If you’re a small business like me, using the Community Edition of Magento and processing credit cards with Authorize.net, you’ve probably been struggling to figure out what exactly it takes to comply with the PCI-DSS requirements.
There seem to be a lot of grey areas with PCI standards – or at least, there are a lot of “grey” understandings. So I’ve been researching like crazy, trying to find a solid answer to what it takes for someone my size.
After wading through the PCI Security Standards Council’s website, reading practically every resource I could find on Google, looking for answers all over this forum, and watching the Magento PCI webinars (PCI 101), I could finally say I understood the PCI requirements, but I still couldn’t figure out what they meant for me. I was still saying, “this doesn’t apply to me because I don’t store cardholder data… because I don’t host the server myself… because I don’t have any employees… because I use an SSL certificate to transmit the data…” on and on. But they were starting to sound like pretty lame excuses, even to myself; I knew I needed professional help.
So I talked to Mark Lucas and Jon Bonham of Coalfire, the Qualified Security Assessors who worked with the Magento development team to certify Secure Payment Bridge as PA-DSS, and who also presented the aforementioned webinars.
Both Mark and Jon are extremely nice, and they summed up my situation quite simply: Because I have complete control over Magento’s code, and because I’m transmitting cardholder data to Authorize.net directly from that code, I need to pass Self-Assessment Questionnaire D.
Whoa! Away went my “can-do” attitude. I definitely can’t handle D – I simply don’t have the technical skills (or time) to even know where to begin, and I certainly don’t have the money to pay someone to manage it for me!
So what’s the alternative? There’s only one alternative for a business my size – outsource, so the responsibility to protect the cardholder data is no longer mine.
Now, PayPal or Google Checkout work fine, but as a branding geek I hate throwing customers out of my store when they pull out their credit cards. So that’s where a service like CRE Secure seems to come in – you can keep your checkout process on your site and keep it looking the same; the only difference is that customers put cardholder data into a form in an embedded iFrame that’s loaded from CRE’s PCI-compliant servers. With Magento and therefore my entire business never touching credit card information, that would put me completely out-of-scope of PCI requirements, and all I have to do is submit an SAQ-A (which CRE even helps you fill out) that says “You can’t touch this! Daa naa naa na na...”
So I’m about to make the jump. The pricing seems fair, especially considering the expense of complying with SAQ-D (thousands), or the cost of the fine if I were ever breached (bankruptcy). Of course, if you’re not worried about keeping your checkout process on-site, you could go with PayPal or Google, avoid the additional monthly fee, and only have to submit the SAQ-A as well.
Now, what about using Magento Professional and its PA-DSS Secure Payment Bridge? From what I understand, it takes a pretty expensive server setup to do that (one server for Magento, one for Payment Bridge), plus the cost of the license. And what do you gain that outsourcing to someone like CRE Secure won’t give you?
So to summarize all this – if you’re a small business trying to figure out PCI compliance, stop wasting your time dreaming you can allow customers to enter credit card numbers directly onto your website. As a small business, there’s no choice but to outsource your credit card data input!
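The hosted-iframe arrangement the post describes, as an added example that is not part of the original post and is not CRE Secure's, Magento's or Authorize.net's code: the merchant page's side of the exchange with the provider's iframe. The card form is rendered inside an iframe served from the provider's origin, so the browser's same-origin policy stops the merchant page (and any script running in it) from reading the card number; the only thing that should come back to the merchant page is an opaque token, and the merchant page must check the sender's origin exactly before trusting it. The provider origin, the `payment_token` message shape and the `tok_` token prefix are assumptions for illustration, not any real provider's API.

```javascript
// Added example (not from the original post). Merchant-page side of a
// hosted-payment iframe: build the frame from the provider's origin and
// accept only a token back, never card data.

// ASSUMPTION: the provider's origin and message format are made up here.
const PROVIDER_ORIGIN = "https://pay.example-provider.com";

// HTML for the embedded card form. The src is on the provider's origin, so
// this page cannot read what the customer types into it.
function paymentFrameHtml(merchantId, providerOrigin = PROVIDER_ORIGIN) {
  const src = providerOrigin + "/checkout?merchant=" + encodeURIComponent(merchantId);
  return '<iframe id="card-form" src="' + src + '" ' +
         'referrerpolicy="no-referrer" allow="payment"></iframe>';
}

// Luhn check, used only to refuse anything that looks like a raw card
// number arriving in the parent page (which would put the page in scope).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

function looksLikePAN(s) {
  const digits = s.replace(/[ -]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Validate a postMessage event from the hosted iframe. Returns the opaque
// token when the message is trustworthy, otherwise null.
function handlePaymentMessage(event, expectedOrigin = PROVIDER_ORIGIN) {
  // Exact origin comparison: a startsWith/endsWith check would accept
  // "https://pay.example-provider.com.attacker.test".
  if (event.origin !== expectedOrigin) return null;
  const data = event.data;
  if (!data || typeof data !== "object") return null;
  if (data.type !== "payment_token") return null;      // assumed message shape
  const token = data.token;
  if (typeof token !== "string" || !token.startsWith("tok_")) return null;
  // Defence in depth: a misconfigured provider must not hand us a PAN.
  if (looksLikePAN(token.slice(4))) return null;
  return token;
}

// In a browser the merchant page would wire it up like this and then send
// only the token to its own server, which charges through the provider.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    const token = handlePaymentMessage(event);
    if (token) {
      // submitOrderWithToken(token);  // merchant-side order call, not shown
    }
  });
}

// Constructed messages for a stand-alone run (no browser needed).
const GOOD = { origin: PROVIDER_ORIGIN, data: { type: "payment_token", token: "tok_8f3a1c2d9e" } };
const SPOOFED = { origin: PROVIDER_ORIGIN + ".attacker.test", data: { type: "payment_token", token: "tok_8f3a1c2d9e" } };
const LEAKED_PAN = { origin: PROVIDER_ORIGIN, data: { type: "payment_token", token: "tok_4111111111111111" } };

if (typeof require !== "undefined" && require.main === module) {
  console.log(handlePaymentMessage(GOOD));        // tok_8f3a1c2d9e
  console.log(handlePaymentMessage(SPOOFED));     // null
  console.log(handlePaymentMessage(LEAKED_PAN));  // null
}
```

The exact origin check is the part people get wrong: the iframe is only as strong a boundary as the parent page's trust in who is talking to it. The scope reduction also assumes the merchant page itself stays clean; a script injected into the Magento page can replace or overlay the provider's iframe, so keeping the checkout page free of third-party scripts matters as much as where the card form is served from.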