Magento Forum

July 1 PCI Compliance and PayPal Website Payments Pro
 
jg314
Jr. Member
 
Total Posts:  17
Joined:  2010-05-04
 

Hi,

I am working on a site for a healthcare consulting firm and I am trying to make sure they’ll be PCI Compliant for the July 1, 2010 deadline.

I am planning on using PayPal Website Payments Pro so they can accept credit cards directly on their site and have PayPal process those cards without the customer’s knowledge.  This way we don’t lose customers by sending them offsite and we also aren’t storing credit card numbers.

I spoke with both PayPal and GoDaddy and they both said all we need to be PCI Compliant is an SSL Certificate for sending the credit card information to PayPal. 

Is it true that all I need is an SSL Certificate for them to be PCI Compliant or do I need to take further steps for them?

Thank you.

Jonathan

 
 
fr0x
Member
 
Total Posts:  59
Joined:  2009-05-20
 

Check the SAQ (self assessment questionnaire) for PCI compliance here:
https://www.pcisecuritystandards.org/saq/instructions_dss.shtml

The amount one needs to go through to become compliant is wholly dependent on what they do with the credit card numbers (and then consequently which section they fall under....A, B, C, or D).

If you aren’t storing the credit card ever, you shouldn’t have to worry about “D” (which is about 73 pages worth of requirements).

My guess is you are falling under either category A or category C.  You may need to consult with someone to determine which one you best fall under.  Section A is defined as someone whose entire cardholder data functions are outsourced.  I’m not sure if having Magento make calls to PayPal means it’s outsourced or if you would have to have the purchaser go directly to PayPal from Magento without Magento ever touching the credit card number (even if it’s only to send it to PayPal).

I’m thinking you will fall under category C by the way you described your setup (having Magento sending payment info to Paypal instead of having the customer go to Paypal and enter the payment info).  A’s requirements are easier but C’s aren’t overly difficult to meet (D’s on the other hand.....)

 
 
jg314
Jr. Member
 
Total Posts:  17
Joined:  2010-05-04
 

Hi fr0x,

Thank you for your response.  I was able to determine that we fall under Category C and downloaded the questionnaire.  It appears that I most likely need to check in with my hosting company, but as long as they are using a firewall and virus protection along with encrypting data we should be compliant.

Thanks again for your help.  I really appreciate it.

Jonathan
JG Visual
www.jgvisual.com

 
 
fr0x
Member
 
Total Posts:  59
Joined:  2009-05-20
 

We also had to apply those standards to our office (as well as our host) as we take orders over the phone too (I’m not sure if that is applicable in your case).  As long as your client isn’t doing any credit card processing themselves (whether it be taking an order over the phone or doing credits in their system), you should be good with just applying the SAQ “C” to your host.

 
 
jg314
Jr. Member
 
Total Posts:  17
Joined:  2010-05-04
 

Hi fr0x,

When you say “doing credit cards in their system”, what exactly do you mean by that?  They are receiving the credit card information on their website, but they will immediately send it over to PayPal for processing without storing it.  Do you think that still makes the SAQ C apply?

Thank you again for your help.

Jonathan
JG Visual
www.jgvisual.com

 
 
fr0x
Member
 
Total Posts:  59
Joined:  2009-05-20
 

Hi JG,

From everything you’ve described your “worst case scenario” would be SAQ C (with your best case scenario being SAQ A).  Nothing you’ve described would make me believe you would fall under SAQ D.

What I meant by “doing credit cards in their system” was whether they have an in-office system (outside of Magento) that would also do credit card handling.  For instance, your customer may have the website (Magento) and may have a retail store that runs on a different piece of software that handles credit cards.  If that were the case, then they would have to apply the SAQ to both the website server/host and their internal network/point of sale system.  If your client does not do any credit card processing outside of Magento (either through a store or customer service representatives taking phone orders) you shouldn’t have to worry about applying the SAQ to the office environment and only to your Magento host (this is assuming the Magento server is being hosted by someone else and not in your clients office).

My general understanding on the line between SAQ A and SAQ C is this......

If when you click “checkout” in your Magento site and you are immediately brought to another site (like Paypal) where all the credit card information is entered, you could fall under SAQ A.

If when you click “checkout” and you are still within Magento when they physically enter their credit card number and then just the information is sent to another site for authorization (and you don’t store any credit card information within Magento), you would fall under SAQ C.  Even though the credit card information is only “visible” to your Magento server for as much time as it takes for the submit button to be clicked and it sent off to an authorization service, it’s enough that your server can be a vulnerability and therefore you fall under SAQ C.

If you decide to actually store the credit card information in the DB, then you’re in a world of hurt and have to follow SAQ D (which it doesn’t sound like is an issue with your setup).

I preface this all by saying I’m not a PCI expert and my information is only from currently going through it myself.
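
Editor’s note: the point in the post above (card data that only transits the server still makes the server part of the cardholder data environment, and the whole argument rests on never storing the PAN) is worth checking mechanically. The example below is added here and is not code from the thread, from Magento or from PayPal. It shows a hypothetical authorization handler that leaks the full card number into its own log beside a hardened version that logs only a truncated PAN, and a Luhn-filtered scan that can be run over log files or database dumps to confirm no full PAN is being retained. The handler names and the log lines are constructed for the example; the card number is the public Visa test number, not a real card.

```python
"""Added example (not from the thread, Magento or PayPal): checking that a card
number that passes through the merchant server is not retained in logs or dumps.
Handler names and log lines are hypothetical/constructed."""
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log: a leaky debug line next to a safe one.
SAMPLE_LOG = """\
2010-06-15 10:01:02 INFO checkout order=100000042 amount=129.00
2010-06-15 10:01:03 DEBUG authorize request={'card_number': '4111 1111 1111 1111', 'exp': '12/12', 'amount': '129.00'}
2010-06-15 10:01:04 INFO authorize card=411111******1111 amount=129.00
"""


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check. Rejects ~90% of random digit runs (order IDs,
    timestamps), so hits are worth a manual look rather than noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid 13-19 digit numbers found in text, separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Truncate to first six / last four, the most a stored or displayed PAN may show."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def leaky_authorize(request: dict, log: list) -> str:
    """Hypothetical handler: forwards the card to the processor but logs the raw
    request first, so the full PAN is now sitting on disk."""
    log.append(f"authorize request={request}")
    # ... processor call (PayPal / Authorize.Net) would go here ...
    return "approved"                       # stand-in for the processor's response


def safe_authorize(request: dict, log: list) -> str:
    """Same flow, but only a truncated PAN and the amount ever reach the log."""
    log.append(f"authorize card={mask_pan(request['card_number'])} amount={request['amount']}")
    # ... processor call would go here ...
    return "approved"


if __name__ == "__main__":
    # Report hits without echoing the PAN itself.
    for pan in find_pans(SAMPLE_LOG):
        print("full PAN retained in log:", mask_pan(pan))
```

Run the same `find_pans` over a `mysqldump` of the store database and over the web server and application logs; a clean result is the evidence behind “we don’t store credit card numbers”. Expect a few false positives on long numeric IDs that happen to pass Luhn, and check those by hand.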

 
 
jg314
Jr. Member
 
Total Posts:  17
Joined:  2010-05-04
 

Hi fr0x,

Most importantly, I want to say thank you for your response.  I really appreciate it and I know it will go a long way in helping my clients.

As for the compliance, I completely agree with you.  Since we are only going to send the credit card information from the site to PayPal and not store any credit card information in the database, I think we fall under SAQ C.  I’ve downloaded it and will be working over the next couple of weeks to ensure we can follow it using either GoDaddy or JustHost.

Thanks again.

Jonathan Goldford
JG Visual
www.jgvisual.com

 
 
bj0rn
Member
 
Total Posts:  37
Joined:  2008-06-16
 

I’m trying to figure out where my client stands with PCI, as well. We take credit cards in Magento using Authorize.Net, so nothing is stored on our server. But we also take card numbers over the phone, which are entered into a retail-style credit card machine. Does anyone know if this places us into SAQ D category?

Also, in the SAQ part 2c Transaction Processing asks for “Payment Application in use” and the version - do write in Magento?

And for the Requirements that have to do with network/data security - that’s all on our web host’s back, not ours. Should I write N/A and state that, or just check Yes?

Thanks for any help - what a headache!

 
 
fr0x
Member
 
Total Posts:  59
Joined:  2009-05-20
 

I’m trying to figure out where my client stands with PCI, as well. We take credit cards in Magento using Authorize.Net, so nothing is stored on our server. But we also take card numbers over the phone, which are entered into a retail-style credit card machine. Does anyone know if this places us into SAQ D category?

It really depends on how those credit cards are handled on the phone side.  I know some brick and mortar type systems will just transmit the card information over the phone line.

The information here will determine where you stand:
https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions

You may only have to worry about SAQ B if:
- Imprint-only merchants with no electronic cardholder data storage
or
- Stand-alone terminal merchants, no electronic cardholder data storage

In both of these cases, the terminals are not connected to the internet (either imprint only or over a telephone line).

Once you hit “Merchants with POS systems connected to the Internet, no electronic cardholder data storage” you are instantly in C.

Now if their phone ordering system stores the credit card information at any point for any amount of time (encrypted or not) then you are going to be falling into category D.

The one thing I’m not sure about is if you have your two systems (website and phone) and if they fall under different SAQs, can you apply say SAQ B to your phone system and SAQ C to your website or, if one of your systems is in a higher SAQ, do you have to apply that higher SAQ to both.

Because you are taking credit cards in two systems though, you will most certainly have to apply a SAQ to both your website system and the phone ordering system.

Also, in the SAQ part 2c Transaction Processing asks for “Payment Application in use” and the version - do write in Magento?

If it’s a built-in plugin, I would include Magento and your current version.  If it’s a separate plugin, you may have to include some information on that plugin.

And for the Requirements that have to do with network/data security - that’s all on our web host’s back, not ours. Should I write N/A and state that, or just check Yes?

Yes and No.  Because you state that the customer takes credit cards over the phone, it is also on the back of your clients network where these phone orders are being placed as well.  As for your website side, part of it is on the web host’s back.  Firewall settings on the server that are under your control are on you.  Access controls to the server room and other things out of your control are obviously on the host.  Before putting in “Yes” you will want to make sure that the host *is* PCI compliant.

As I put in another post above, I’m certainly no expert on the subject and you may want to consult an expert before submitting anything (especially as it isn’t clear what needs to be done for the phone ordering system).  You may be able to give Authorize.net a call and get some questions answered from them for free (as you are a customer of theirs and it is in their best interest that you are PCI compliant).

 