It’s one of the biggest questions circling the Magento community for quite some time now – will online merchants running Magento Community Edition be able to achieve PCI Compliance? It comes as no surprise to me that many answers to this simple question were ill-informed, and broadly ranged from flat out “no (you’ll need Enterprise Edition)”, to “yes, piece of cake”. With many merchant service providers getting down to laying down the law with smaller retailers, this question has become more and more frequent as of late. And yet still, lots of confusion, and lack of a clear answer. So let me lay down a definitive answer for you:
“I’m an online retailer running Magento Community Edition – can I achieve PCI Compliance?” YES
I’m not going to delve into all the details about what PCI Compliance is, how it relates to PA-DSS, all of the details involved with achieving PCI Compliant status, or even why you need to be PCI compliant – there are a myriad of resources that dive into those details, which I will not rehash. To make matters worse, I’ve heard of inconsistent enforcement of these policies, which are created by the credit card companies themselves and enforced at the merchant service provider level. At the end of the day, it is important to understand that PCI Compliance is for your business; the software you run is only one component of becoming compliant, and thus the larger issues and questions at hand are going to involve issues outside of Magento. Magento itself is not PCI Compliant – software cannot be PCI Compliant. So the correct context is always referring to your business as being PCI Compliant – not the software. The process for achieving PCI Compliance for your business is also dependent on your sales volume, by which you fall into one of four levels.
The inspiration for this article started with a tweet about PCI Compliance and Magento CE (Community Edition). Magento has taken strides to ensure that the Enterprise and Professional Editions are PA-DSS certified through their Payment Bridge, thus ensuring that merchants running that software pass that PCI requirement. So this article focuses on the Community Edition – which is where the ambiguity always lay to begin with. But that tweet grew wings and spawned a number of replies, emails, and discussions from service providers, hosts, and merchants running the software. It’s a hot topic, and getting an answer required a great deal of research and discussions with folks from the merchant services sector, hosting providers, retailers having to walk through this process, and Magento team members themselves. The following represents the outcome of numerous conversations on this topic, with the hope that this might simplify someone else’s life as they embark on this dreadful journey. I’m not pretending to be an expert on PCI Compliance, nor should this be considered an absolute truth, but it is a summary of what I’ve learned through the process of achieving PCI compliance for a client of ours running Magento CE.
eCommerce and PCI Compliance
In its simplest form, if you store credit card data in any shape or form – the system in which you are storing that information is held to a very rigid standard in order for your business to be approved for PCI Compliance. Let me provide an example scenario: if you are running Magento Commerce Community Edition and use Authorize.Net (or a similar payment gateway) – that means that your Magento Commerce install is “in scope” and needs to pass certain standards for PCI Compliance. This means, depending on your level, you may need to have that system pass a strict PCI audit. An interesting statistic – out of the hundreds of eCommerce platforms available on the market, only a handful have passed PA-DSS certification (which is the certification given to software that has passed this rigorous screening). It’s an expensive, time consuming process that software companies don’t even want to get into on their own platforms – so the general consensus is – you do NOT want to go down the path of putting your software through a PCI audit.
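As an added example (not from the original article), here is a Python check a merchant could run over Magento application logs or database exports to confirm that no primary account numbers are being written to disk, which is the condition the paragraph above puts at the centre of being “in scope”. The log lines, the order number and the token format are constructed for the example; the only real-looking card number is the standard 4111… test PAN.

```python
import re

# 13-19 digit runs, optionally separated by single spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_candidates(text: str) -> list:
    """Return Luhn-valid PAN candidates in text, masked to first 6 + last 4.

    Luhn filters out most order numbers and timestamps, but a random 16-digit
    id still passes about one time in ten, so hits need a human look."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return found


# Constructed sample log: a harmless order id, a debug line leaking a PAN,
# and a saved-card record that keeps only a token and the last four digits.
SAMPLE_LOG = """\
2011-03-01 10:02:11 order=1234567890123456 status=captured
2011-03-01 10:02:12 DEBUG gateway request: cc_number=4111 1111 1111 1111 exp=12/13
2011-03-01 10:02:13 saved_card token=tok_9f8e7d last4=1111 type=VI
"""


def scan_log(log: str) -> dict:
    """Map 1-based line numbers to the masked PAN candidates found on them."""
    hits = {}
    for n, line in enumerate(log.splitlines(), 1):
        cands = find_pan_candidates(line)
        if cands:
            hits[n] = cands
    return hits


if __name__ == "__main__":
    for n, cands in scan_log(SAMPLE_LOG).items():
        print(f"line {n}: cardholder data found {cands}")
```

Any hit means the server is storing cardholder data and the scope-reducing options below do not apply until that logging or storage is removed.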
How to Be PCI Compliant on Magento
You have a few options on how to achieve PCI Compliance – but it might require some changes to how you handle credit card processing. Take note of Magento Professional and Enterprise Editions – Magento did not make the software itself PA-DSS certified. Instead, they created a separate platform, dubbed “Payment Bridge”, that handles all credit card processing, and this stand-alone system is PA-DSS certified. By using this for processing credit card transactions, the onus is no longer on the eCommerce platform, but specifically on the processing system (Payment Bridge). There are many reasons for this, but it basically allows Magento to take some creative liberties with the platform and not have to jump through hoops with every upgrade to ensure that each release gets re-certified.
Currently, Payment Bridge is not available for Community Edition, but there are several options for achieving PCI Compliance on Magento:
- Use only hosted payment methods (PayPal Express, CyberSource Hosted Order Page, Authorize.Net SIM) – and you’re out of “PCI scope”, meaning you don’t have to have your software be PCI certified because you’re not storing any credit card information locally or processing any transaction on your server.
  The downside: the customer is redirected to another site, which is not really a seamless solution, and the conversion expert in us would advise against this. Alternatively, Magento currently has on its roadmap an integration with CyberSource Silent Order Post, which would be the most seamless of these options.
- Use a SaaS PCI compliant payment application like CRE Secure – which again puts you out of “PCI scope” because the actual credit card processing happens offsite on someone else’s server that is already PCI certified. This service essentially serves up the checkout page from their server and processes the transactions there. Best yet, it supports four of the primary payment gateways used today (Authorize.net, PayPal, Chase Paymentech, and PayLeap), so you can most likely stick with your current merchant services provider.
  The downside: unfortunately, the URL does change with this service, so while the form may look consistent with the site (which is an improvement over #1), the URL change could cause some checkout confusion for your users and possible cart abandonment.
- Use the Magento Payment Bridge solution (a small on-premise payment application, PA-DSS compliant) – you’re out of “PCI scope” with Magento, and the Payment Bridge (a smaller, simpler, separate app) is the software that needs to be compliant, which it already is. This is available free of charge with the Enterprise and Professional Editions of Magento and would require an upgrade from Community Edition. There are some technical requirements in PCI compliant hosting for the website, and two additional servers (web + db) that are secured and separate from the store. It does support the major gateways (Authorize.net, Payflow Pro, PayPal Direct (US & UK)) and, of all of the options mentioned thus far, has the most seamless user experience by integrating the payment form from the MPB server and embedding it in an IFRAME in the Magento checkout.
  The downside: unfortunately, there is more significant cost involved here than in the three aforementioned solutions.
- Keep processing payments within Magento with any payment method (as you are most likely doing now). What this requires depends on your merchant level, which ranges from tier 1 (over 6 million transactions), where this would be considered a custom solution and thus a PCI assessment of the whole system is required for PCI Compliance, down to tier 4: if you’re processing fewer than 20K eCommerce transactions per year, you can get by with as little as an annual Self-Assessment Questionnaire (SAQ) and a quarterly scan of your server. If you already have McAfee Secure then you should also have access to their PCI scan and certification service; if not, there are a variety of companies out there that provide this service.
  The downside: this can be a time consuming, confusing process. If you fall into tier 3 or 4, this can be the most cost effective option, but tiers 1 and 2 can be enough to warrant looking at the other options above.
PCI Compliance Enforcement
The most confusing aspect of determining how you can become PCI Compliant is the enforcement of it. This is an industry wide regulation handed down by credit card companies but enforced by merchant services providers – many of whom don’t even understand how to enforce it themselves. Which leads to “well my MSP said all I need to do is this” and hence, eighteen different answers to the same question.
At the end of the day, this is an issue not specific to Magento Commerce. All merchants on all platforms have to face this same battle, and many of them have fewer options than this. PCI Compliance was brought down upon merchants by credit card companies to help protect the data of cardholders and protect against fraud, which overwhelmingly happens at the small business level (according to Coalfire up to 90%), so it’s not surprising that this process is costly and time consuming, especially for small businesses. Over time I feel that some better options will present themselves, but in the end, removing credit card processing from your server, in some shape or form, is going to be the easiest, most cost-effective solution for small to medium sized merchants while still providing the security and data protection that credit card companies are looking for.
Some additional helpful information:
- PCI Compliant Hosting article at Crucial
- Magento PCI Compliance Overview
- PCI DSS Standard
- Magento PCI Webinar Recap
If you have additional insight to share about your experiences with PCI Compliance on Magento, please, join the conversation.
Nice article. Clears a few things up for me.
there is one more way how to achieve PCI compliance and process credit cards “onsite” – X-Payments PA-DSS certified software by X-Cart. Can be used on the same site where a Magento installation is setup.
Thanks for the CRE Secure mention in #2, but I wanted to just clarify the ‘downside’. Actually, CRE Secure private labels part of the redirected domain for free (blueacorn.cresecure.net) but can also completely private label the URL (i.e., payments.blueacorn.com) by hosting the subdomain DNS in our PCI data center, for a small fee. Larger enterprise clients demand it. Also, I appreciate your ‘straight talk’ description of the challenges of managing your own PCI compliance. The cost of PCI hosting (2 servers min.) is too often not highlighted and frankly represents the largest cost component. We, along with many industry analysts now, are strong proponents of outsourced payment acceptance mostly because it reduces the business risk associated with a breach along with cost, and not just because it delivers compliance.
We use Mail Order Manager and are looking at options for our online shopping cart (we currently use Sitelink). Do any of the solutions above allow you to import the cc and authorization information into MOM?
Hi Fred, we’re actually working on a project right now integrating MOM with Magento so we could certainly shed some insight into that process. But in regards to PCI compliance, if you are transmitting any kind of credit card information, there are going to be very strict standards whereby the entire process, from capturing the credit card to storing it in MOM will be held to PCI compliance regulations. There are also third party tools that can provide a token that you can actually use in Magento and MOM and use that as a reference to the transaction as an option.
that really helps, thanks I think I will be staying with a PayPal gateway till I get bigger after reading that. Kinda related question, any recommends for problem solving using Website Payment Pro- PayPal integration and Magento CE 1.4.2.0-beta1 ? having issues and I have waded through the Magento Forum with no love. Appreciate your knowledge, direction and help.
Thanks Kevin, this has been the easiest article to read through and understand the options available in Magento. I currently use Cybersource SOAP and am interested in knowing more about the Silent Order POST.
In the UK, Sage Pay offer a token system that allows you to keep the customer on your site yet store no restricted credit card data (except momentarily in memory). This still allows you to store last 4 digits of the PAN, the card type and expiry date, so you can operate a ’saved cards’ feature.
Ebizmarts are coming close to launching an extension that will integrate all this in Magento – its pretty neat!
My understanding is that this setup is liable for SAQ-C if you take a strict interpretation of PCI. Roughly, this means you need to know what you are doing, but you can avoid the whole two separate server deal (SAQ-D).
Security Metrics, working for Barclays who are my merchant services provider, assure me this is SAQ-A, i.e. simple. It is important to note though that no one at Barclays or SM seems to have a clue about tokens, and at the end of the day the merchant (not either of them, no matter what advice they provide) is responsible if anything happens (like a server and therefore cardholder data being compromised), so we shall go for SAQ-C I think…
Hi Kevin, I second David’s question: what update on CyberSource’s Silent Order Post option and Magento? You mentioned it was in Magento’s roadmap. But ought not a company like yours be able to develop an extension to make it work anyway? Do you have client projects like this that you could elaborate upon?
Hi Andy, I would like to talk with you more about your experiences. I’m working on a UK project where retailer is also using Barclays and I’m interested in setting up a Magento system with payment tokenisation (possibly CyberSource, but you mention Sage Pay?). Your mention of Ebizmarts extension was helpful. Might you contact me at patrick @ e-business coach dot com ?
A follow-up to my comment a moment ago:
My background is that I spent the last decade building a company around a proprietary ecommerce turnkey hosted package (catalog, cart, CMS, email, etc) for niche merchants in US and UK. After a security breach in ‘06, we underwent a VISA mandated audit and were later called the ‘posterchild for how to handle a PCI incident’ by Discover card. Our system then earned Payment Gateway Level 1 PCI cleared status by auditor SecurityMetrics, after much pain and gnashing of teeth. I’m no longer running that business; now a consultant helping others on special assignment. Which is the long way of saying, I’m interested in this topic.
One detail about PCI: the compliance standard is the same regardless of transaction volume, same for all merchants. If you’re a small merchant, your reporting / certification requirements are less, but your responsibility is the same. Your obligation / potential fines / accountability is the same. Which is why what Kevin and Greg say about encouraging your website to handle card payments in a way that puts it “out of PCI scope” is attractive.
Hi Kevin, I have to say this is one of the most complete (and also clear) articles about Magento and PCI Compliance I have come across.
Any insight into how the integration of Authorize.Net DPM impacts achieving PCI compliance with Magento?