PCI compliance is a critical issue for Magento stores and all eCommerce entrepreneurs. If your store is not PCI compliant and cardholder data is lost due to a cyber-attack, you could end up liable for damages in lawsuits, and you may also pay thousands of dollars in penalties and fines.
But what is PCI? Why does it matter, and how does it relate to Magento? In this FAQ, 121eCommerce will address a few of the most common questions about Magento and PCI compliance.
PCI compliance means that a merchant meets the requirements of the PCI DSS (Payment Card Industry Data Security Standard). The standard is maintained by the PCI Security Standards Council, which was founded by the major card brands: Visa, Mastercard, Discover, American Express and JCB.
PCI DSS is intended to protect cardholder data from theft and reduce the risk of payment card fraud. It matters because the card brands can levy large fines for non-compliance, which your acquiring bank passes on to you. Basically, if you don't meet the requirements and you lose customer card data, you're in for a bad time.
There are four merchant levels, though, based primarily on how many card transactions you process per year. For example, if you process fewer than 20,000 Visa or Mastercard eCommerce transactions per year on your Magento store, you are a Level 4 merchant. This is the lowest level, so validating compliance is easier: usually an annual self-assessment questionnaire rather than an on-site assessment.
As you process more and more transactions, validation becomes stricter. The security controls in the standard are the same for every merchant, but a Level 1 merchant (over 6 million transactions per year) must have an annual on-site assessment by a Qualified Security Assessor, while smaller merchants self-assess. That makes sense: a company that processes 2 million card transactions per year is a bigger target than a smaller eCommerce entrepreneur who gets 50,000 card transactions per year.
All information on a customer's payment card is covered by PCI DSS: the full or partial account number (PAN), the expiration date, the CVV (security code), and even the cardholder name. All of it must be protected per PCI DSS requirements, but not all of it may be kept. The PAN must be rendered unreadable wherever it is stored and masked when displayed (at most the first six and last four digits), and sensitive authentication data such as the CVV and full magnetic-stripe or chip data must never be stored after authorization, even encrypted.
Most smaller Magento stores can determine PCI compliance using a self-assessment questionnaire (SAQ). There are a few different questionnaires that you may need to use depending on your situation.
For example, Magento store owners who have “have fully outsourced all cardholder data functions” to “PCI DSS compliant third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises” will need to take self-assessment questionnaire A.
To learn more and see which SAQ is right for you, visit the PCI Security Standards Council's document library for the full list of questionnaires.
Using a third-party payment processor is a good start, but it does not by itself make you compliant. What it does do is shrink your scope dramatically: you should never store customer card details on your Magento store, and you should always hand the card data to a PCI DSS compliant payment processor instead.
This is because the requirements are far more demanding if card details touch your Magento database or server. How the hand-off happens also matters. If the card fields are rendered by the processor (a hosted payment page or an iframe loaded from the processor's domain), you can usually qualify for the short SAQ A. If your own checkout page collects the card number in its JavaScript and posts it directly to the processor, you fall under SAQ A-EP, which carries many more requirements, because your checkout page is now in scope. Either way, keep card data out of your database and out of your logs.
Magento 2 can be part of a PCI DSS compliant deployment, and it helps you get there: it is a well-maintained platform and ships with integrations for PCI DSS compliant payment gateways that keep card data off your servers.
This does not mean you are automatically PCI compliant, though. Most of the work lies outside the Magento codebase: hosting the environment in a physically secure facility, restricting and logging admin access, keeping the server and every extension patched, and scanning for vulnerabilities.
Magento Commerce, the cloud-hosted version of Magento 2, makes it easier still. Magento's parent company, Adobe, has the cloud platform certified as a PCI DSS Level 1 Solution Provider.
The cloud infrastructure for Magento Commerce is therefore already certified, and you get a number of integrated payment solutions for securely transmitting payment data. Compliance is shared, though: the certification covers the infrastructure, while your own code, third-party extensions, admin accounts and checkout configuration remain your responsibility, so you still have steps to take. Even so, meeting PCI DSS is much easier on Magento Commerce than on self-managed hosting.
No! PCI DSS requirements 6.1 and 6.2 (requirement 6.3 in PCI DSS v4.0) require you to identify security vulnerabilities and apply "vendor-supplied security patches" to your systems in order to remain compliant. But Magento 1 reached end of life on June 30, 2020, and it no longer receives patches or updates.
If you're still running Magento 1, you are not PCI DSS compliant unless you document compensating controls, which must be accepted by your acquirer or assessor and revalidated every year. That is expensive and time-consuming, and it gets harder every year as new Magento 1 vulnerabilities go unpatched. Basically, you're better off switching to Magento 2, so start making plans to do so as soon as you can.
This will depend on the size of your store and some other factors. But, as a rule, smaller merchants can become PCI compliant by taking the following steps:
PCI DSS is essential for proper payment data security. If you don't follow the standard in your Magento 2 store, you're exposing your customers to data breaches and card fraud, and you could face stiff penalties from card brands like Visa, Mastercard, and more.
So take it seriously, and make sure your Magento 2 installation is compliant. Need help? Contact 121eCommerce now – we specialize in Magento 2 security and PCI/DSS standards. Get in touch for a consultation, and see how we can help you lock down your Magento eCommerce store.