Magento Forum

Magento with Google Checkout/Paypal only.. PCI compliant? 
 
Migla
Jr. Member
 
Total Posts:  10
Joined:  2011-02-15
 

If I set up a Magento store (community edition) and only take Google Checkout/Paypal/Amazon payments, would my site be PCI compliant?

And besides the slightly higher fees for using those services, are there any drawbacks to doing that?

Migla
Jr. Member
 
Total Posts:  10
Joined:  2011-02-15
 

Anyone know the answer?  This is regarding the community edition.

Crucial Web Host
Guru
 
Total Posts:  364
Joined:  2007-11-08
Phoenix, AZ
 

That would be SAQ A Level 1 compliance.

Your third party card processor (paypal, etc) may require you to pass a quarterly PCI scan.  Your Magento CE will have no problems (unless you’ve made modifications that are picked up by the scan).  This is up to the third party processor and you would want to check with each of them to see if it is something they require.

This scan will also scan the hosting server that you are on for problems.  You may need to work with your hosting provider to resolve those issues.

Lastly, you may or may not be required to fill out SAQ A (Self Assessment Questionnaire). Here’s the document:

https://www.pcisecuritystandards.org/docs/pci_saq_a.doc

For some more information on PCI Compliance you may want to give the following article a read as it covers each type and the necessary requirements.

http://www.crucialwebhost.com/blog/ecommerce-pci-compliant-hosting/

Hope this helps and best of luck with your store!

stevenhickey
Jr. Member
 
Total Posts:  4
Joined:  2011-03-14
 

If it’s a redirect to a hosted payment page with a gateway (customer enters card details onto Google Checkout’s secure pages for instance) then you need not worry.

All of the gateways you mention offer this, however I know PayPal (Pro) also has an API version where your server accepts the card details, then fires them off to PayPal to be processed, keeping your customer on your site all the way through for a more seamless process where customer journey and checkout flow are concerned.

If they are all hosted then so long as your business trades solely online, never coming into contact with card details (more crucially storing them, no matter for how short a time) then you are technically out of the scope of PCI. It can’t apply if you don’t touch card details.

Of course if you accept MOTO orders or process card details manually within the business, then unfortunately PCI is nowhere near as simple as the above… the more you process (the more card details you ‘touch’) the higher the level of certification you need… and it’s not cheap to jump through those hoops and get certified.

It’s all worth mentioning as many ecommerce software providers are finding their users absorbing huge costs to certify to a level which is often too high, often through misinterpretation. There’s an article here which simplifies PCI compliance a little where ecommerce businesses are concerned.

- Steven
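An added example, not from the thread: a defender-side check for Steven’s point that card data touching your own server puts it in PCI DSS scope even briefly. It scans constructed request-log lines (the log format and paths are assumptions) for Luhn-valid card numbers and reports them masked, which is what a store relying on hosted payment pages would want to find empty.

```python
import re

# Constructed sample: request-log lines from a store that is supposed to send
# shoppers to a hosted payment page. A card number (PAN) reaching our own
# server, as a direct-API integration would, pulls the server into PCI DSS scope.
SAMPLE_LOG = """\
2011-03-14T10:01:02 POST /checkout/onepage/savePayment method=paypal_standard
2011-03-14T10:01:09 POST /checkout/onepage/savePayment method=paypal_direct cc_number=4111111111111111 cc_exp=0114
2011-03-14T10:02:33 GET /catalog/product/view/id/4111111111111110
2011-03-14T10:03:45 POST /checkout/onepage/savePayment method=paypal_direct cc_number=5500000000000004
"""

# Any run of 13 to 19 digits not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check; filters out most non-card numeric strings (ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep the first six and last four digits, the maximum PCI DSS allows to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(log_text: str) -> list:
    """Return (line_number, masked_pan) for every Luhn-valid 13-19 digit run."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for m in CANDIDATE.finditer(line):
            if luhn_ok(m.group(1)):
                hits.append((n, mask(m.group(1))))
    return hits


if __name__ == "__main__":
    for n, masked in find_pans(SAMPLE_LOG):
        print(f"line {n}: possible PAN {masked} reached this server")
```

The product id on line 3 fails the Luhn check and is ignored, so only the two direct-API requests are reported.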

 
jgross
Jr. Member
 
Total Posts:  2
Joined:  2010-02-16
 

Migla and others looking into PayPal PCI Compliance:

Magento’s community edition store is not PCI compliant, however, because you will be using a 3rd party payment processor like Paypal, you won’t be accessing card numbers, making you exempt from PCI DSS. Paypal states, “PayPal is not responsible for PCI Compliance if you store, transmit, or process payment card information…All card data must be stored, transmitted, and processed by PayPal and not by the merchant” (Paypal PCI Compliance).

If your webstore will be taking credit card numbers or sensitive data, storing it, and then shooting that over to a 3rd party for payment processing then you have some PCI compliance liability. Paypal is considered a level 4 PCI-DSS validation type if you are handling credit card numbers and processing payment through PayPal. In this case, Tokenization and Point-to-Point Encryption could be good solutions. This is where the card number becomes encrypted and transmitted to a PCI DSS compliant storage facility. The encrypted card number is also transmitted to the 3rd party for processing. This makes it virtually impossible for hackers to read the actual card number and covers your PCI compliance responsibility.

Hope this helps and good luck!
