PCI Compliance With Magento

  • Written By Adam
  • Posted October 14, 2012
  • 4 minutes Read Time

PCI compliance is an important issue that crops up from time to time: currently, there is a question about how to achieve PCI compliance when running Magento eCommerce software. In particular, this question relates to the Community Edition of Magento, which has fewer features than the Enterprise and Professional Editions.

The question of PCI compliance is a complicated one, but if you want to learn more about it you can do so here among a variety of other online sources.

When it comes to achieving PCI compliance with Magento, the question isn’t simple either. This is largely because eCommerce software can’t actually be PCI compliant; only businesses can. No matter what features are available in your eCommerce software, it is still down to you to make sure payments are processed securely, data is kept safe and so on.

However, if you are using either the Professional or Enterprise Magento eCommerce software, you will be able to benefit from the fact that Magento has taken steps to make sure that the Payment Bridge is PA-DSS certified. This means that you will be one step closer to PCI compliance. This feature, though, is not available in the Community Edition of Magento eCommerce software, which is where much of the debate originated in the first place.

This doesn’t mean that you can’t be PCI compliant with this Magento software, and there are lots of things you can do to make sure that you are. It’s worth noting, for instance, that the software for the Professional and Enterprise editions isn’t PCI compliant in itself – it’s the Payment Bridge feature that is.

One option, particularly for those businesses using the Community Edition software, is to use a hosted payment method. This includes options such as authorize.net and PayPal Express. This then means that you won’t be storing any credit card information or processing any transactions yourself, so you don’t need to make sure your software is PCI certified. This does mean that you would end up being redirected to another site, but if you use Cybersource Silent Order Post, which is on the Magento roadmap, you shouldn’t have too many kinks.

Another option would be to use another PCI compliant payment platform such as Sage Pay. This is a good option as it is much more seamless and means that the payment form should look consistent with your site, even though the URL does change (which could be considered a downside as some customers might abandon their carts as a result). Again, it means that the payment transaction happens elsewhere so your eCommerce software will not necessarily need to be PCI compliant.

For those people using the Magento eCommerce Community Edition, you could also choose to upgrade the software so that you can make use of Magento Payment Bridge because, as already discussed, it is compliant. The downside here is that there is more of a cost involved but it is one of the best solutions to the issue and it also has the advantage of being provided by Magento.

The extent of the steps you will need to take to ensure PCI compliance when you are using Magento will largely depend on how many eCommerce transactions you make every year: simply put, the more transactions you process, the more you will need to do to prove your PCI compliance.

This can sometimes be confusing, especially as PCI compliance is not always enforced uniformly. Depending on which merchant service provider you use, you are likely to get different answers about what you actually need to do. This means it is by no means an issue that is specific to Magento eCommerce software. In fact, Magento actually provides some of the best solutions.

It is an important issue to consider, though, especially for smaller businesses as it’s been estimated that up to 90% of fraud occurs at that level. It can be a complicated and time-consuming issue for small businesses, so overall the best current solution is likely to be to remove the processing of transactions from your server. This means you’ll still be able to provide a secure server but it will give you less of a headache when it comes to the issue of compliance.