A participating PCI Security Standards Council Member and a Level 1 PCI Service Provider, Rackspace provides businesses with hosting solutions for mission-critical deployments. To learn more about the ways Rackspace can help your business, we invite you to do so on their site.
And if you have questions about the need for a firewall or implementing a separate server for your database, or maybe you have questions about the recent changes in PCI-DSS v1.2, please submit your questions and the Magento team and Rackspace will answer questions in a post here on the Magento blog.
I was wondering where PCI Data Security Standard (PA-DSS) adoption and compliance was at for the Enterprise edition?
Also, what are the implications for Community Edition user of not meeting/not complying with PCI Data Security Standard (PA-DSS)?
For Community Edition users will it be sufficient to use a hosting service that complies with the PCI Data Security Standard (PA-DSS)?
Finally, is non-compliance with PCI Data Security Standard (PA-DSS) a very serious sleeper issue with massive implications that could blow up in our faces or could such conclusions merely be dismissed as scaremongering?
I look forward to reading answers to the questions above and learning more about what PCI Data Security Standard (PA-DSS) means for us all.
I see some people asking about what to do for PCI for Magento Community Edition. I hope this is appropriate to post here…
CRE Secure has released a PCI solution for Magento Community Edition that is now the official PCI solution for PayPal Pro merchants; a press release will be hitting the airwaves soon.
It seems to me that this thread, like many on the internet, and the wiki post, both miss the point entirely.
A software program cannot be PCI compliant. It is the merchant that has to be PCI compliant. A software program CAN be PA-DSS approved and Magento enterprise edition is (or soon will be) PA-DSS approved.
I do not know if the community edition of Magento will ever be PA-DSS approved.
What does this mean?
For a merchant to be PCI compliant they have to pass a PCI compliance test. This consists of filling in a questionnaire correctly and sticking to a set of rules. It also MAY include the need for the site to pass a PCI scan. The questionnaire you have to fill in, the need for the scan and the frequency of the scan depend on the number of transactions you do a year and whether your site accepts credit cards or whether you let a third party site host and accept the cards on your behalf.
This means that simply passing a PCI scan does not in itself make you PCI compliant. It is however a good idea that your site is capable of passing a scan.
The PCI rules change each year (basically they are being phased in) and each year the requirements get harder. A key date in the US (and no doubt soon followed elsewhere in the UK) is July 1st 2010 where it is MANDATORY that payment applications are PA-DSS approved.
Some QA assessors will say that Magento is a payment application if it hosts the collection of credit card information. Thus the community edition of Magento cannot be used after July 1st 2010. HOWEVER I have not heard of ANY QA assessor worrying about Magento IF the credit card collection is hosted and done on the payment gateway. Clearly the merchant MUST ensure that the payment gateway provider is fully PCI compliant.
Some payment gateways allow the use of iframes so that the interface can look seamless and as if it is part of the site’s processing, i.e. fully integrated in the one page checkout.
In the UK, if you look at the Sage Pay web site, you will see the different levels of scan, form filling in etc. depending upon the type of interface you use. If you use their popular Direct interface they say that you have to pass the scan and fill in the more complex form. They recommend their Server interface, with which it is much easier to gain PCI compliance. Sage do not as yet mention PA-DSS approval of payment applications, so I assume from this that the UK is not pushing this requirement YET.
The simple answer is NO. Just because you use a PCI compliant merchant does not make you compliant. Of course NOT using a PCI compliant merchant means that you are not compliant.
You may well be compliant, so long as you can prove it, answer the questionnaire, and have good policies and procedures.
* PA-DSS does NOT apply to a payment application developed for and sold to only one customer since this application will be covered as part of the customer’s normal PCI DSS compliance review. Note that such an application (which may be referred to as a “bespoke” application) is sold to only one customer (usually a large merchant or service provider), and it is designed and developed according to customer-provided specifications.
* PA-DSS does NOT apply to payment applications developed by merchants and service providers if used only in-house (not sold, distributed, or licensed to a third party), since this in-house developed payment application would be covered as part of the merchant’s or service provider’s normal PCI DSS compliance.
Rather Interesting to read it.
I don’t think this covers the use of Magento Community Edition though, which is what most people here are concerned about. Or if it DOES, it would automatically push the store owner concerned into being a SAQ D type merchant (not a desirable situation).
Like it or not, the only viable path open for 99% of Magento Community Edition users after 1st July 2010 is to use PayPal Standard, Authorize.net, Google Checkout or some other outsourced card processor. Clearly the major credit card companies DON’T want mom and pop style websites going anywhere near credit card information.
SIDENOTE: Even if you don’t have a website, even if all you own is an abacus and a card swiper, even if you only process one credit card transaction a year, you need to read up on the PCI-DSS rules.
I am using PayPal as my payment method on my online store; does my site need to be PCI compliant? I’ve heard it costs upwards of 2000.00 to become PCI compliant on my end, even though I am only using PayPal... is this true?