28Apr, 2015

Magento and PCI Compliance

Author: Kevin

In the previous two blogs we covered PCI compliance in general and the benefits of being PCI compliant. In this blog we focus specifically on Magento (one of the most widely adopted e-commerce platforms) and PCI compliance. Before we dive in, a brief recap of what PCI compliance is:

Any business that accepts credit or debit cards has to follow the Payment Card Industry Data Security Standard (PCI DSS), a standard maintained by the PCI Security Standards Council, which was founded by the major card brands. The standard governs how cardholder data is handled, transmitted, stored and protected, and exists to limit card fraud. An online merchant that does not comply can be fined by the card brands through its acquiring bank, and many acquirers will refuse or terminate a merchant account for a non-compliant merchant.

Four Merchant Levels of PCI Compliance

Before we get into the details it is important to understand the context. Magento itself is not PCI compliant, because it is just a piece of software; your business, which uses Magento, is what gets certified, and Magento is one component of that. How you validate compliance depends on your annual card transaction volume. Level 1 merchants need an annual on-site assessment by a Qualified Security Assessor (QSA); the lower levels can usually self-assess with a Self-Assessment Questionnaire (SAQ).

  • Level 1: More than 6 million transactions per year
  • Level 2: Between 1 million and 6 million transactions per year
  • Level 3: Between 20,000 and 1 million e-commerce transactions per year
  • Level 4: Fewer than 20,000 e-commerce transactions per year

How Magento helps with PCI compliance

  • Think of Magento Enterprise Edition as two components: the e-commerce platform and the Magento Secure Payment Bridge.
  • As mentioned earlier, Magento in itself is not PCI compliant, but it assists merchants in meeting PCI compliance through the Secure Payment Bridge.
  • The payment bridge is a separate application built to meet PCI DSS requirements, so the part of the system that touches card data is small and already assessed, which saves merchants time and money during their own assessment.
  • Another advantage of separating the payment bridge from the e-commerce platform is that new features can be added to the store without triggering a PCI re-assessment of the entire platform; only the bridge is in scope for card data.
  • The Secure Payment Bridge is not available for Community Edition; it is included in the Magento Enterprise Edition subscription.

Magento Community Edition and PCI Compliance

Merchants running Magento Community Edition have the following options for keeping card data out of their store and reducing their PCI scope:

  • Use a hosted (redirect) payment method, where the customer is sent to the payment provider's site to enter card details. The card number never reaches your server, so you are no longer storing, processing or transmitting cardholder data. Note that this reduces your PCI obligations rather than removing them: you still validate compliance, typically with the short SAQ A, and you remain responsible for keeping the redirect itself (the checkout page, its scripts and server) from being tampered with.
  • Use a PCI compliant gateway's hosted form or tokenization service, so that the customer's browser sends card data directly to the gateway and your store only ever handles a token that stands in for the card.

Are you running Magento with PCI compliance on your mind? What are your thoughts? Share your feedback and suggestions by commenting below, or write to us at info@i95dev.com.
