
Understanding PCI Compliance in Magento

What is PCI Compliance?

PCI stands for Payment Card Industry. PCI compliance means adhering to the PCI Data Security Standard (PCI DSS), a set of security requirements for protecting card data while a payment is being processed and afterwards, wherever that data is stored or transmitted.

As eCommerce grows, so does people’s concern about data breaches. Lost or stolen personal information can be used by criminals to take over other people’s bank accounts or for other fraud. And when a breach happens, it rarely affects only one or two customers; the number of stolen card records can run into the thousands or more.

In 2019, the Buca di Beppo restaurant chain suffered a cyber-attack in which the card details of over 2 million customers were stolen. It caused great concern among their customers and also damaged the reputation of the businesses that had provided the card payment options in question.

A business that loses its customers’ data not only pays hefty fines, it also loses customers, and that does far more damage than any fine can.

So if you are an online merchant using Magento and want to achieve PCI compliance, here is what you need to know.

There are four merchant levels (often called tiers) of PCI compliance. Depending on the level, validation involves either an annual on-site assessment by a Qualified Security Assessor (QSA) or an annual Self-Assessment Questionnaire, plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).

The tiers are determined by the number of card transactions a merchant processes in a year; your acquiring bank assigns your level, and the thresholds below are the Visa definitions (other card brands differ slightly).

[PCI Compliance Chart (image courtesy of BigCommerce)]

Each tier has its own validation requirements.

Tier 1
  Criteria: more than 6 million transactions per year
  Requirements: annual Report on Compliance (ROC) from a QSA or internal security assessor; quarterly ASV vulnerability scan; Attestation of Compliance (AOC)

Tier 2
  Criteria: between 1 and 6 million transactions processed per year
  Requirements: annual Self-Assessment Questionnaire (SAQ); quarterly ASV vulnerability scan; Attestation of Compliance

Tier 3
  Criteria: between 20,000 and 1 million eCommerce transactions per year
  Requirements: annual Self-Assessment Questionnaire; quarterly ASV vulnerability scan; Attestation of Compliance

Tier 4
  Criteria: fewer than 20,000 eCommerce transactions per year, or up to 1 million transactions of any type
  Requirements: annual Self-Assessment Questionnaire; quarterly ASV vulnerability scan where your acquirer requires it; Attestation of Compliance

Requirements for each tier

By complying with PCI DSS, your business plays its part in preventing card fraud and earns more trust from customers. Cardholder data must be protected wherever it is stored, processed or transmitted: the full account number (PAN) must be rendered unreadable when stored and masked to at most the first six and last four digits when displayed; the cardholder name, expiration date and service code must be protected whenever they are stored together with the PAN; and the CVV (security code) may never be stored after authorisation at all, not even encrypted.

Here are the twelve requirements of PCI DSS:

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Protect all systems against malware and keep antivirus software up to date
  • Develop and maintain secure systems and applications (for a Magento store, this includes patching Magento and its extensions promptly)
  • Restrict access to cardholder data by business need to know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for all personnel

MAGENTO PCI COMPLIANCE

Magento Commerce Edition

Building on its predecessor, Magento 2 Commerce (Cloud) Edition is PCI certified as a Level 1 Solution Provider. This makes it easier for businesses to become PCI compliant: merchants can reference Magento’s PCI Attestation of Compliance as evidence for the requirements the platform covers, while remaining responsible for the requirements that fall within their own environment (their staff, access controls, policies and any customisations).

As the majority of Commerce Edition users are mid-sized and large brands, some of which process more than 6 million transactions per year, this is extremely important to them.

In addition, Magento stores integrate with payment gateways in such a way that card data is sent from the shopper’s browser straight to the gateway and is never stored on the Magento server; Magento keeps only a payment token and, at most, the card type and last four digits. This works in both Magento Open Source and Commerce editions.

Magento Open Source Edition

Open Source Edition does not come with a PCI certification; the merchant who hosts it is responsible for compliance. There are, however, several ways to make your Magento website PCI compliant:

1. Use a third-party payment method (for example, PayPal Express)

This is the approach mentioned above for the Commerce edition.

If you choose this option, your PCI scope shrinks dramatically because card data is never stored, processed or transmitted by your server. You still have to validate compliance, but a fully outsourced checkout, where the shopper is redirected to the gateway or the card form is served by the gateway in an iframe, typically qualifies for the shortest questionnaire, SAQ A, rather than the full SAQ D. In the past, handing off to a third-party gateway could interrupt the customer’s checkout process, but this is no longer a problem.

Merchants can now offer a seamless checkout experience with a third-party payment gateway. Because sensitive data never reaches the Magento server, you can make changes to the core Magento application without re-assessing them for PCI purposes, as long as the changes do not affect how the payment page is delivered. Note the caveat: if scripts on your own checkout page can read the card fields (a direct-post or JavaScript integration), your site can impact the security of the transaction and you fall under SAQ A-EP instead of SAQ A.
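Both the Commerce section above and this option rest on the same claim: no cardholder data ends up on the Magento server. The scanner below is an added example written for this article (it is not Magento, PayPal or any gateway’s code) that a practitioner can run over log files, database dumps or backups to check that claim. Its rules are this example’s own assumptions: a PAN is 13 to 19 Luhn-valid digits, a CVV is a 3 or 4 digit value written next to a cvv/cvc/cid label, and a PAN already reduced to its first six and last four digits is treated as acceptable. The sample lines are constructed.

```python
"""Scan text (logs, DB dumps) for cardholder data that should not be on a Magento server.

Added example for this article, not Magento or gateway code. Assumptions made here:
a PAN is 13-19 Luhn-valid digits, a CVV is 3-4 digits next to a cvv/cvc/cid label,
and a PAN masked to first six / last four digits is acceptable.
"""
import re
from typing import Iterable, List, Tuple

# 13-19 digits, single spaces or dashes allowed between digits, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Security code written next to a label. PCI DSS forbids storing it after authorisation in any form.
CVV_CANDIDATE = re.compile(
    r"(?<![A-Za-z])(?:cvv2?|cvc2?|cid)(?![A-Za-z])\D{0,5}(\d{3,4})(?!\d)",
    re.IGNORECASE,
)

Finding = Tuple[int, str, str]  # (line number, kind, evidence that is safe to put in a report)

# Constructed sample lines standing in for Magento log / database-dump content.
SAMPLE_LINES = [
    "2024-03-01 quote_payment id=17 cc_last_4=1111 token=tok_9f3a",
    "2024-03-01 debug: posted card 4111 1111 1111 1111 exp 12/26 cvv 123",
    "order 100000045 ref 4111********1111 approved",
    "customer phone 5551234567 ref 1234567812345678",
]


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits, the most PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return unmasked PANs found in text; masked values such as 4111********1111 never match."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # The Luhn check drops order numbers and other long digit runs that are not card numbers.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def scan(lines: Iterable[str]) -> List[Finding]:
    """Report PANs (masked, so the report itself stays out of PCI scope) and CVVs per line."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((n, "PAN", mask_pan(pan)))
        if CVV_CANDIDATE.search(line):
            findings.append((n, "CVV", "present"))  # never copy the value itself
    return findings


if __name__ == "__main__":
    for n, kind, evidence in scan(SAMPLE_LINES):
        print(f"line {n}: {kind} {evidence}")
```

Run against the sample, only the debug line is flagged: the `cc_last_4` value and the masked reference are acceptable, and the 16-digit order reference on the last line is rejected by the Luhn check. A hit on a real system means card data is reaching your server, which moves you out of SAQ A territory and into a much larger assessment.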

2. Use a SaaS PCI-compliant payment application

You can use, for example, CRE Secure, which is a PCI-compliant hosted payment page. The customer is redirected to another website (the URL changes), but the form can be styled to look consistent with your store.

For a better understanding of PCI compliance, take a look at the infographic below:

The PCI Compliance Process

Infographic produced by payment processing company BluePay


Further Reading:
Magento Community vs Enterprise: A Detailed Comparison
Understanding Magento Form Validation
Understanding Magento SOAP API
What E-commerce Websites Need To Know About PCI Compliance