Magento PCI Compliance Best Practices
In 2006, the five major credit card companies launched the Payment Credit Card Data Security Standard (PCI DSS) to protect sensitive credit card data that is processed during each payment.
PCI compliance refers to the security standards businesses that accept credit card payments must adhere to. By being PCI compliant, businesses protect customer financial data securely and minimize the risk of fraudulent activity and identity theft.
Since many eCommerce sites use credit cards, Magento PCI compliance is of great importance to business owners. So, how does Magento handle PCI compliance, and what can you do to protect your business?
Read on to find out.
How Does PCI Compliance Impact eCommerce Businesses?
This is the place to go if you’re wondering, “Is PCI compliance required for Magento?”
Short answer: If you process credit card information on your eCommerce site, you need to be PCI compliant.
However, not all Magento users store or process cardholder data.
You do not need to be PCI compliant if you are a Magento client who uses external payment gateways (such as PayPal or Stripe). If you use these third-party services, they process and store credit card data when the customer’s browser connects to their server and you never transmit cardholder data.
However, Magento PCI compliance is still a good idea for all eCommerce businesses using the platform because it protects your own data and your customers’ data. Even if you do not handle cardholder information, you still have personal data on file such as email addresses and phone numbers that should be protected.
Is Magento PCI Compliant?
Magento is not PCI compliant out of the box, but it can make it easy for your business to achieve compliance. Even with Magento 1 passing its end-of-life date in June 2020, Magento 2 PCI compliance still requires following some simple steps.
If you want your eCommerce site to achieve PCI compliance, Magento can help in the following ways:
- Magento offers a payment application that is PCI compliant.
- Magento Commerce, the cloud version of Magento 2, has a pre-certified infrastructure for securely transmitting cardholder data.
What is PCI DSS?
The PCI Security Standards Council established tools, a framework, and education to help businesses that process credit card payments keep financial data secure. Businesses that are unable to comply with the guidelines face damage to their reputation and potential PCI compliance fines.
If you are familiar with medical data privacy and HIPAA compliant web hosting, PCI compliant hosting might seem similar. Both face guidelines meant to protect sensitive information and mitigate identity theft, such as the following:
- Maintain a firewall to protect data.
- Change manufacturer supplied passwords.
- Protect stored credit card information.
- Encrypt transmitted cardholder information.
- Use updated antivirus software to protect against viruses and malware.
- Use secure systems and applications.
- Keep card holder data on a need-to-know basis.
- Authenticate access to cardholder data.
- Restrict physical access to data.
- Monitor and log access to physical data.
- Test security systems and fix weaknesses.
- Implement a risk assessment and information security policy.
Is SSL Enough to Make My Site PCI Compliant?
SSL certification is incredibly valuable in helping achieve Magento PCI compliance, even if on its own, an SSL certificate does not establish PCI compliant web hosting. At the very least, an SSL certificate gives eCommerce sites with Magento hosting an advantage in getting PCI compliant.
Along with aiding in becoming compliant, an SSL certificate assures customers that your eCommerce site keeps their information protected. SSL stands for Secure Sockets Layer. An SSL certificate guarantees that information passed from the customer to your store is encrypted and secure.
PCI DSS Compliance Requirements for Magento Sites
Achieving PCI DSS compliance with Magento can be done easily by following these steps which address each of the PCI guidelines:
- Set up a firewall between credit card information and public networks.
- Update passwords supplied by vendors on all devices for better password security.
- Use a third-party payment processor so no sensitive data is stored on Magento.
- Ensure all transmitted data is encrypted by getting an SSL certificate.
- Regularly check for updates on processing software.
- Install security and antivirus software.
- Restrict cardholder data to only those who need to use it.
- Give each person with access to data a unique login to help track access.
- Restrict access to physical data. Lock doors and drawers that contain hard drives or papers.
- Make users sign a log when entering areas that store sensitive data.
- Perform penetration tests on security systems and the network to find weaknesses.
- Establish security policy and educate all employees on it.
Steps to Protect Your Magento Site
Magento PCI compliance is a must for all users who process credit card purchases. The previously mentioned measures help achieve compliance, but the following steps can further protect your site:
Choose a Hosting Provider that Assists in PCI Compliance
Not all providers have PCI compliance capabilities. Check that your hosting provider claims PCI compliance capabilities.
Check Plugins and Extensions
All plugins, including your content management system (CMS), must be PCI compliant. Limit the number of plugins and extensions your site uses to reduce the risk.
Run Compliance Audits
The PCI Self-Assessment Questionnaire (SAQ) is a handy tool to check your site’s PCI compliance throughout the year.
Find and use an approved scanning vendor to secure your payment processing software. Get an SSL certificate to ensure your transactions are encrypted.
Consequences for PCI Non-Compliance
Businesses are evaluated based on four PCI compliance levels:
- Level 1: Businesses that process more than six million transactions per year.
- Level 2: Businesses that process between one and six million transactions per year.
- Level 3: Businesses that process 20,000 to one million transactions per year.
- Level 4: Businesses that process less than 20,000 transactions per year.
A business' PCI non-compliance fee depends on the compliance level that the business falls under.
Level 1 businesses face an external audit which reviews technical documents, checks payment controls, and provides education to support compliance. Levels 2 through 4 perform self-evaluations using the aforementioned SAQ.
Credit card companies that find banks doing business with companies in violation of PCI compliance will fine the banks between $5,000 and $100,000 per month. When the banks are fined, they then pass the penalty onto the companies.
Most banks will end partnerships with businesses who continue to fall out of compliance and receive penalties.
Magento PCI compliance is required for businesses that use the platform and process credit card purchases.
Ready to Find a PCI Compliant Hosting Provider for Your Store? Liquid Web is Your Source for Managed Hosting Solutions That Help Keep Your Business PCI Compliant.
David Gibb is the Financial Controller at Liquid Web. He has over 20 years of experience working in Finance. He is a CPA in Canada, CGMA in the United Kingdom, and a CPA in Australia.
Keep up to date with the latest Hosting news.