


Summary

Yes, that is me. I am a PCI DSS compliance expert living in Melbourne, Australia. I run my company Inforca, which specialises in Magento development and support retainers, and we're based out of Bay Street, Brighton - near the ⛱️ beach.
We've helped numerous clients, small and large, from Australia and abroad, to bring their online stores into PCI DSS compliance. It's a laborious task, but it's not rocket science either. Our clientele's yearly revenue exceeds $100M.
Usually it involves your payment gateway being hosted on a secure system - like the latest Magento 2.3.5 for example. I'm guessing Shopify has it pretty easy since we've never received requests for help with Shopify PCI DSS compliance - but I assume that need might also exist, especially for larger and more complex enterprise systems comprised of many moving parts and integrations.
Rest assured - we have plenty of enterprise experience under our belt.
Besides ensuring that your OS is not too old - like Ubuntu 14.04 - it's usually the PHP version that you need to take care of.
On top of that, your web server's SSL certificate and TLS settings must be secure - this is usually the easy part. Upgrading PHP and/or Magento can be time consuming.
I'm writing this off the top of my head, so excuse me if I've missed anything critical, but last but not least, the payment gateway needs to be secure. A hosted gateway (meaning the customer is redirected to a 3rd party, makes the payment on the external site and comes back to your shop - PayPal being the prime example) is great for PCI compliance, while more modern solutions like Stripe tend to use the iframe method really nicely.
Both these payment methods will take a LOT of burden off your back because it means no credit card details actually pass through your site from a technical standpoint.
If any credit card details touch your site at all, then you need to jump through a whole lot of hoops - maybe 10 times more than what you'd need to satisfy if you had a 3rd party hosted gateway or an iframe payment method.
This is because JavaScript injected into the site can send the credit card information to a hacker - IF your site touches any of these details. And it happens quite often, as there are literally millions of bots scanning for vulnerabilities and easy-to-guess admin passwords, and they pretty much automate the entire process of inserting a keystroke logger and sender. The hackers are smart.
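One defensive control that catches the injected-JavaScript scenario above is file-integrity monitoring of the storefront's web root: record a hash of every script and template right after a clean deploy, then rescan regularly and alert on anything added or modified. The script below is an added example, not code from this post or from Inforca; it builds a constructed temporary web root, baselines it, simulates a tampered checkout script with placeholder content, and reports the differences. The directory layout and file names are assumptions for the demo.

```python
"""File-integrity monitoring for a web root, as a defensive check against
injected card-skimming JavaScript.

Added example: not part of the original post or Inforca's tooling. It assumes
the storefront's files live under a directory you control (here a constructed
temporary tree) and that a trusted baseline was recorded after a clean deploy.
"""
import hashlib
import tempfile
from pathlib import Path

# File types a skimmer is usually planted in; other assets are ignored here.
WATCHED_SUFFIXES = {".js", ".phtml", ".html", ".php"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets never sit fully in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map of relative POSIX path -> SHA-256 for every watched file under root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in WATCHED_SUFFIXES:
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def diff_baseline(trusted: dict, current: dict) -> dict:
    """Compare a trusted baseline with a fresh scan.

    Returns the three change classes a responder cares about. Any 'added' or
    'modified' entry on a site that had no deploy since the baseline was taken
    deserves a look at the file contents and at the admin/deploy audit logs.
    """
    trusted_keys, current_keys = set(trusted), set(current)
    return {
        "added": sorted(current_keys - trusted_keys),
        "removed": sorted(trusted_keys - current_keys),
        "modified": sorted(
            p for p in trusted_keys & current_keys if trusted[p] != current[p]
        ),
    }


def demo() -> dict:
    """Build a constructed web root, baseline it, simulate tampering, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "static" / "frontend").mkdir(parents=True)
        checkout = root / "static" / "frontend" / "checkout.js"
        checkout.write_text("// constructed sample: legitimate checkout script\n")
        (root / "static" / "frontend" / "logo.png").write_bytes(b"\x89PNG constructed")
        (root / "index.php").write_text("<?php // constructed entry point\n")

        trusted = build_baseline(root)

        # Constructed tampering: text appended to checkout.js and a new script
        # dropped next to it. Both are placeholders, not real payloads.
        checkout.write_text(
            checkout.read_text() + "// [constructed] unexpected appended script\n"
        )
        (root / "static" / "frontend" / "extra.js").write_text(
            "// [constructed] new file\n"
        )

        return diff_baseline(trusted, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline would be written to storage the web server cannot modify and the scan run from cron; the PNG in the demo shows that non-watched assets are deliberately skipped so that image churn does not drown out real changes.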
Anyway, if you need help with compliance - do reach out.