PCI compliance is a critical issue for Magento stores and all eCommerce entrepreneurs. If your store is not PCI compliant and cardholder data is lost due to a cyber-attack, you could end up liable for damages in lawsuits, and you may also pay thousands of dollars in penalties and fines.
But what is PCI? Why does it matter, and how does it relate to Magento? In this FAQ, 121eCommerce will address a few of the most common questions about Magento and PCI compliance.
1. What Is PCI Compliance, And Why Does It Matter?
PCI compliance means that a merchant meets PCI/DSS (Payment Card Industry Data Security Standard) requirements. These standards were developed by the major payment card brands, including VISA, MasterCard, Discover, American Express, and others.
PCI is intended to protect customer information from theft and reduce the risks of credit card fraud. It matters because payment processors are able to levy large fines against companies that violate PCI/DSS standards – basically, if you don’t meet its requirements and you lose customer credit card information, you’re in for a bad time.
There are a few different levels of PCI compliance, though. These are primarily based on how many payments you accept per year. For example, if you process fewer than 20,000 Visa or Mastercard transactions per year on your Magento store, you’ll be a “Compliance Level 4” store – this is the lowest level of compliance, so it’s easier to meet compliance requirements.
As you process more and more transactions, requirements for compliance become more and more strict. That makes sense – obviously, a company that processes 2 million credit card transactions per year would be a bigger target than a smaller eCommerce entrepreneur who gets 50,000 credit card transactions per year. You can learn more about this topic here, if you’re interested.
2. What Customer Information is Covered By PCI Standards?
All information on a customer’s credit card is covered by PCI standards – including the full or partial account number, card expiration date, CVV (security code), and even the cardholder’s name. All of this information must be protected and guarded per PCI/DSS requirements.
3. How Do I Determine If My Magento Store Is PCI Compliant?
Most smaller Magento stores can determine PCI compliance using a self-assessment questionnaire (SAQ). There are a few different questionnaires that you may need to use depending on your situation.
For example, Magento store owners who have “fully outsourced all cardholder data functions” to “PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises” will need to take self-assessment questionnaire A.
To learn more and see which SAQ is right for you, visit this page from the PCI Security Standards Council to see a full list of questionnaires.
4. Am I Automatically PCI Compliant If I Use A Third-Party Payment Processor?
Not necessarily, though this is a good start. In fact, you should never store customer credit card details on your Magento store – you should always use a third-party payment processor.
This is because PCI standards are much higher if you store customer credit card details in your Magento database – by offloading this task to a PCI-compliant third-party payment processor, you can simplify the process dramatically.
5. Does Magento 2 Help Me Become PCI Compliant?
Yes. Magento 2 is a highly secure platform and helps you become PCI compliant. It even offers a payment application or “bridge” that meets PCI/DSS standards for security.
This does not necessarily mean that you are automatically PCI compliant, though. There are a lot of steps you need to take to become PCI compliant that are outside of the Magento platform – hosting your Magento environment in a physically secure server room, for example.
Magento Commerce, the cloud-hosted version of Magento 2, makes it even easier to become PCI compliant. The parent company of Magento, Adobe, is a certified Level 1 Solution Provider.
The cloud infrastructure for Magento Commerce is pre-certified, and you also get a number of integrated, secure payment solutions for securely transmitting payment data through Magento Commerce. While you still must take some additional steps for PCI compliance, it’s much easier to ensure you meet PCI standards with Magento Commerce.
6. Is Magento 1 PCI Compliant?
No! PCI/DSS requirements 6.1 and 6.2 require eCommerce store owners to apply “vendor-supplied security patches” to their websites in order to remain compliant. But Magento 1 has now been sunsetted – and it’s no longer receiving patches or updates.
If you’re using Magento 1, you are not PCI/DSS compliant unless you create a “Compensating Controls” plan – which can be very expensive and time-consuming. Basically, you’re better off switching to Magento 2 – so start making plans to do so as soon as you can.
7. What General Steps Do I Need To Take To Make My Magento Store PCI Compliant?
This will depend on the size of your store and some other factors. But, as a rule, smaller merchants can become PCI compliant by taking the following steps:
- Using a firewall between public networks and payment card data
- Changing vendor-supplied default passwords for networking equipment or any device used in the payment process
- Not storing payment data in Magento, and using a third-party payment processor to shift the storage of data away from your own systems
- Using strong encryption to protect all customer data sent over public networks
- Installing and frequently updating antivirus software on all systems that interact with cardholder data
- Regularly patching card processing systems with vendor-supplied security patches, when applicable
- Limiting access to cardholder data to as few users as possible
- Using unique IDs for each user with access to cardholder data to ensure proper tracking and accountability
- Restricting physical access to cardholder data (for example, hosting your Magento installation in a secure data center)
- Regularly testing security systems and your network to check for potential vulnerabilities
- Maintaining a security policy related to cardholder data and ensuring that all personnel are aware of the policy
Take PCI Compliance Seriously – Or Face The Consequences From Payment Providers
PCI is essential for proper data security. If you don’t follow PCI standards in your Magento 2 store, you’re exposing your customers to hacks and data breaches – and you could face stiff penalties from payment companies like VISA, MasterCard, and more.
So take it seriously, and make sure your Magento 2 installation is compliant. Need help? Contact 121eCommerce now – we specialize in Magento 2 security and PCI/DSS standards. Get in touch for a consultation, and see how we can help you lock down your Magento eCommerce store.