
PCI Compliance for Magento

Posted by | July 22, 2010 Magento Blog | 32 Comments

It’s one of the biggest questions circling the Magento community for quite some time now – will online merchants running Magento Community Edition be able to achieve PCI Compliance?  It comes as no surprise to me that many answers to this simple question were ill-informed, ranging from a flat “no (you’ll need Enterprise Edition)” to “yes, piece of cake”.  With many merchant service providers now laying down the law with smaller retailers, this question has come up more and more frequently of late, and there is still a lot of confusion and no clear answer.  So let me lay down a definitive answer for you:

“I’m an online retailer running Magento Community Edition – can I achieve PCI Compliance?”  YES

I’m not going to delve into what PCI Compliance is, how it relates to PA-DSS, all of the details involved in achieving PCI Compliant status, or even why you need to be PCI compliant – there are myriad resources that dive into those details, which I will not rehash.  To make matters worse, I’ve heard of inconsistent enforcement of these policies, which are created by the credit card companies themselves and enforced at the merchant service provider level.  At the end of the day, it is important to understand that PCI Compliance applies to your business; the software you run is only one component of becoming compliant, so the larger issues and questions at hand involve things outside of Magento.  Magento itself is not PCI Compliant – software cannot be PCI Compliant.  The correct context is always your business being PCI Compliant, not the software. The process for achieving PCI Compliance for your business also depends on your sales volume, which places you in one of four levels.

The inspiration for this article started with a tweet about PCI Compliance and Magento CE (Community Edition).  Magento has taken strides to ensure that the Enterprise and Professional Editions are PA-DSS certified through their Payment Bridge, thus ensuring that merchants running that software pass that PCI requirement.  So this article focuses on the Community Edition – which is where the ambiguity always lay to begin with.  That tweet grew wings and spawned a number of replies, emails, and discussions with service providers, hosts, and merchants running the software.  It’s a hot topic; getting an answer required a great deal of research and discussion with people in the merchant services sector, hosting providers, retailers who have walked through this process, and Magento team members themselves.  The following represents the outcome of numerous conversations on this topic, with the hope that it might simplify someone else’s life as they embark on this dreadful journey.  I’m not pretending to be an expert on PCI Compliance, nor should this be considered absolute truth, but it is a summary of what I’ve learned through the process of achieving PCI compliance for a client of ours running Magento CE.

eCommerce and PCI Compliance

In its simplest form, if you store credit card data in any shape or form, the system in which you are storing that information is held to a very rigid standard in order for your business to be approved for PCI Compliance.  An example scenario: if you are running Magento Commerce Community Edition and use authorize.net (or a similar payment gateway), your Magento Commerce install is “in scope” and needs to pass certain standards for PCI Compliance.  Depending on your level, that may mean the system has to pass a strict PCI audit.  An interesting statistic – out of the hundreds of eCommerce platforms available on the market, only a handful have passed PA-DSS certification (the certification given to software that has passed this rigorous screening).  It’s an expensive, time consuming process that software companies don’t even want to undertake on their own platforms – so the general consensus is that you do NOT want to go down the path of putting your software through a PCI audit.

How to Be PCI Compliant on Magento

You have a few options for achieving PCI Compliance – but it might require some changes to how you handle credit card processing.  Take note of how Magento handled the Professional and Enterprise Editions: Magento did not make the software itself PA-DSS certified.  Instead, they created a separate platform, dubbed “Payment Bridge”, that handles all credit card processing, and this stand-alone system is PA-DSS certified.  By using it for processing credit card transactions, the onus is no longer on the eCommerce platform but specifically on the processing system (Payment Bridge).  There are many reasons for this, but it basically allows Magento some creative liberty with the platform without having to jump through hoops to get every release re-certified.

Currently, Payment Bridge is not available for Community Edition, but there are several options for achieving PCI Compliance on Magento:

  1. Use only hosted payment methods (PayPal Express, CyberSource Hosted Order Page, Authorize.net SIM) – and you’re out of “PCI scope”, meaning your software does not have to be PCI certified because you’re not storing any credit card information locally or processing any transaction on your server.
    The downside: The customer is redirected to another site, which is not really a seamless solution, and the conversion expert in us would advise against this.  Alternatively, Magento currently has CyberSource Silent Order Post integration on their roadmap, which would be the most seamless of these options.
  2. Use a SaaS PCI compliant payment application like CRE Secure – which again puts you out of “PCI scope”, because the actual credit card processing happens offsite on someone else’s server that is already PCI certified.  This service essentially serves up the checkout page from their server and processes the transactions there.  Best yet, it supports 4 of the primary payment gateways used today (Authorize.net, PayPal, Chase Paymentech, and PayLeap), so you can most likely stick with your current merchant services provider.
    The downside: Unfortunately, the URL changes with this service, so while the form may look consistent with the site (an improvement over #1), the change of URL could cause some checkout confusion for your users and possible cart abandonment.
  3. Use Magento’s Payment Bridge solution (an on-premise small payment application, PA-DSS compliant) – Magento is out of “PCI scope”, and the Payment Bridge (a smaller, simpler, separate app) is the software that needs to be compliant, which it already is.  This is available free of charge with the Enterprise and Professional Editions of Magento and would require an upgrade from Community Edition.  There are some technical requirements: PCI compliant hosting for the website, and two additional servers (web + db) that are secured and separate from the store.  It does support the major gateways (Authorize.net, Payflow Pro, PayPal Direct US & UK) and, of all the options mentioned thus far, has the most seamless user experience, serving the payment form from the MPB server and embedding it in an IFRAME within the Magento checkout.
    The downside: Unfortunately, there is more significant cost involved here than with the solutions mentioned above.
  4. If you keep processing cards through Magento with any payment method (as you are most likely doing now), what is required depends on your merchant level.  At tier 1 (over 6 million transactions), this is considered a custom solution and a PCI assessment of the whole system is required for PCI Compliance.  At the opposite end of the spectrum, if you’re processing fewer than 20K eCommerce transactions per year, you fall into tier 4, where you can get by with as little as an annual Self-Assessment Questionnaire (SAQ) and a quarterly scan of your server.  If you already have McAfee Secure then you should also have access to their PCI scan and certification service; if not, there are a variety of companies that provide this service.
    The downside: This can be a time consuming, confusing process.  If you fall into tier 3 or 4, this can be the most cost effective option, but tiers 1 and 2 can be enough to warrant considering the other options above.
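The common thread in options 1 to 3 is that the store itself never receives a card number; once capture is outsourced, the store should hold only the gateway’s token and display data, and nothing PAN-shaped should reach its database or logs. The guard below is an added example in Python, not code from this post or from Magento: the field names, token format and log lines are constructed, and it shows how a store can check a payment record before persisting it and scan its own logs for a leaked card number, using the Luhn checksum to separate card numbers from order ids and timestamps.

```python
import re

# Fields a merchant may keep once card capture is outsourced (hosted page,
# iframe or token flow): the gateway's token plus data for a "saved cards" display.
# Field names are constructed for this example, not a Magento schema.
ALLOWED_PAYMENT_FIELDS = {"token", "card_type", "last4", "exp_month", "exp_year"}
# Fields that pull the server straight back into PCI scope (full PAN, CVV).
FORBIDDEN_PAYMENT_FIELDS = {"cc_number", "card_number", "pan", "cvv", "cvc", "cvv2"}

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers; weeds out order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card-number candidates found in text (digits only)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def check_payment_payload(payment: dict) -> list:
    """Violations for a payment record that is about to be written to the store DB."""
    problems = []
    for key, value in payment.items():
        if key in FORBIDDEN_PAYMENT_FIELDS:
            problems.append("forbidden field %r" % key)
        elif key not in ALLOWED_PAYMENT_FIELDS:
            problems.append("unexpected field %r" % key)
        for pan in find_pans(str(value)):  # catches a PAN hidden under any key
            problems.append("field %r carries a PAN ending %s" % (key, pan[-4:]))
    return problems


def scan_log_lines(lines) -> list:
    """(line number, last four) for every log line that leaked a card number."""
    return [(n, pan[-4:]) for n, line in enumerate(lines, 1) for pan in find_pans(line)]


# Constructed sample data; the card numbers are public test numbers, not real cards.
TOKEN_PAYMENT = {"token": "tok_9f3a", "card_type": "VI", "last4": "1111",
                 "exp_month": 12, "exp_year": 2012}
PAN_PAYMENT = {"token": "tok_9f3a", "cc_number": "4111 1111 1111 1111", "cvv": "123"}
SAMPLE_LOG = [
    "2010-07-22 10:15:03 checkout order=100000123 token=tok_9f3a last4=1111",
    "2010-07-22 10:15:04 gateway debug cc=4242424242424242 exp=12/12",
    "2010-07-22 10:15:05 shipment order=100000123 tracking=1Z999AA10123456784",
]

if __name__ == "__main__":
    print(check_payment_payload(TOKEN_PAYMENT))  # []
    print(check_payment_payload(PAN_PAYMENT))
    print(scan_log_lines(SAMPLE_LOG))  # [(2, '4242')]
```

Only the second log line is flagged: the order id, tracking number and timestamps are digit runs that fail either the length window or the Luhn check.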

PCI Compliance Enforcement

The most confusing aspect of determining how you can become PCI Compliant is the enforcement of it.  This is an industry wide regulation handed down by credit card companies but enforced by merchant services providers – many of whom don’t even understand how to enforce it themselves.  That leads to “well, my MSP said all I need to do is this” and hence eighteen different answers to the same question.

At the end of the day, this is an issue not specific to Magento Commerce.  All merchants on all platforms have to face this same battle, and many of them have fewer options than this.  PCI Compliance was brought down upon merchants by credit card companies to help protect cardholder data and protect against fraud, which overwhelmingly happens at the small business level (according to Coalfire, up to 90%), so it’s not surprising that this process is costly and time consuming, especially for small businesses.  Over time I feel that better options will present themselves, but in the end, removing credit card processing from your server, in some shape or form, is going to be the easiest, most cost-effective solution for small to medium sized merchants while still providing the security and data protection that credit card companies are looking for.

Some additional helpful information:

If you have additional insight to share about your experiences with PCI Compliance on Magento, please, join the conversation.

About Kevin Eichelberger

Kevin Eichelberger is the founder and CEO of Blue Acorn, a premium eCommerce agency helping retailers and brands achieve growth through a data-driven approach. Founded in 2008, Blue Acorn is the byproduct of Kevin’s great passion for and knowledge of all things eCommerce. Kevin’s data-driven approach has culminated in a strong, growing business whose success is closely tied to the success of its clients. When he’s not immersing himself in eCommerce, Kevin works toward expanding Charleston’s tech community by serving as a board member for the Charleston Digital Corridor Foundation, and is also a mentor and advisor to several startups. A business-savvy technologist, you can find Kevin evangelizing about data, optimization and eCommerce.

32 Comments

  • Nice article. Clears a few things up for me.

  • Ambal says:

    there is one more way how to achieve PCI compliance and process credit cards “onsite” – X-Payments PA-DSS certified software by X-Cart. Can be used on the same site where a Magento installation is setup.

  • Greg McGraw says:

    Thanks for the CRE Secure mention in #2, but I wanted to just clarify the ‘downside’. Actually, CRE Secure private labels part of the redirected domain for free (blueacorn.cresecure.net) but can also completely private label the URL (i.e., payments.blueacorn.com) by hosting the subdomain DNS in our PCI data center, for a small fee. Larger enterprise clients demand it. Also, I appreciate your ‘straight talk’ description of the challenges of managing your own PCI compliance. The cost of PCI hosting (2 servers min.) is too often not highlighted and frankly represents the largest cost component. We, along with many industry analysts now, are strong proponents of outsourced payment acceptance mostly because it reduces the business risk associated with a breach along with cost, and not just because it delivers compliance.

  • Fred says:

    We use Mail Order Manager and are looking at options for our online shopping cart (we currently use Sitelink). Do any of the solutions above allow you to import the cc and authorization information into MOM?

  • Kevin says:

    Hi Fred, we’re actually working on a project right now integrating MOM with Magento so we could certainly shed some insight into that process. But in regards to PCI compliance, if you are transmitting any kind of credit card information, there are going to be very strict standards whereby the entire process, from capturing the credit card to storing it in MOM will be held to PCI compliance regulations. There are also third party tools that can provide a token that you can actually use in Magento and MOM and use that as a reference to the transaction as an option.

  • Luke says:

    That really helps, thanks. I think I will be staying with a PayPal gateway till I get bigger after reading that. Kinda related question: any recommendations for problem solving using Website Payments Pro PayPal integration and Magento CE 1.4.2.0-beta1? Having issues and I have waded through the Magento Forum with no love. Appreciate your knowledge, direction and help.

  • David says:

    Thanks Kevin, this has been the easiest article to read through and understand the options available in Magento. I currently use Cybersource SOAP and am interested in knowing more about the Silent Order POST.

  • Andy says:

    In the UK, Sage Pay offer a token system that allows you to keep the customer on your site yet store no restricted credit card data (except momentarily in memory). This still allows you to store last 4 digits of the PAN, the card type and expiry date, so you can operate a ‘saved cards’ feature.

    Ebizmarts are coming close to launching an extension that will integrate all this in Magento – it’s pretty neat!

    My understanding is that this setup is liable for SAQ-C if you take a strict interpretation of PCI. Roughly, this means you need to know what you are doing, but you can avoid the whole two separate server deal (SAQ-D).

    Security Metrics, working for Barclays who are my merchant services provider, assure me this is SAQ-A, i.e. simple. It is important to note though that no one at Barclays or SM seems to have a clue about tokens, and at the end of the day the merchant (not either of them, no matter what advice they provide) is responsible if anything happens (like a server and therefore cardholder data being compromised), so we shall go for SAQ-C I think…

  • Hi Kevin, I second David’s question: what update on CyberSource’s Silent Order Post option and Magento? You mentioned it was in Magento’s roadmap. But ought not a company like yours be able to develop an extension to make it work anyway? Do you have client projects like this that you could elaborate upon?

    Hi Andy, I would like to talk with you more about your experiences. I’m working on a UK project where retailer is also using Barclays and I’m interested in setting up a Magento system with payment tokenisation (possibly CyberSource, but you mention Sage Pay?). Your mention of Ebizmarts extension was helpful. Might you contact me at patrick @ e-business coach dot com ?

  • A follow-up to my comment a moment ago:

    My background is that I spent the last decade building a company around a proprietary ecommerce turnkey hosted package (catalog, cart, CMS, email, etc) for niche merchants in US and UK. After a security breach in ’06, we underwent a VISA mandated audit and were later called the ‘posterchild for how to handle a PCI incident’ by Discover card. Our system then earned Payment Gateway Level 1 PCI cleared status by auditor SecurityMetrics, after much pain and gnashing of teeth. I’m no longer running that business; now a consultant helping others on special assignment. Which is the long way of saying, I’m interested in this topic.

    One detail about PCI: the compliance standard is the same regardless of transaction volume, same for all merchants. If you’re a small merchant, your reporting / certification requirements are less, but your responsibility is the same. Your obligation / potential fines / accountability is the same. Which is why what Kevin and Greg say about encouraging your website to handle card payments in a way that puts it “out of PCI scope” is attractive.

  • Hi Kevin, I have to say this is one of the most complete (and also clear) articles about Magento and PCI Compliance I have come across.

  • Anon says:

    Any insight into how the integration of Authorize.Net DPM impacts achieving PCI compliance with Magento?

  • PCI compliance is so complicated! I really wish there were some instructions on how to store customer data properly to comply with PCI standards.

  • Harish says:

    Hi Kevin,

    Can you please throw some light on how to pass verified CC information from Magento to MOM without breaking the PCI guidelines? The credit transaction would occur after the order is shipped, at the MOM level. The Authorize.net payment gateway is what I am planning to use at MOM and the Magento site.

    Regards,
    Harish

  • Kevin says:

    @Harish, you might want to look into using the Authorize.net CIM integration method (instead of the native SIM integration) whereby you would just store a token in Magento and that token could then be passed down to MOM. There are a few extensions that handle CIM – and a blog post here to follow in the next week or two =)

  • Magento creates PCI compliance easier by unscrambling the Magento Secure Payment Bridge appliance from the Magento Enterprise eCommerce stage. This facilitates updates to the heart Magento eCommerce application with new advertising, merchandising and content management capabilities, without having to set through PCI compliance reconsideration of the entire Magento eCommerce platform.

  • Hi Kevin, great post. How does this impact anyone running a Magento Community store out there today? With Enterprise Edition in the upper $10k, or even thinking about switching to a different platform, what is one to do?
    Thanks

    • Kevin Eichelberger says:

      Not much has changed today vs. when the article was written – those on Community Edition can be PCI compliant – EE is not a requirement. It all depends on which tier you fall into but there are many CE implementations able to achieve PCI compliance today.

  • Dale Harris says:

    Hi Kevin,

    Thanks for the great article. It is much more clear and informative than other PCI compliance articles I’ve read, especially in relation to Magento.

    Our website processes mostly purchase orders and a minimal number of credit card orders (only a dozen or so per month). As a state government entity, we must use Cybersource as our payment gateway (due to contract requirements) and must maintain PCI compliance.

    We have been building our website using Magento PE version 1.11.0.0, which we purchased because we knew Payment Bridge would be PCI compliant out-of-the-box. However, I’m not sure how to set up Payment Bridge to interface with the Cybersource SOAP API. At this point, I’m not even sure if it’s possible.

    As you can imagine, as a government entity our business requirements can be very difficult to work around, so any pointers you can provide would be much appreciated.

    Thanks!

    • Kevin Eichelberger says:

      Hi Dale, Payment Bridge requires TWO additional web servers and might be an expensive proposition for you. I’d recommend looking into a tokenization-based approach (not sure offhand if Cybersource supports this), or using a 3rd party solution like CRE Secure that hosts the CC form outside of your Magento implementation. Those are going to be the two easiest ways for you to accomplish what you need (assuming that the Tier 1 won’t cut it for you). Good luck!

  • Dale Harris says:

    Thank you for the response.

    It does appear that Cybersource supports tokenization through their Hosted Payment Acceptance service. Can I assume this approach would work using the Cybersource extension from Magento Connect?

    As an alternative, I plan to find out from our host (Nexcess) what the cost would be to host the Payment Bridge separately. However, I’ve gotten mixed information about whether Payment Bridge is even compatible with Cybersource. Is this something you can shed some light on?

    Lastly, since our usage is low enough to qualify us as a Tier 4 merchant, is any of this even necessary? Is it possible that we can maintain PCI compliance by simply using the Cybersource extension as is, performing an annual SAQ and not storing credit card information?

    I appreciate any insight you can provide.

    • Kevin Eichelberger says:

      Dale, I think the last question you ask is the first place to start. You may not have to go to these depths at all – a server scan and SAQ may be all that you need. The best place to determine exactly what requirements you need to abide by is your bank (and/or your attorney) – the ones that actually process the CCs for you. They should be able to tell you what you need to do, to be PCI compliant for them. At the end of the day, it is the bank that enforces it and since they all do it differently it will largely be up to them.

      The Cybersource gateway from Magento Inc. I do not believe supports tokenization – but there is a 3rd party module from Harper Collins that does (http://www.magentocommerce.com/magento-connect/cybersource-tokenization-credit-card-payment-module-6297.html). This is not an endorsement of that module, but it looks like it may provide what you need.

      Hope that helps!

  • Harish Kulkarni says:

    Good article!! I have been working on a billing product where we use the tokenization concept to overcome PCI compliance. Recently started working on Magento + PCI compliance; this article gave me enough details to start with.

    Thank you. If you could keep on updating on PCI compliance, that would be great.

  • Harish kulkarni says:

    Kevin,

    I searched a lot on how to enable the Payment Bridge on Magento, but didn’t get any info. It would be helpful if anyone posts some info here.

    • Kevin Eichelberger says:

      @Harish – The Magento payment bridge is a standalone application that as an Enterprise client, you will be able to download in the “downloads” section of your Magento account on their website. There is also documentation for the installation, setup & configuration. Hope this helps point you in the right direction!

  • Brent Dietrich says:

    Hi Kevin,

    Thank you very much for this article, I have found it very useful.

    In February 2012, you had responded to a comment from a guest named Harish regarding CIM, which would be better than SIM in Magento. I tried searching your blog for this topic and it came up empty. I was hoping you had written about this topic and if so, where could I find it?

  • Confused says:

    Still so confused, note the following:

    “In addition Visa has mandated that merchants only use applications which have been validated as compliant with PA-DSS through their Payment Application Compliance Program (PACP).”

    “The Visa Payment Application Compliance Program (PACP) requires all merchants to be utilizing applications which have been validated as compliant to PA-DSS no later than July 01, 2010”

  • Patrick says:

    Hi, just came across this site as I was searching for info about Magento Community Edition and PCI; it does clear up a lot of things for me. However, I’m just wondering if you could help me here as well. I can see that CE is not PCI compliant and I do not want customers to go off site when they pay, so can I just install a payment gateway plugin, such as eWAY, so customers can pay on site while it is being PCI compliant? Thanks
