It’s one of the biggest questions circling the Magento community for quite some time now: will online merchants running Magento Community Edition be able to achieve PCI Compliance? It comes as no surprise to me that many answers to this simple question were ill-informed, ranging from a flat “no (you’ll need Enterprise Edition)” to “yes, piece of cake”. With many merchant service providers now laying down the law to smaller retailers, the question has come up more and more frequently of late, and still there is a lot of confusion and no clear answer. So let me lay down a definitive answer for you:
“I’m an online retailer running Magento Community Edition – can I achieve PCI Compliance?” YES
I’m not going to delve into all the details of what PCI Compliance is, how it relates to PA-DSS, everything involved in achieving PCI Compliant status, or even why you need to be PCI compliant; there are myriad resources that cover those details, and I will not rehash them. To make matters worse, I’ve heard of inconsistent enforcement of these policies, which are created by the credit card companies themselves and enforced at the merchant service provider level. At the end of the day, it is important to understand that PCI Compliance applies to your business: the software you run is only one component of becoming compliant, so the larger issues and questions at hand involve things outside of Magento. Magento itself is not PCI Compliant, because software cannot be PCI Compliant (a payment application can be PA-DSS validated, which is a different thing). So the correct context is always your business being PCI Compliant, not the software. The process for achieving PCI Compliance for your business also depends on your annual transaction volume, which places you in one of four merchant levels.
The inspiration for this article was a tweet about PCI Compliance and Magento CE (Community Edition). Magento has taken strides to satisfy the PA-DSS requirement for the Enterprise and Professional Editions through their Payment Bridge, thus covering that PCI requirement for merchants running those editions. So this article focuses on the Community Edition, which is where the ambiguity always lay to begin with. That tweet grew wings and spawned a number of replies, emails, and discussions from service providers, hosts, and merchants running the software. It’s a hot topic, and getting an answer required a great deal of research and discussion with folks from the merchant services sector, hosting providers, retailers who have had to walk through this process, and Magento team members themselves. The following represents the outcome of numerous conversations on this topic, with the hope that it might simplify someone else’s life as they embark on this dreadful journey. I’m not pretending to be an expert on PCI Compliance, nor should this be considered absolute truth, but it is a summary of what I’ve learned through the process of achieving PCI compliance for a client of ours running Magento CE.
eCommerce and PCI Compliance
In its simplest form: any system that stores, processes or transmits cardholder data is held to a very rigid standard in order for your business to be approved for PCI Compliance. People tend to remember the “store” part and forget that merely passing a card number through a server counts just as much. Example scenario: if you are running Magento Commerce Community Edition with Authorize.net (or a similar payment gateway) integrated so that the card number is posted to your server and forwarded on to the gateway, then your Magento install is “in scope” and must meet those standards for PCI Compliance. Depending on your merchant level, that may mean having the system pass a strict PCI audit. An interesting statistic: out of the hundreds of eCommerce platforms available on the market, only a handful have passed PA-DSS validation (the certification given to payment applications that survive this rigorous screening). It is an expensive, time-consuming process that software companies do not even want to go through for their own platforms, so the general consensus is that you do NOT want to go down the path of putting your software through a PCI audit.
How to Be PCI Compliant on Magento
You have a few options for achieving PCI Compliance, but they might require some changes to how you handle credit card processing. Take note of how Magento handled the Professional and Enterprise Editions: Magento did not make the platform itself PA-DSS certified. Instead, they created a separate application, dubbed “Payment Bridge”, that handles all credit card processing, and this stand-alone system is the PA-DSS certified component. By routing card transactions through it, the onus is no longer on the eCommerce platform but specifically on the processing system (Payment Bridge). There are many reasons for this, but it basically lets Magento take creative liberties with the platform without having to jump through hoops to get every release re-certified.
Payment Bridge is not currently available for Community Edition, but there are several options for achieving PCI Compliance on Magento CE:
- Use only hosted payment methods (PayPal Express, CyberSource Hosted Order Page, Authorize.net SIM), and your Magento server is out of “PCI scope”: you don’t have to have your software certified because you are neither storing card data locally nor processing any card transaction on your server. Your business still has to attest to compliance, but with a far shorter self-assessment questionnaire than a merchant that handles card numbers.
The downside: the customer is redirected to another site, which is not a seamless experience, and the conversion expert in us would advise against it. Alternatively, Magento currently has on its roadmap an integration with CyberSource Silent Order Post, which would be the most seamless of these options.
- Use a SaaS PCI compliant payment application like CRE Secure, which again puts you out of “PCI scope” because the actual card processing happens offsite on someone else’s server that is already PCI compliant. This service essentially serves the checkout page from its own server and processes the transaction there. Best of all, it supports four of the primary payment gateways used today (Authorize.net, PayPal, Chase Paymentech and PayLeap), so you can most likely stick with your current merchant services provider.
The downside: the URL changes with this service, so while the form may look consistent with your site (an improvement over the first option), the change of URL could cause some checkout confusion for your users and possible cart abandonment.
- Use Magento’s Payment Bridge (a small on-premise payment application that is PA-DSS validated): Magento itself is out of “PCI scope”, and the Payment Bridge (a smaller, simpler, separate app) is the software that needs to be compliant, which it already is. It is available free of charge with the Enterprise and Professional Editions of Magento, so it would require an upgrade from Community Edition. There are technical requirements for PCI compliant hosting of the website, plus two additional servers (web + db) that are secured and separated from the store. It supports the major gateways (Authorize.net, Payflow Pro, PayPal Direct US & UK) and, of all the options mentioned so far, has the most seamless user experience: the payment form is served from the Payment Bridge (MPB) server and embedded in the Magento checkout as an IFRAME.
The downside: there is significantly more cost involved here than in the two options above.
- If you keep taking cards directly in Magento with a payment method that posts card data to your server (as you most likely do now), what is required depends on your merchant level. At the top, level 1 (over 6 million transactions per year) treats this as a custom solution, so an annual on-site assessment of the whole system by a Qualified Security Assessor is required for PCI Compliance. At the opposite end of the spectrum, if you process fewer than 20,000 eCommerce transactions per year you fall into level 4, where you can get by with as little as an annual Self-Assessment Questionnaire (SAQ) plus a quarterly external vulnerability scan of your server by an Approved Scanning Vendor. If you already use McAfee Secure you should have access to their PCI scan and certification service; if not, there are a variety of companies that provide it.
The downside: this can be a time-consuming, confusing process. If you fall into level 3 or 4 it can be the most cost-effective option, but levels 1 and 2 warrant a serious look at the other options above.
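The line every one of the options above turns on is whether a card number ever reaches your own server. The following Python is an added illustration for this article, not Magento code and not a PCI assessment tool. It contrasts two constructed checkout POST bodies: a direct-post integration where the card number lands on the Magento server (in scope), and a hosted or tokenized integration where only a gateway token comes back (card data never arrives). The field names are modelled on Magento’s checkout form and the token format is invented; both are assumptions. PAN detection is a Luhn check over 13 to 19 digit runs, and the masking helper keeps only the first six and last four digits, which is the most PCI DSS permits to be displayed.

```python
"""
Does cardholder data reach this server?

Added example for this article: not Magento code and not a PCI assessment
tool. It contrasts two constructed checkout POST bodies (field names modelled
on Magento's checkout form, token format invented; both are assumptions) and
flags any field carrying a Luhn-valid primary account number (PAN). A server
that receives such a field is in PCI DSS scope; one that only ever sees a
gateway token is not.
"""
import re
from typing import Dict, List

# A PAN is 13-19 digits; customers often type spaces or dashes between groups.
# The lookarounds stop us matching the middle of a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalise(raw: str) -> str:
    return re.sub(r"[ -]", "", raw)


def looks_like_pan(value: str) -> bool:
    """True if the value contains a 13-19 digit, Luhn-valid number."""
    for m in _CANDIDATE.finditer(value):
        digits = _normalise(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def pan_fields(payload: Dict[str, str]) -> List[str]:
    """Names of the request fields whose values carry a PAN."""
    return sorted(k for k, v in payload.items() if looks_like_pan(v))


def in_pci_scope(payload: Dict[str, str]) -> bool:
    """A server that receives this request handles cardholder data."""
    return bool(pan_fields(payload))


def mask_pan(text: str) -> str:
    """Redact PANs in a log line to first six / last four digits, the most
    PCI DSS permits to be displayed; order ids and dates are left alone."""
    def _redact(m: "re.Match[str]") -> str:
        digits = _normalise(m.group(0))
        if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
            return m.group(0)
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return _CANDIDATE.sub(_redact, text)


# Constructed sample requests (not captured traffic). 4111111111111111 is the
# public Visa test number used by most gateways' sandboxes.
DIRECT_POST: Dict[str, str] = {      # card number posted to the merchant -> in scope
    "order_id": "100000042",
    "cc_type": "VI",
    "cc_number": "4111 1111 1111 1111",
    "cc_exp_month": "12",
    "cc_exp_year": "2014",
    "cc_cid": "123",
}

HOSTED_POST: Dict[str, str] = {      # gateway returned a token -> card data never arrived
    "order_id": "100000042",
    "gateway_token": "tok_7f3a9c2e",  # assumed token format
    "last4": "1111",
    "amount": "49.99",
}

if __name__ == "__main__":
    for name, body in (("direct post", DIRECT_POST), ("hosted/tokenized", HOSTED_POST)):
        print(f"{name:17s} in scope: {in_pci_scope(body)}  PAN fields: {pan_fields(body)}")
    print(mask_pan("2013-06-01 checkout order 100000042 card 4111-1111-1111-1111 declined"))
```

Run it against a capture of what your checkout actually posts (and against your web server and application logs): if `pan_fields` ever returns anything, that machine is in scope no matter which gateway you use, and the quarterly scan and SAQ questions about card data apply to it. The mask helper is the kind of thing to put in front of any logging that might see the checkout form, since storing full PANs in logs is exactly what an assessor looks for first.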
PCI Compliance Enforcement
The most confusing aspect of working out how to become PCI Compliant is the enforcement of it. This is an industry-wide regulation handed down by the credit card companies but enforced by merchant services providers, many of whom don’t understand how to enforce it themselves. That leads to “well, my MSP said all I need to do is this”, and hence eighteen different answers to the same question.
At the end of the day, this is not an issue specific to Magento Commerce. Merchants on every platform face the same battle, and many of them have fewer options than these. PCI Compliance was brought down upon merchants by the credit card companies to protect cardholder data and guard against fraud, which overwhelmingly happens at the small business level (according to Coalfire, up to 90%), so it’s not surprising that the process is costly and time-consuming, especially for small businesses. Over time I feel that better options will present themselves, but in the end, removing credit card processing from your server, in some shape or form, is going to be the easiest, most cost-effective solution for small to medium sized merchants, while still providing the security and data protection the credit card companies are looking for.
Some additional helpful information:
- PCI Compliant Hosting article at Crucial
- Magento PCI Compliance Overview
- PCI DSS Standard
- Magento PCI Webinar Recap
If you have additional insight to share about your experiences with PCI Compliance on Magento, please, join the conversation.