Is the Professional Edition Automatically PCI Compliant? 
 
Migla
Jr. Member
 
Total Posts:  10
Joined:  2011-02-15
 

Would there be anything else I’d need to do to keep it PCI compliant?  Thanks.

 
 
SimpleHelixcom
Enthusiast
 
Total Posts:  906
Joined:  2007-08-31
Huntsville, AL
 

Hi there!

There are a few things you have to meet before you can be considered PCI compliant. You’ll need to make sure all ports except 80 and 443 are blocked. Your host should be able to help out with this.

Most stores with PE/EE will want to be PA-DSS compliant, which has extra requirements:

Build and Maintain a Secure Network
REQUIREMENT 1: Install and maintain a firewall configuration to protect cardholder data
REQUIREMENT 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
REQUIREMENT 3: Protect stored cardholder data
REQUIREMENT 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
REQUIREMENT 5: Use and regularly update anti-virus software
REQUIREMENT 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
REQUIREMENT 7: Restrict access to cardholder data by business need-to-know
REQUIREMENT 8: Assign a unique ID to each person with computer access
REQUIREMENT 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
REQUIREMENT 10: Track and monitor all access to network resources and cardholder data
REQUIREMENT 11: Regularly test security systems and processes

Maintain an Information Security Policy
REQUIREMENT 12: Maintain a policy that addresses information security

These are rather general, but there’s an actual PA-DSS datasheet showing exactly what you’ll need to do:

https://www.pcisecuritystandards.org/documents/pa-dss_v2.pdf
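The "block everything except 80 and 443" advice above is something the host configures, but the store owner can still verify the outcome before the compliance scan. The script below is an added example for this thread, not code from the poster, from Magento or from the PCI SSC: it takes the output of the Linux `ss -Hltn` command (one listening TCP socket per line, local address in the fourth column) and reports every port that is bound to a network-reachable address and is not on the allow-list. Loopback-only listeners such as a local MySQL are not reported, because they are not exposed to the network. The sample `ss` lines are constructed for the demo; on a real host you would pipe `ss -Hltn` into the function instead.

```shell
#!/bin/sh
# Audit which TCP ports a host exposes, compared against an allow-list.
# Input format: lines as printed by `ss -Hltn`
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port

ALLOWED_PORTS="80 443"   # the two ports the post says should stay reachable

# Reads ss-style lines on stdin and prints, one per line and sorted ascending,
# each listening port that is bound to a non-loopback address and is not in
# ALLOWED_PORTS. Prints nothing when the host exposes only allowed ports.
audit_listening_ports() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 == "LISTEN" {
            local = $4
            port = local; sub(/.*:/, "", port)        # text after the last colon
            host = local; sub(/:[^:]*$/, "", host)    # text before the last colon
            # Loopback-only listeners (127.x.x.x, [::1]) are not reachable
            # from the network, so they are not a firewall finding.
            if (host ~ /^127\./ || host == "[::1]") next
            if (!(port in ok)) print port
        }
    ' | sort -n | uniq
}

# Constructed sample of `ss -Hltn` output (not captured from any real host):
# web on 80/443 (v4 and v6), SSH on 22, MySQL bound to loopback only, and a
# stray service on 8080.
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*
LISTEN 0 128 *:8080 *:*'

echo "Exposed ports outside the allow-list ($ALLOWED_PORTS):"
printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listening_ports
```

Run against the constructed sample it lists 22 and 8080; the loopback-only MySQL listener is deliberately left out. A port that shows up here is either one the host must block at the firewall, one that should be rebound to 127.0.0.1, or one that has a documented business reason and should be expected on the scan report.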

 
 
Turnkeye
Enthusiast
 
Total Posts:  908
Joined:  2008-12-20
URL: turnkeye.com
 
Migla - 10 March 2011 12:09 PM

Would there be anything else I’d need to do to keep it PCI compliant?  Thanks.

Magento Pro is PA-DSS compliant.

As for PCI, even Magento Community is PCI compliant if you have a good hosting plan.

 
 
jmws
Jr. Member
 
Total Posts:  19
Joined:  2010-11-06
 

What do you mean by good hosting company?

 
 
SimpleHelixcom
Enthusiast
 
Total Posts:  906
Joined:  2007-08-31
Huntsville, AL
 

Hello,

If you’re with a Magento host and they know what they’re doing, they’ve already run PCI lockdowns in the past and will have no problem locking down your account to help pass the initial scan. There may be additional items that need to be fixed, but the host can for the most part lock you down.

 
 
Migla
Jr. Member
 
Total Posts:  10
Joined:  2011-02-15
 

The cost of the professional version is 3,000 a year flat, correct?  With the community edition and a GOOD hosting company and full PCI compliance, can you estimate a typical yearly cost?

Thanks!
