
Magento Forum

Page 1 of 2
Anyone know whether or not Magento CE need to be PA-DSS approved by the July 1st deadline? 
 
AmandaRecord
Jr. Member
 
Total Posts:  2
Joined:  2010-02-27
San Diego, CA
 

Hello All,

I am leading a project for a retailer's e-commerce site using the Community edition. We will be using CRESecure to take care of our checkout being PCI compliant. But what I am still worried about is Magento CE being PA-DSS validated. Magento CE wouldn't need to be PA-DSS validated as long as it doesn't store any of the payment/cc information. Can any of you shed any light on how Magento Community handles the transaction - does it store any of the cc info or is everything passed to the 3rd party payment gateway (ex- authorize.net) and so CE doesn't need to be PA-DSS approved? I'd really appreciate any help. Magento has been pretty unresponsive to my email, tweets, etc.

Amanda

 
 
varyous
Sr. Member
 
Total Posts:  221
Joined:  2008-10-18
Russia
 

It depends on the payment methods used. Some of them save cc info in the order, but mostly payment modules only pass cc info to the payment gateway
and save only transaction IDs.
Of the default Magento payment modules, only the "Saved CC" module saves cc information in the order.

 
 
fr0x
Member
 
Total Posts:  59
Joined:  2009-05-20
 

I guess I'm not quite sure I understand what you mean by Magento CE being PA-DSS approved.  You being PCI compliant or not is dependent on how you process credit cards and whether or not your infrastructure is secure.

The level to which you must secure your network depends on whether you store credits and whether the customer ever enters in any credit card information on your site.

A couple of scenarios to help explain the different levels:

- A customer adds items to their cart on your site.  When they click "checkout" they are redirected outside of your site to something like Google Checkout.  At no point does a customer enter in credit card information while on your website.  In this scenario you would need to pass SAQ "A".

- A customer adds items to their cart on your site.  When they click "checkout" they remain on your site and fill in their personal information including their credit card information.  When the user clicks submit, the credit card information is sent to an Authorizer (like Authorize.net) who returns a unique token id for you to reference.  At no point do you ever store the credit card (encrypted or not) or the CVV2 value.  By "at no point" I mean never, not for a millisecond, not for 10 minutes until you can process it manually.....never.  You may store a masked PAN (4xxxxxxxxxxxxxxx1111).  In this scenario you would need to pass SAQ "C".

- A customer adds items to their cart on your site.  When they click "checkout" they remain on your site and fill in their personal information including their credit card information.  When the user clicks submit, you encrypt the credit card and then store it in the database.  You may store it for 5 minutes until someone can manually try to process it in the cart or you may pass the encrypted card data to a system at your office to be processed.  Either way, simply by inserting it into a database you instantly fall under SAQ "D".

You may want to take a look at this thread:
http://www.magentocommerce.com/boards/viewthread/184526/

I also suggest calling your Authorizer.  It is in their best interest for you to be PCI compliant and they may be able to help walk you through what your requirements are (as you are a client of theirs).

 
 
truetechsupport
Jr. Member
 
Total Posts:  26
Joined:  2010-05-04
Minnesota
 

You can use the Authorize.Net SIM method via this extension to process credit cards on Authorize.Net's website rather than yours. It's a much more reasonable solution than CRESecure.

 
 
Crucial Web Host
Guru
 
Total Posts:  364
Joined:  2007-11-08
Phoenix, AZ
 

Fr0x -

PA-DSS, Payment Application Data Security Standard is a very important part of PCI Compliance and is definitely ingrained into the compliance mandates.  July 1, 2010 was the deadline and CE is not, and likely will not be PA-DSS compliant anytime in the near future - PA-DSS is soon to be available on the PE and EE products.

For Magento Application users we strongly suggest that you view the following PCI Compliance webinar recently released by Varien as it covers PA-DSS and PCI Compliance levels very well.  You WILL learn something from this webinar and I promise it will not be a waste of time.

http://www.magentocommerce.com/media/webinar-archive/pci-compliance-101-for-magento-merchants-presented-by-magento-and-coalfire-/view

Hope this information is useful.

 
 
fr0x
Member
 
Total Posts:  59
Joined:  2009-05-20
 

PA-DSS, Payment Application Data Security Standard is a very important part of PCI Compliance and is definitely ingrained into the compliance mandates.  July 1, 2010 was the deadline and CE is not, and likely will not be PA-DSS compliant anytime in the near future - PA-DSS is soon to be available on the PE and EE products

Actually, the PCI Compliance has nothing directly to do with PA-DSS.  An application that is PA-DSS is much easier to become compliant with but nowhere in any of the PCI SAQ documents is there a requirement for PA-DSS.  In fact, the only mention of PA-DSS is in regards to whether or not you store credit card information.  PA-DSS is just a certificate whose main point is that the application does not, at any point, store credit card information.  A base Magento install does not do this.  You can be PCI compliant *without* a PA-DSS certified system.  You just have to know enough about the system to appropriately fill out the given SAQ.  Even if you do store credit cards with a plugin or edits to Magento, you can STILL be PCI compliant....it’s just a much larger road to go through filling out SAQ D (much much much larger).

Even if Magento CE was PA-DSS certified, that doesn’t mean you are PCI compliant.  You can just fill out a bit more of the SAQ without having to know detailed information about the system (i.e., if it’s PA-DSS certified, you can easily check off that you aren’t storing credit card numbers instead of having to look through the code to make sure you aren’t).

Becoming PCI compliant is two things....
Filling out the proper SAQ (and being compliant on all the points within it).
Doing a quarterly scan on your network.
(this is slightly different if you are a level 1 or 2 merchant, but I’m guessing if you are looking in here for answers, you aren’t that big).

Just would hate for people to get hung up on the PA-DSS portion (and the fact that Magento CE is not PA-DSS certified) and then not go through with their actual PCI-Compliance.

As always, talk to your authorization service.  They will help you and steer you in the right direction.  They want you PCI Compliant more than anyone.
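The two fr0x posts above turn on one verifiable fact: that nothing in your Magento database, logs or exports retains a full PAN or a CVV/CID value, while a masked PAN (4xxxxxxxxxxxxxxx1111) or a gateway transaction id is fine. The following added example (not code from the thread or from Magento) is a small scanner a merchant can run over a database dump or log extract to check that claim before filling out the SAQ; the sample records, field names and values are constructed for illustration.

```python
import re
from dataclasses import dataclass

# 13-19 digit runs, optionally separated by spaces or dashes, not embedded in longer digit runs.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Field names that must never hold a value at rest (assumed names, not Magento's own).
CVV_FIELD = re.compile(r"(?:cvv2?|cvc2?|cid|card_?code)\s*[=:]\s*\d{3,4}(?!\d)", re.I)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters order numbers and transaction ids out of the digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    line_no: int
    kind: str      # "full_pan" or "cvv_field"
    masked: str    # first 6 + last 4 of the PAN, never the full number


def scan_record(line_no: int, line: str) -> list[Finding]:
    findings = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            findings.append(Finding(line_no, "full_pan", masked))
    if CVV_FIELD.search(line):
        findings.append(Finding(line_no, "cvv_field", ""))
    return findings


def scan_records(lines: list[str]) -> list[Finding]:
    out = []
    for i, line in enumerate(lines, 1):
        out.extend(scan_record(i, line))
    return out


# Constructed sample rows: last4 + token, a masked PAN, a full PAN with CID, a non-card number.
SAMPLE = [
    "order=100000123 cc_last4=1111 cc_type=VI txn_id=2207690123",
    "order=100000124 cc_number=4xxxxxxxxxxxxxxx1111",
    "order=100000125 cc_number=4111 1111 1111 1111 cc_cid=123",
    'order=100000126 note="ref 1234567890123"',
]


def scan_sample() -> list[Finding]:
    return scan_records(SAMPLE)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: {f.kind} {f.masked}")
```

Only the third row is reported (as both a full PAN and a stored CID); the masked PAN, the transaction id and the 13-digit reference that fails the Luhn check pass clean.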

 
 
Crucial Web Host
Guru
 
Total Posts:  364
Joined:  2007-11-08
Phoenix, AZ
 

I agree with everything you’ve said here and you are dead on with your comments.  I would like to point out one thing, however:

fr0x - 15 July 2010 06:53 AM

Actually, the PCI Compliance has nothing directly to do with PA-DSS.  An application that is PA-DSS is much easier to become compliant with but nowhere in any of the PCI SAQ documents is there a requirement for PA-DSS.  In fact, the only mention of PA-DSS is in regards to whether or not you store credit card information.  PA-DSS is just a certificate whose main point is that the application does not, at any point, store credit card information.

There could be some confusion here, due to the fact that a PA-DSS certified application may not retain full magnetic stripe, card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data - however, requirement 2 does state that the PA-DSS certified application must “Protect stored cardholder data”, which ultimately implies that cardholder data can be stored, however must be done so in a way that fully protects that stored cardholder data.  Slightly different than “the application does not, at any point, store credit card information.”, which may be a slight overstatement and I don’t mean to nitpick, but to simply be clear.

Gleaned from: https://www.pcisecuritystandards.org/pdfs/pci_pa_dss.pdf

A base Magento install does not do this.  You can be PCI compliant *without* a PA-DSS certified system.  You just have to know enough about the system to appropriately fill out the given SAQ.  Even if you do store credit cards with a plugin or edits to Magento, you can STILL be PCI compliant....it’s just a much larger road to go through filling out SAQ D (much much much larger).

Absolutely correct - a merchant should do everything possible to not store or transmit cardholder data to avoid SAQ-C & SAQ-D certification, which most retailers here would simply not be able to achieve financially or technically speaking.

Even if Magento CE was PA-DSS certified, that doesn’t mean you are PCI compliant.  You can just fill out a bit more of the SAQ without having to know detailed information about the system (ie, if its PA-DSS certified, you can easily check off that you aren’t storing credit card numbers instead of having to look through the code to make sure you aren’t).

Unless, of course, the payment application is storing credit card information, just not magnetic stripe information and CCV data.

Becoming PCI compliant is two things....
Filling out the proper SAQ (and being compliant on all the points within it).
Doing a quarterly scan on your network.
(this is slightly different if you are a level 1 or 2 merchant, but I’m guessing if you are looking in here for answers, you aren’t that big).

Well said - With the major point being a firm understanding of which SAQ the merchant should fill out.

Just would hate for people to get hung up on the PA-DSS portion (and the fact that Magento CE is not PA-DSS certified) and then not go through with their actual PCI-Compliance.

ALL merchants MUST be PCI Compliant regardless of their SAQ or Type.  If your website accepts payments in any form or fashion, you are fully responsible for being PCI Compliant; the only way around this is to simply not accept credit cards *gasp*

As always, talk to your authorization service.  They will help you and steer you in the right direction.  They want you PCI Compliant more than anyone.

[rant]
Heh - I often wonder about this one.  Is it *really* in the payment acquirer’s best interest for all merchants to be PCI Compliant?  I must imagine that the acquirers would much rather hand the costs of a security breach off to the merchant rather than absorb those costs themselves.  I’ve often felt that this may be the main reason why PCI Compliance has really not affected many merchants to date even though PCI Compliance has been mandated for many years.  It’s a very easy way for the acquirer to ‘pass the buck’ by just not making a big deal of it, until the breach occurs.

I’ve also found that many merchant providers are clueless when it comes to compliance issues - I’ve dealt with a few that simply said, “pass the scan and you’re good” - this is obviously false and misleading information, but we see it every day from clients.

Ultimately, I think PCI-DSS is crap and merely a way for the Payment Card Industry to milk more money out of merchants.  If they really wanted true security, the card itself would be changed and things like PIN numbers would be instituted instead of printing every piece of information necessary to steal an identity and card information directly on the card itself.  Not much different than the Debit Cards in use today.  Heck, even the signature is on the back of the card 9 times out of 10… This is just dumb.
[/rant]

Excellent points Fr0x and I enjoy your posts - keep up the great work.

 
 
kulturshock
Jr. Member
 
Total Posts:  29
Joined:  2009-11-30
 

The July 1st deadline applies to US and Canada merchants. It does not yet apply to the rest of the world. This deadline requires that any merchant who stores, processes or transmits card data be PCI compliant. It further requires that unless they use a bespoke payment application, the payment application must be a PA DSS certified application. Magento is not a PA DSS certified application. Thus the implication is you CANNOT remain PCI compliant if you continue to use Magento and process, store or transmit credit cards.

 
 
Crucial Web Host
Guru
 
Total Posts:  364
Joined:  2007-11-08
Phoenix, AZ
 

Unless, of course, you’re talking about SAQ-A PCI Compliance since the Payment Application (PA) is done by a third party, ie Paypal, Google Checkout, etc.  In which case, you are neither processing, storing nor transmitting card holder data.

In the SAQ-A Type 1 Magento’s PA-DSS compliance is irrelevant.

http://www.crucialwebhost.com/blog/ecommerce-pci-compliant-hosting/#type-1-saq-a

 
 
Sigma Infosolutions
Jr. Member
 
Total Posts:  2
Joined:  2010-07-16
 

Version: Magento 1.4.x. It has default order export functionality compared to the older version. With the present version we need to download an extension to do order export. Therefore it's better to use Magento 1.4.x for new features.

 
 
bj0rn
Member
 
Total Posts:  37
Joined:  2008-06-16
 

There are way too many differing points of view on this topic to make any sense of the way forward! As a Magento merchant using Authorize.net, it sucks there is no authoritative voice coming from Varien saying “this is what you have to do”! But I suppose that’s what Payment Bridge is?

 
 
TWDesign
Member
 
Total Posts:  38
Joined:  2009-10-31
 

If your only medium of credit card transaction is online AND the handling of the credit card information is outsourced to a 3rd party via PayPal Standard or Google Checkout or similar, you don’t need to worry about PCI or PA-DSS. So you can happily keep using Magento CE in that scenario.

Simple English PCI and PA-DSS guide

 
 
bj0rn
Member
 
Total Posts:  37
Joined:  2008-06-16
 

Yeah but from a user-experience point of view, who wants to push people offsite to checkout?

From what I understand, PCI compliance is possible with community edition using the built in Authorize.net support… You just have to be able to pass SAQ-C. Can anyone confirm that?

 
 
Crucial Web Host
Guru
 
Total Posts:  364
Joined:  2007-11-08
Phoenix, AZ
 
Neuraxial - 22 July 2010 06:12 PM

From what I understand, PCI compliance is possible with community edition using the built in Authorize.net support… You just have to be able to pass SAQ-C. Can anyone confirm that?

Yes I can confirm this, assuming you will only be ‘transmitting’ card holder data and not storing card holder data then you ‘just’ need to be SAQ-C compliant.

The ‘just’ part may be a bit of an understatement.  SAQ-C is very difficult and likely will be both technically and financially out of the range of most merchants.  Just the hardware alone required for SAQ-C compliance could cost thousands of dollars per month to lease - you could buy the hardware and colocate it, but that’s a much steeper initial investment and you still have the colo costs and the costs to host with a Certified PCI Service Provider.

Take a look at the requirements for SAQ-C, they’re really not much different from SAQ-D.

https://www.pcisecuritystandards.org/pdfs/pci_saq_c.pdf

While you do bring down the costs some with SAQ-C - you still have the dedicated server requirement, among other things.

SAQ-C is no small accomplishment, by any means.  The documentation requirements alone would be technically impossible for most small merchants.

=================================================================
Self-Assessment Questionnaire C

- Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

- Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4:  Encrypt transmission of cardholder data across open, public networks

- Maintain a Vulnerability Management Program

Requirement 5:  Use and regularly update anti-virus software or programs

Requirement 6:  Develop and maintain secure systems and applications

- Implement Strong Access Control Measures

Requirement 7:  Restrict access to cardholder data by business need-to-know

Requirement 8:  Assign a unique ID to each person with computer access

Requirement 9:  Restrict physical access to cardholder data

- Regularly Monitor and Test Networks

Requirement 10:  Track and monitor all access to network resources and cardholder data

Requirement 11:  Regularly test security systems and processes

- Maintain an Information Security Policy

Requirement 12:  Maintain a policy that addresses information security for employees and contractors
=================================================================

Additional information:
http://www.crucialwebhost.com/blog/ecommerce-pci-compliant-hosting/#type-4-saq-c

Hope this helps - It’s not pretty but it’s the facts.

 
 
TWDesign
Member
 
Total Posts:  38
Joined:  2009-10-31
 
Neuraxial - 22 July 2010 06:12 PM

Yeah but from a user-experience point of view, who wants to push people offsite to checkout?

Speaking personally, I would not give my credit card details to any Tom, Dick or Harry online merchant. So in that sense, I ONLY will hand over the money if I can safely transact the detail offsite at a Payment gateway I recognize, such as PayPal.

I think the whole “3rd party gateway means lower conversions” argument is overstated. I would love to see if any RECENT empirical research exists to back it up.

And anyway, as Crucial Web points out above, it’s not as if the average small online business has a choice these days.

 
 
bj0rn
Member
 
Total Posts:  37
Joined:  2008-06-16
 

Crucial: So in enters Secure Payment Bridge, offering you a way to pass SAQ-C more easily?

TW: Some “average” consumers I’ve talked to give PayPal absolutely no trust… Perhaps the worries about losing conversions ARE overstated, but as long as I see an SSL certificate and some trustmarks I’d always prefer to just type my credit card number in with the merchant, instead of jumping through the hoops of logging into PayPal or Google and selecting the credit card there. To each their own, I suppose… but it sounds like perhaps not, anymore.

Has anyone tried CRE Secure or another outsourced-embedded option?

 