Magento and PCI Compliance

If you sell products online you will have to deal with the credit card data of your customers. PCI compliance is concerned with the storage of this data and its security. It is a standard set by the credit card companies in order to prevent, or at least reduce, credit card fraud in the industry. Complying with this standard can be very costly and time consuming. Not complying with it can lead to fines in case your customers' credit card data is stolen.

If you as an online merchant using Magento want to achieve PCI compliance, here’s what you need to know.

There are four different tiers for PCI Compliance, each connected with an annual review by a Qualified Security Assessor and a quarterly scan by an Approved Scanning Vendor, of differing scope.

  • Tier 1: You have more than 6 million transactions per year
  • Tier 2: Your stored transactions per year are between 1 and 6 million
  • Tier 3: In case you have less than 1 million transactions during the year
  • Tier 4: If you have less than 20,000 transactions a year

Here are the requirements for PCI Compliance:

  • You have to maintain a firewall in order to protect the cardholder data
  • Do not use default system usernames, passwords or other security parameters
  • Protect the stored cardholder data
  • Data transmissions should be encrypted
  • Use up-to-date antivirus software
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data
  • Assign a unique ID to each person with computer access
  • Monitor regularly the access to your network resources
  • Test regularly the security systems and processes
  • Maintain a policy for information security

If you have the Magento Professional or Enterprise Edition and you process payments yourself, then the full payment application is considered a custom application and it has to fulfill the requirements mentioned above. Since this is a very time consuming and costly process, and since you may only be using the Magento Community Edition, there are a few other options for being PCI compliant. Here are the other options in detail:

  1. You can use a third-party payment method, for example PayPal Express.
    If you choose this option you won’t have to be PCI compliant yourself, because you don’t store credit card information on your server. In this case you have to consider that your customers will be redirected to the site of the payment processor and will have to leave your website, which might be inconvenient and interrupt the buying process.
  2. You can use a SaaS PCI compliant payment application.
    You can use, for example, CRE Secure, which is PCI compliant. The customer is taken to another website (the URL changes), but the form may be customized to look consistent with your store.
  3. You can use the Magento Payment Bridge – which is PA-DSS compliant.
    It is available free of charge with the Enterprise and Professional Editions of Magento and requires an upgrade from the Community Edition. In case you decide to go this way, there are technical requirements for PCI compliant hosting (website and database). This is the best option of the three since it provides a seamless user experience, but it is also the most expensive one.