
Magento Forum

What Small Businesses Need To Know About PCI Compliance
 
bj0rn
Member
 
Total Posts:  37
Joined:  2008-06-16
 

If you’re a small business like me, using the Community Edition of Magento and processing credit cards with Authorize.net, you’ve probably been struggling to figure out what exactly it takes to comply with the PCI-DSS requirements.

There seem to be a lot of grey areas with PCI standards – or at least, there are a lot of “grey” understandings. So I’ve been researching like crazy, trying to find a solid answer to what it takes for someone my size.

After wading through the PCI Security Standards Council’s website, reading practically every resource I could find on Google, looking for answers all over this forum, and watching the Magento PCI webinars (PCI 101), I could finally say I understood the PCI requirements, but I still couldn’t figure out what they meant for me. I was still saying, “this doesn’t apply to me because I don’t store cardholder data… because I don’t host the server myself… because I don’t have any employees… because I use an SSL certificate to transmit the data…” on and on. But they were starting to sound like pretty lame excuses, even to myself; I knew I needed professional help.

So I talked to Mark Lucas and Jon Bonham of Coalfire, the Qualified Security Assessors who worked with the Magento development team to certify Secure Payment Bridge as PA-DSS, and who also presented the aforementioned webinars.

Both Mark and Jon are extremely nice, and they summed up my situation quite simply: Because I have complete control over Magento’s code, and because I’m transmitting cardholder data to Authorize.net directly from that code, I need to pass Self-Assessment Questionnaire D.

Whoa! Away went my “can-do” attitude. I definitely can’t handle D – I simply don’t have the technical skills (or time) to even know where to begin, and I certainly don’t have the money to pay someone to manage it for me!

So what’s the alternative? There’s only one alternative for a business my size – outsource, so the responsibility to protect the cardholder data is no longer mine.

Now, PayPal or Google Checkout work fine, but as a branding geek I hate throwing customers out of my store when they pull out their credit cards. So that’s where a service like CRE Secure seems to come in – you can keep your checkout process on your site and keep it looking the same; the only difference is that customers put cardholder data into a form in an embedded iFrame that’s loaded from CRE’s PCI-compliant servers. With Magento and therefore my entire business never touching credit card information, that would put me completely out-of-scope of PCI requirements, and all I have to do is submit an SAQ-A (which CRE even helps you fill out) that says “You can’t touch this! Daa naa naa na na...”

So I’m about to make the jump. The pricing seems fair; especially considering the expense of complying with SAQ-D (thousands), or the cost of the fine if I were ever breached (bankruptcy). Of course, if you’re not worried about keeping your checkout process on-site, you could go with PayPal or Google, avoid the additional monthly fee, and only have to submit the SAQ-A as well.

Now, what about using Magento Professional and its PA-DSS Secure Payment Bridge? From what I understand, it takes a pretty expensive server setup to do that (one server for Magento, one for Payment Bridge), plus the cost of the license. And what do you gain that outsourcing to someone like CRE Secure won’t give you?

So to summarize all this – if you’re a small business trying to figure out PCI compliance, stop wasting your time dreaming you can allow customers to enter credit card numbers directly onto your website. As a small business, there’s no choice but to outsource your credit card data input!

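The hosted-iFrame approach above only keeps Magento out of scope if no card number ever reaches the merchant's own code. As an added example (not code from this thread, CRE Secure or Magento), here is a backend scope guard that scans every inbound checkout payload for Luhn-valid card-number-shaped digit runs and accepts only an opaque provider token; the field name payment_token is an assumption.

```javascript
// Added example, not code from the thread, CRE Secure or Magento: a scope
// guard for a merchant backend that accepts checkout posts. Any payload
// carrying a Luhn-valid 13-19 digit run is rejected so a PAN leaking into
// Magento's scope is caught; only the provider token (assumed field name
// payment_token) is let through.

function luhnValid(digits) {
  // Standard Luhn checksum, processed right to left.
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
const PAN_PATTERN = /\b(?:\d[ -]?){12,18}\d\b/g;

function findPanCandidates(text) {
  const hits = [];
  for (const m of String(text).match(PAN_PATTERN) || []) {
    const digits = m.replace(/[ -]/g, "");
    if (luhnValid(digits)) hits.push(digits);
  }
  return hits;
}

// Recursively inspect objects and arrays; any string or number is a candidate.
function containsCardholderData(value) {
  if (value === null || value === undefined) return false;
  if (typeof value === "object") return Object.values(value).some(containsCardholderData);
  return findPanCandidates(value).length > 0;
}

function scopeGuard(payload) {
  if (containsCardholderData(payload)) {
    return { ok: false, reason: "cardholder data reached merchant backend" };
  }
  const token = payload && payload.payment_token;
  if (typeof token !== "string" || token.length === 0) {
    return { ok: false, reason: "missing provider payment token" };
  }
  return { ok: true };
}
```

A rejection from scopeGuard is worth alerting on, since it means the "never touches cardholder data" assumption behind SAQ-A no longer holds.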
 
fr0x
Member
 
Total Posts:  59
Joined:  2009-05-20
 

Both Mark and Jon are extremely nice, and they summed up my situation quite simply: Because I have complete control over Magento’s code, and because I’m transmitting cardholder data to Authorize.net directly from that code, I need to pass Self-Assessment Questionnaire D.

Unless you are storing credit card data I would highly doubt you fall under SAQ D.

Straight from the PCI “which SAQ am I” doc:
https://www.pcisecuritystandards.org/pdfs/pci_dss_saq_instr_guide.pdf

Merchants with payment application systems connected to the Internet, no cardholder data storage - SAQ C

If you are storing credit card numbers, then I would suggest finding a way to rewrite your system to not store that info. It may be easier than trying to do SAQ D and, quite frankly, it’s quite a bit less vulnerability on your end.

If you did decide to redirect customers out of your cart and to PayPal (which it doesn’t sound like you want to do), you would fall under SAQ A.

Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced.

But SAQ C is definitely do-able. You will have to find an approved merchant to do proper scanning and validation of your machine as well as filling out the SAQ document.

 
 
fr0x
Member
 
Total Posts:  59
Joined:  2009-05-20
 

A little bit more from that document about SAQ C:

SAQ C has been developed to address requirements applicable to merchants whose payment application systems (for example, point-of-sale or shopping cart systems) are connected to the Internet (via high-speed connection, DSL, cable modem, etc.) either because:

1. The payment application system is on a personal computer that is connected to the Internet (for example, for e-mail or web browsing), or

2. The payment application system is connected to the Internet to transmit cardholder data.

Merchants in Validation Type 4 process cardholder data via payment application systems connected to the Internet, do not store cardholder data on any computer system, and may be either brick-and-mortar (card-present) or e-commerce or mail/telephone-order (card-not-present) merchants.
