I’ve been researching PCI DSS since I see posts here and there banging on about needing PCI DSS compliancy if using such and such a payment gateway. I have found some major articles that seem to provide the answers we need.
What is PCI DSS?
From : https://www.paypal.com/uk/cgi-bin/webscr?cmd=xpt/Marketing/merchant/PCICompliance-outside
The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for the protection of payment card data; developed by Visa, MasterCard, American Express, Discover and JCB it provides business best practice guidelines to establish a “minimum security standard”.
Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?
From : https://www.pcisecuritystandards.org/ (click on FAQ then search for the term “payment gateway”)
PCI DSS (payment card) requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. However, under PCI DSS requirement 12.8, if the merchant shares cardholder data with a third party processor or service provider, the merchant must ensure that there is a contractual obligation for that third party processor/service provider to adhere to the PCI DSS and that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the third-party processor/service provider’s compliance with PCI DSS via other means, such as via a letter of attestation.
Translation into layman’s English:
Your payment provider, e.g. PayPal, Protx, Worldpay, must be PCI Compliant if you are using a payment gateway that passes credit card data to them, and you need evidence from them such as a contract or a letter of attestation stating that they are PCI Compliant.
How do you configure Magento to meet PCI DSS?
There are a few very important steps to take when implementing Magento in a PCI compliant manner. The main two are:
Do not use the Saved Credit Card module in a production environment (live site).
Do not enable the Debugging profiler in a production environment.
If these modules are implemented the credit card data will be stored in the database, creating further requirements in order to meet the PCI DSS.
It is important to note that while Magento is an integral part of the chain in obtaining PCI Compliance, it is necessary to implement Magento in a PCI compliant hosting environment. We have given recommendations here on configuring Magento to meet the PCI-DSS. For more information on PCI Compliance please visit the PCI Security Standards Council website ( https://www.pcisecuritystandards.org/ ).
Translation into layman’s English:
Your website must be hosted within a PCI DSS compliant hosting environment (server OS config, network config, firewall config, etc.).
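To make the two Magento configuration steps above checkable rather than something you remember to look at, here is a small audit script I am adding as an example (it is not Magento's own code and not from the guidance quoted above). It reads an export of the core_config_data table and flags the Saved Credit Card method and the debugging profiler wherever they are switched on. The config paths payment/ccsave/active and dev/debug/profiler, and the default/websites/stores scope layout, are my understanding of Magento 1 and should be verified against your installation; the sample export in the block is constructed. The point it adds beyond the text: a module that is disabled at default scope can still be enabled for a single website or store view, so a compliance check has to look at every scope, not just the global value.

```python
"""Offline audit of a Magento 1 core_config_data export for the two
settings the Magento guidance above says must stay off on a live site.

Added example, not Magento's code. Assumptions to verify against your own
installation: the Saved Credit Card method is toggled by the config path
'payment/ccsave/active' and the profiler by 'dev/debug/profiler'; both are
stored as '0'/'1' strings in core_config_data with a scope of 'default',
'websites' or 'stores'. A row at a more specific scope overrides the
default, so a module disabled at default scope can still be live for one
store view; the audit therefore reports every scope at which it is on.
"""
from collections import namedtuple

ConfigRow = namedtuple("ConfigRow", "scope scope_id path value")

# Config paths that must be disabled ('0') in production, with the reason
# taken from the guidance quoted above.
MUST_BE_DISABLED = {
    "payment/ccsave/active": "Saved Credit Card module stores card data in the database",
    "dev/debug/profiler": "Debugging profiler must not be enabled in production",
}

# Most general scope first; a higher rank overrides a lower one.
SCOPE_RANK = {"default": 0, "websites": 1, "stores": 2}


def parse_mysql_batch(text):
    """Parse the tab-separated output of
    mysql --batch -e "SELECT scope, scope_id, path, value FROM core_config_data".
    The first non-blank line is the column header; blank lines are ignored."""
    rows = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines[1:]:
        scope, scope_id, path, value = line.split("\t")
        rows.append(ConfigRow(scope, int(scope_id), path, value))
    return rows


def audit(rows):
    """Return (path, scope, scope_id, reason) for each scope at which a
    must-be-disabled setting is enabled, most general scope first."""
    findings = []
    for path, reason in MUST_BE_DISABLED.items():
        matches = [r for r in rows if r.path == path]
        matches.sort(key=lambda r: (SCOPE_RANK.get(r.scope, 99), r.scope_id))
        for r in matches:
            if r.value == "1":
                findings.append((path, r.scope, r.scope_id, reason))
    return findings


def is_production_safe(rows):
    """True when neither setting is enabled at any scope."""
    return not audit(rows)


# Constructed sample export: ccsave is off by default but switched on for
# store view 2, and the profiler is on globally. The PayPal Direct row is
# unrelated and must not be flagged.
SAMPLE_EXPORT = """scope\tscope_id\tpath\tvalue
default\t0\tpayment/ccsave/active\t0
stores\t2\tpayment/ccsave/active\t1
default\t0\tdev/debug/profiler\t1
default\t0\tpayment/paypal_direct/active\t1
"""

if __name__ == "__main__":
    for path, scope, scope_id, reason in audit(parse_mysql_batch(SAMPLE_EXPORT)):
        print(f"{path} enabled at {scope}/{scope_id}: {reason}")
```

Run it against a real export by piping the mysql batch output into parse_mysql_batch; a clean production site should make is_production_safe return True, and any finding names the exact scope where the setting still needs switching off.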
Does the PCI Security Standards Council enforce compliance?
From: https://www.pcisecuritystandards.org/ (click on FAQ then click on FAQ at the top)
No, the PCI Security Standards Council will not be replacing the individual brands’ compliance programs. The individual participating payment brands will separately determine what entities must be compliant, including any brand-specific enforcement programs.
Translation into layman’s English:
By brand they mean both payment providers like PayPal and also acquiring banks like HSBC or Barclays if using the HSBC Remote Gateway API or the Barclays ePDQ gateway.
Does PayPal or Protx check that you as a merchant are PCI DSS compliant when setting up the PayPal Website Payments Pro UK or the Protx Direct payment gateway Magento extension?
I don’t know. I cannot find the answer on PayPal’s website nor have I attempted it before.
Can someone state what the case is with the last question and whether there is any incorrect information above, please?
I get the feeling that I have missed something major.
We don’t need to be PCI DSS compliant unless a payment provider or the acquiring bank (in the case of HSBC when using the HSBC (UK) Remote API extension) demands it, but being PCI DSS compliant helps merchants (you, me, us) avoid liability for fraud that involves our website losing personal data to hackers. And that is unlikely if you implement an SSL certificate and the payment gateway Magento extensions themselves correctly in the first place.
James from West Dunbartonshire