PCI DSS like mosts standards associated with the internet is over complicated, poorly implemented and isn’t understood by most online businesses so we’ve put together a document to help explain what it is, why it exists and what’s involved in becoming PCI compliant using normal people’s language, not computer jargon.
Our full guide to PCI Compliance can be downloaded below and there’s more information on the ofﬁcial Website is https://www.pcisecuritystandards.org:
In a nutshell PCI Compliance is a standard set by the payment card group (a combination of different credit card companies) in order to reduce fraud in the industry.
The standard was created to help organisations that process card payments prevent credit card fraud, through increased controls around data and its exposure to compromise. The standard applies to all organisations which hold, process or pass cardholder information from any card branded with the logo of one of the card brands.
Validation of compliance depends on the volume of card transactions your organisation is handling and compliance must be assessed annually. If you are handling large volumes of transactions you must have your compliance assessed by an independent assessor known as a Qualiﬁed Security Assessor (QSA). Companies handling smaller volumes have the option of self-certiﬁcation via a Self-Assessment Questionnaire (SAQ).
As a non-compliant company who maintains a relationship with one or more of the card brands, either directly or through an acquirer you risk losing the ability to process credit card payments and there can be steep ﬁnes (over £100 per card stolen) if you are not PCI Compliant.
For most businesses PCI Compliance only really becomes a factor if you are processing card details so below are the key steps in keeping your Magento eCommerce site compliant.
Keeping Your Magento Shopping Cart PCI Compliant
- First read the guide above
- Make sure your customer checkout and Admin is SSL Encrypted
- Keep your shopping cart updated to the newest version to protect from SQL Injection hacks, and other security breaches. Updating your shopping cart should take from 1 – 3 hours depending on the number of customizations you have installed.
- Provide different access levels and logins to the different people that use the administration section of your website. Don’t provide people access to customer credit card information that doesn’t need it (i.e. employees that update product info or website articles).
- Do you really need to store your customer’s credit card data? Usually not – try to avoid this. It reduces your risk. You only really need to have the customer credit card data entered on the payment screen and sent immediately to your payment processor. Your payment is then authorised/captured, and you don’t need to store that data any longer.
- Never store CVV credit card information (3 to 4 digit code on the back of the credit card).
- If you must store customer credit card data for recurring billing or other applications, many payment processors now offer a service where they store the credit card data, and your shopping cart accesses and bills customers using an API (method of communication). This means that you are no longer responsible for storing that data and don’t have that liability. We fully recommend this solution. Imagine the liability and damages to your company if your customer’s credit card data was stolen.