Comments on: PCI Compliance for Magento

By: Anon

Anon — Thu, 19 May 2011 20:22:01 +0000

Any insight into how the integration of Authorize.Net DPM impacts achieving PCI compliance with Magento?

By: Garth Brantley

Garth Brantley — Sat, 19 Feb 2011 21:41:24 +0000

Hi Kevin, I have to say this is one of the most complete (and also clear) articles about Magento and PCI Compliance I have come across.

By: Patrick Pitman

Patrick Pitman — Thu, 17 Feb 2011 18:25:10 +0000

A follow-up to my comment a moment ago:

My background is that I spent the last decade building a company around a proprietary ecommerce turnkey hosted package (catalog, cart, CMS, email, etc) for niche merchants in US and UK. After a security breach in ‘06, we underwent a VISA mandated audit and were later called the ‘posterchild for how to handle a PCI incident’ by Discover card. Our system then earned Payment Gateway Level 1 PCI cleared status by auditor SecurityMetrics, after much pain and gnashing of teeth. I’m no longer running that business; now a consultant helping others on special assignment. Which is the long way of saying, I’m interested in this topic.

One detail about PCI: the compliance standard is the same regardless of transaction volume, same for all merchants. If you’re a small merchant, your reporting / certification requirements are less, but your responsibility is the same. Your obligation / potential fines / accountability is the same. Which is why what Kevin and Greg says about encouraging your website to handle card payments in a way that puts it “out of PCI scope” is attractive.

By: Patrick Pitman

Patrick Pitman — Thu, 17 Feb 2011 18:22:03 +0000

Hi Kevin, I second David’s question: what update on CyberSource’s Silent Order Post option and Magento? You mentioned it was in Magento’s roadmap. But ought not a company like yours be able to develop an extension to make it work anyway? Do you have client projects like this that you could elaborate upon?

Hi Andy, I would like to talk with you more about your experiences. I’m working on a UK project where retailer is also using Barclays and I’m interested in setting up a Magento system with payment tokenisation (possibly CyberSource, but you mention Sage Pay?). Your mention of Ebizmarts extension was helpful. Might you contact me at patrick @ e-business coach dot com ?

By: Andy

Andy — Tue, 08 Feb 2011 00:19:28 +0000

In the UK, Sage Pay offer a token system that allows you to keep the customer on your site yet store no restricted credit card data (except momentarily in memory). This still allows you to store last 4 digits of the PAN, the card type and expiry date, so you can operate a ’saved cards’ feature.

Ebizmarts are coming close to launching an extension that will integrate all this in Magento – its pretty neat!

My understanding is that this setup is liable for SAQ-C if you take a strict interpretation of PCI. Roughly, this means you need to know what you are doing, but you can avoid the whole two separate server deal (SAQ-D).

Security Metrics, working for Barclays who are my merchant services provider, assure me this is SAQ-A, ie simple. It is important to note though that noone at Barclays or SM seem to have a clue about token, and at the end of the day the merchant (not either of them, no matter what advice they provide) is responsible if anything happens (like a server and therefore cardholder data being compromised) so we shall go for SAQ-C I think…

By: David

David — Fri, 31 Dec 2010 06:55:52 +0000

Thanks Kevin, this has been the easiest article to read through and understand the options available in Magento. I currently use Cybersource SOAP and am interested in knowing more about the Silent Order POST.

By: Luke

Luke — Fri, 05 Nov 2010 04:14:43 +0000

that really helps, thanks I think I will be staying with a PayPal gateway till I get bigger after reading that. Kinda related question, any recommends for problem solving using Website Payment Pro- PayPal integration and Magento CE 1.4.2.0-beta1 ? having issues and I have waded through the Magento Forum with no love. Appreciate your knowledge, direction and help.

By: Kevin

Kevin — Fri, 10 Sep 2010 16:24:44 +0000

Hi Fred, we’re actually working on a project right now integrating MOM with Magento so we could certainly shed some insight into that process. But in regards to PCI compliance, if you are transmitting any kind of credit card information, there are going to be very strict standards whereby the entire process, from capturing the credit card to storing it in MOM will be held to PCI compliance regulations. There are also third party tools that can provide a token that you can actually use in Magento and MOM and use that as a reference to the transaction as an option.

By: Fred

Fred — Fri, 10 Sep 2010 16:17:18 +0000

We use Mail Order Manager and are looking at options for our online shopping cart (We currently use Sitelink) Do any of the solutions above allow you to import the cc and authorization information into MOM?

By: Greg McGraw

Greg McGraw — Fri, 03 Sep 2010 14:24:14 +0000

Thanks for the CRE Secure mention in #2, but I wanted to just clarify the ‘downside’. Actually, CRE Secure private labels part of the redirected domain for free (blueacorn.cresecure.net) but can also completely private label the URL (ie., payments.blueacorn.com) by hosting the subdomain DNS in our PCI data center, for a small fee. Larger enterprise clients demand it. Alo, I appreciate your ’straight talk’ description of the challenges of managing your own PCI compliance. The cost of PCI hosting (2 servers min.) is too often not highlighted and frankly represents the largest cost component. We, along with many industry analysts now, are strong proponents of outsourced payment acceptance mostly because it reduces the business risk associated with a breach along with cost, and not just because it delivers compliance.