Do you have a Magento Community website that accepts credit cards, or are you planning to build one? Then PCI compliance should be at the top of list of things to addresst. A lack of PCI compliance can lead to huge fines – from $5,000 to $100,000. It can also lead to a loss of customers, and even to a loss of your ability to accept credit cards altogether.
To understand if your Magento CE based store is compliant or not, let’s first dig a little bit more into whatPCI Compliance is.
In lay terms, “to be PCI-compliant” means to make all the necessary changes in your store serving a single goal – to secure your buyer’s credit card data. These changes relate not only to your checkout page but to your whole store from your server settings to the payment applications and credit card processing methods you use. There are many steps that the credit card processing industry requires you to take, in order to cut down on the risks of hackers infiltrating your website, or getting access to sensitive payment data.
But how can you achieve compliance?
To help online merchants stay safe, credit card brands such as American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc., formed a special council and developed Payment Card Industry Data Security Standards (PCI DSS). All five have incorporated these requirements for their own data security compliance programs and issue non-compliance penalties to the merchants and vendors who ignore the rules endangering their buyers’ sensitive data.
According to the PCI DSS Council, every merchant who accepts and processes online payments is obliged to comply with HUNDREDS of requirements and regulations. Hard to believe? You can download the document here and see it for yourself. Following the regulations, a merchant will achieve these goals:
- Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain an Information Security Policy
- Maintain a policy that addresses information security for employees and contractors
Just following the rules is not always enough. It’s very likely that you will need to submit a report of compliance to your bank or merchant services vendor.
Why is it important to be PCI-compliant?
Following these rules, intended to secure your buyers, you’ll secure your business, too. Unless you’re compliant, the consequences can be significant and irreversible for your business:
Huge fines and spendings. If you do not comply with the requirements, one day you could wake up to a 5-digit fine from Visa, Mastercard or your merchant account provider, and keep getting it monthly until you’ve addressed the required issues. In some scenarios, merchants don’t even know that their account has been charged ines. And it’s for PCI non-compliance only i.e., not yet a breach. On top of that, you may also be responsible for legal costs and settlements if any harm is caused to credit card holders due to the PCI Compliance violations that led to a data breach.
Drop in sales and lost revenue. Customers, whose credit cards were stolen from your store will never trust you again. No need to say, they won’t buy anything from you and will persuade others to stay away. Neglecting security will hurt your reputation, and can result in fraud attacks and even more loss of revenue.
Lost business. The responsible person can get demoted or fired in the aftermath of a data breach. The worst outcome for a seller, which is nonetheless a distinct possibility, is going out of business. As a penalty, an online merchant can lose the ability to accept credit and debit cards in essence forcing you out of business.
Complicated and scary? Take it easy. It’s not as bad as it looks.
These scenarios, by and large, only apply to your business if you process online payments directly in your store.
This means that your Magento online shop itself doesn’t necessarily need to comply with all of these requirements if you process payments outside it and do not keep any data related to your customers’ credit cards within your Magento store and hosting server.
PCI Compliance in Magento CE
1) Of course, you could switch to Magento Enterprise and benefit from its Secure Payment Bridge, a payment application certified according to PA-DSS requirements. However, for many small and medium businesses, Magento Enterprise is a cost prohibitive way to go.
2) A good option is using ready integrations with payment gateways that pass credit card data either via direct post API methods or using hosted forms for payment gateways that are compliant with the PCI SSC requirements:
- With Direct Post method, credit card information entered on the checkout page is passed directly to the payment gateway using special methods and never appears anywhere in your store or on your server.
- With Hosted forms, it’s even easier. The form for entering credit card information is hosted by the payment gateway and is just built into your checkout page via an iframe, which also creates an impression that a customer never leaves the store to complete the payment.
As a rule, a merchant enables one or two of such integrations in the store and starts accepting credit cards in a PCI compliant way – no fuss, no muss.
Unfortunately, not all payment gateways can be used following this approach due to some technical peculiarities and will require certification of your whole store following the procedures mentioned above, not to speak of hours of your programmer’s work spent to set up the integration.
3) To avoid restless nights and headaches related to PCI-DSS issues in this case, you can use an application called X-Payments. It’s PA-DSS certified system and is fully compatible with Magento. In many ways, it’s similar to using the Secure Payment Bridge that Magento offers with Magento Enterprise licenses. Having installed the X-Payments app, you get instant access to dozens of payment gateways and all you need to do is to add your merchant account details and address a few simple settings to enable the payment methods in your store.
An outstanding feature of X-Payments is that it enables not only PCI-compliant processing of credit cards but also saving and reusing them by customers and store administrators. It’s very convenient for buyers as they don’t need their card each time they shop in your store – they can simply use a saved credit card that they’ve put on file. X-Payments automates subscriptions and recurring payments and offers other tools and features to help you increase checkout conversions and improve transactions management in your online store. BTW, a free trial is available to see if this awesome app fits your business.
When it comes to securing your overall Magento store, a Magento Agency like Rand Marketing can assist with Magento security patches and upgrades, SSL’s, security scans, and other best practices to help keep hackers out of your store. Even if you don’t accept credit cards, you don’t want to risk downtime, destroyed customer relationships, and other hardships that having your website compromised can cause.
To sum up, whether or not your Magento CE based store is PCI-compliant depends on you. Since Magento Community Edition is open source, you can integrate it with the desired payment gateway and configure payment processing and storing customer sensitive data right in your Magento store but invest months to make your site safe and get PCI certified. Instead, you can make it easier and either redirect customers to the payment gateway side to complete an order or use a powerful third party application that will ensure PCI-compliance for your store.
Be safe. Sleep sound.