Hi everyone,
We’re using Shorebird in our Flutter app to push over-the-air (OTA) updates to production without going through the app stores. The app doesn’t directly handle payments, but some modules do interact with APIs that process sensitive data like user billing and subscription info.
We’re currently going through PCI DSS compliance review, and I’m wondering:
Does using Shorebird violate any PCI requirements related to code integrity, change management, or runtime code modification?
Have any of you used Shorebird in a PCI-scoped environment or discussed this with your QSA (Qualified Security Assessor)?
Would appreciate any insights, references, or personal experience from teams using Shorebird in regulated apps.
Thanks!
I’m not aware of Shorebird violating any PCI standards. We certainly have other finance apps as customers who presumably have gone through similar reviews.
I would strongly encourage you to use patch signing if you are not already. That makes it so that you don’t even need to trust us (or Google Cloud) in distributing your patches:
We intend to turn it on by default, just have been busy with other product work.
2 Likes
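As an added illustration of the patch-signing point above (this is not Shorebird's code and not its actual patch format, which the thread does not describe): a hypothetical Ed25519 scheme in which the private key stays with the build pipeline, the public key is pinned in the app binary, and the device refuses a patch that is tampered with, signed by the wrong key, or older than what is installed, regardless of who served it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedPatch is a constructed, hypothetical OTA patch envelope: a version
// number, the patch bytes, and a detached signature over both.
type SignedPatch struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// signedMessage binds the version number to the payload, so a valid
// signature on an old patch cannot be replayed under a newer version.
func signedMessage(version uint32, payload []byte) []byte {
	msg := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(msg, version)
	return append(msg, payload...)
}

// SignPatch runs at build time, the only place the private key exists;
// the distribution service never needs it.
func SignPatch(priv ed25519.PrivateKey, version uint32, payload []byte) SignedPatch {
	sig := ed25519.Sign(priv, signedMessage(version, payload))
	return SignedPatch{Version: version, Payload: payload, Signature: sig}
}

// VerifyPatch runs on the device against the public key pinned in the app.
// It also refuses downgrades, so a stale but validly signed patch is rejected.
func VerifyPatch(pinned ed25519.PublicKey, installed uint32, p SignedPatch) error {
	if !ed25519.Verify(pinned, signedMessage(p.Version, p.Payload), p.Signature) {
		return errors.New("patch signature invalid: refusing to apply")
	}
	if p.Version <= installed {
		return errors.New("patch is not newer than installed version: refusing to apply")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub would be pinned in the app
	patch := SignPatch(priv, 2, []byte("constructed patch bytes"))
	fmt.Println("genuine:", VerifyPatch(pub, 1, patch))
	patch.Payload = append([]byte{}, patch.Payload...)
	patch.Payload[0] ^= 0xff // simulate modification in transit
	fmt.Println("tampered:", VerifyPatch(pub, 1, patch))
}
```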
You’re also always welcome to reach out at contact@shorebird.dev. We’re all on that list and respond very quickly.
2 Likes
I wasn’t sure whether Shorebird or any code-push solution might violate PCI, and I couldn’t find anything concrete online, so I really appreciate you sharing this and confirming.
Thanks also for the heads-up about patch signing, that’s very helpful!