
Magento Forum

What the hell is PCI DSS and do I need it? 
 
jsdtechnology.co.uk
Jr. Member
 
Total Posts:  10
Joined:  2008-09-28
 

I’ve been researching PCI DSS since I see posts here and there banging on about needing PCI DSS compliancy if using such and such a payment gateway. I have found some major articles that seem to provide the answers we need.

What is PCI DSS?

From : https://www.paypal.com/uk/cgi-bin/webscr?cmd=xpt/Marketing/merchant/PCICompliance-outside

The Payment Card Industry Data Security Standard (PCI DSS) is a set of comprehensive requirements for the protection of payment card data; developed by Visa, MasterCard, American Express, Discover and JCB it provides business best practice guidelines to establish a “minimum security standard”.

Does PCI DSS apply to merchants who use payment gateways to process transactions on their behalf, and thus never store, process or transmit cardholder data?

From : https://www.pcisecuritystandards.org/ (click on FAQ then search for the term “payment gateway”)

PCI DSS payment card requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. However, under PCI DSS requirement 12.8, if the merchant shares cardholder data with a third party processor or service provider, the merchant must ensure that there is a contractual obligation for that third party processor/service provider to adhere to the PCI DSS and that the third party processor/service provider is responsible for the security of the cardholder data it possesses. In lieu of a direct agreement, the merchant must obtain evidence of the third-party processor/service provider’s compliance with PCI DSS via other means, such as via a letter of attestation.

Translation into layman’s English:

Your payment provider, e.g. PayPal, Protx, Worldpay must be PCI Compliant if you are using a payment gateway that passes credit card data to them and you need evidence from them such as a contract or a letter of attestation stating that they are PCI Compliant.

How do you configure Magento to meet PCI DSS?

From: http://www.magentocommerce.com/company/pci-compliance

There are a few very important steps to take when implementing Magento in a PCI compliant manner. The main two are:

Do not use the Saved Credit Card module in a production environment (live site).
Do not enable the Debugging profiler in a production environment.

If these modules are implemented the credit card data will be stored in the database, creating further requirements in order to meet the PCI DSS.

It is important to note that while Magento is an integral part of the chain in obtaining PCI Compliance, it is necessary to implement Magento in a PCI compliant hosting environment. We have given recommendations here on configuring Magento to meet the PCI-DSS. For more information on PCI Compliance please visit the PCI Security Standards Council website ( https://www.pcisecuritystandards.org/ )

Translation into layman’s English:

Your website must be hosted within a PCI DSS compliant hosting environment (server os config, network config, firewall config etc).

Does the PCI Security Standards Council enforce compliance?

From: https://www.pcisecuritystandards.org/ (click on FAQ then click on FAQ at the top)

No, the PCI Security Standards Council will not be replacing the individual brands’ compliance programs. The individual participating payment brands will separately determine what entities must be compliant, including any brand-specific enforcement programs.

Translation into layman’s English:

By brand they mean both payment providers like PayPal and also acquiring banks like HSBC or Barclays if using the HSBC Remote Gateway API or the Barclays ePDQ gateway.

Does PayPal or Protx check that you as a merchant are PCI DSS compliant when setting up the PayPal Website Payments Pro UK or the Protx Direct payment gateway Magento extension?

I don’t know. I cannot find the answer on PayPal’s website nor have I attempted it before.

Can someone state what the case is with the last question and whether there is any incorrect information above, please?

I get the feeling that I have missed something major.

Conclusion

We don’t need to be PCI DSS compliant unless a payment provider or the acquiring bank (in the case of HSBC when using the HSBC (UK) Remote API extension) demands it but being PCI DSS compliant helps merchants (you, me, us) avoid liability for fraud that involves our website losing personal data to hackers. And that is unlikely if you implement any SSL certificate and the payment gateway Magento extensions themselves correctly in the first place.

Many Thanks

James from West Dunbartonshire

 
 
jsdtechnology.co.uk
Jr. Member
 
Total Posts:  10
Joined:  2008-09-28
 

So can anyone confirm whether or not a payment provider or bank will ask merchants to prove they are compliant with a PCI DSS?

If yes, which organisations?

Many Thanks

James

 
 
jsdtechnology.co.uk
Jr. Member
 
Total Posts:  10
Joined:  2008-09-28
 

What does “level 4 merchant” in PCI DSS terms mean?

For the answer refer to http://www.barclaycardbusiness.co.uk/information_zone/security/pci_dss/what_do_I_do.html

Almost all small merchants will therefore be level 4 merchants.

The web page also states that Barclays ePDQ applicants must supply evidence of PCI DSS compliance to a company called Security Metrics who Barclays have partnered with.

Achieving PCI DSS sounds like it would take a few weeks but if your web host is not PCI DSS compliant and does not intend to become so then that would mean having to move host which means further costs. Not good for small merchants and developers like myself and my current customer.

James from West Dunbartonshire
p.s. I’m posting this info here for all of us as I think this forum could and should become a useful resource.

 
 
RichardT
Jr. Member
 
Total Posts:  2
Joined:  2009-02-24
 

The PCI DSS does not apply to merchants only where the card data does not touch or pass through their site/servers. For example if you redirect shoppers to the Protx gateway payment pages and the card details are entered into the Protx site, then you are not touching card data and do not need to be compliant. However if card data is entered in the checkout page and the server pushes the data to the payment gateway, then you must be PCI compliant; this is because the card data is transmitted by your server.

It is the transmission clause which catches most sites as it looks far less professional to hand a user off to Protx to take payment instead of using the Magento checkout.

Where the PCI standards council refers to brands, it means VISA, Mastercard, American Express etc. The card companies don’t have a direct relationship with the merchant; however they are pressuring the banks to enforce compliance. Different banks are handling this in different ways. In the past they went after the largest merchants, but most of these are now becoming compliant, and the focus is shifting to smaller businesses. I know of some small retailers who are facing higher processing charges for not being compliant.

As a merchant it is your responsibility to be compliant and remain compliant. This means that you have to ensure the suppliers such as payment gateways and hosting companies are compliant. A supplier will be audited to show that their processes are compliant. Using compliant suppliers does not mean your business is compliant; you must have a certain level of policy and processes in place to ensure compliance.

As a level 4 merchant you need not have an on site audit; instead complete the self assessment questionnaire. This is not too hard, however there are some tricky bits that are often forgotten:
The PCI DSS requires that you must also have quarterly network vulnerability scans and an annual penetration test. It is extremely unlikely that a PCI compliant host will provide the penetration test. Some might perform the network scan, but it is best to arrange your own.
There must be a policy and procedure to document and control code changes to your site. (this is code not change through the admin interface)
The application development must be in line with best practice and protect against the OWASP (OWASP.org) top 10 web vulnerabilities
The developers must be trained in secure programming
All users must have security awareness training - see www.bobs-business.co.uk for a great free training course.

You can store CV2 iff the payment has not been authorised. It must then be stored for the shortest period possible, be encrypted, deleted after authorisation and not written to logs. We do this when the payment gateway returns an error as it is impossible to determine if payment was taken.

The PCI standards are not only for online business; if you run a physical store, you should be aware that the shop is also covered by PCI standards. The till system, in-store and inter-store networks, order management systems, shop front staff and anyone handling secured data must be compliant.
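The post above (and the Magento advice earlier in the thread about the Saved Credit Card module and the Debugging profiler) turns on one check a merchant can actually run: make sure no PAN or CV2 ever ends up in application logs or debug output. The following is an added example, not RichardT’s code and not part of Magento: a small Python scanner that finds Luhn-valid card numbers in log lines (so order and tracking numbers are not flagged), and a redactor that masks a PAN to its first six and last four digits and blanks CV2-style fields before the line is written anywhere. The log lines are constructed for the example; the field names `cc_number` and `cc_cid` mirror the ones used in Magento checkout forms but are assumptions here.

```python
import re

# A candidate PAN is 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Common CV2 field names (assumed, not from the thread) followed by 3-4 digits.
CVV_RE = re.compile(r"(?i)\b(cc_cid|cvv2?|cvc2?|cv2|card_code)\b(\s*[=:]\s*)(\d{3,4})")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for a well-formed card number, false for random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_pans(line: str) -> list:
    """Return the Luhn-valid card numbers (separators stripped) found in a log line."""
    hits = []
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def redact(line: str) -> str:
    """Mask PANs to first6 + last4 (the PCI DSS display limit) and blank CV2 values."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)                       # not a card number, leave it
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    line = PAN_RE.sub(mask, line)
    return CVV_RE.sub(lambda m: m.group(1) + m.group(2) + "***", line)

def scan(lines: list) -> list:
    """(line number, PANs) for every line that leaks a card number."""
    return [(n, find_pans(l)) for n, l in enumerate(lines, 1) if find_pans(l)]

# Constructed sample log: line 2 mimics profiler output, line 4 is a benign 13-digit tracking id.
SAMPLE_LOG = [
    "2010-07-01 11:30:02 checkout order=100000123 total=49.99",
    "2010-07-01 11:30:03 profiler: cc_number=4111111111111111 cc_cid=123 cc_exp=12/2012",
    "2010-07-01 11:30:03 gateway payload: card=5555 5555 5555 4444 cvv2: 9876",
    "2010-07-01 11:30:04 shipping tracking=1234567890123",
]

if __name__ == "__main__":
    for n, pans in scan(SAMPLE_LOG):
        print(f"line {n} leaks PAN(s): {pans}")
    for l in SAMPLE_LOG:
        print(redact(l))
```

Run it over a copy of `var/log` or a database dump after enabling a payment method; any hit means card data is being persisted and the module or profiler responsible needs to be switched off.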

 
 
mikewhitby
Member
 
Total Posts:  38
Joined:  2008-09-08
 

Slight thread resurrection here but I’m interested to hear of the experiences of a company developing Magento for a client who has decided to go the onsite payment route and has needed to get their site scanned by an ASV.

Did you need to jump through any more hoops than simply getting your site scanned?

I’m aware the SAQ is more thorough if you have onsite payment systems, how bad is it?

I’m interested in the cost increase of having an onsite payment system vs offsite.

cheers!

 
 
kulturshock
Jr. Member
 
Total Posts:  29
Joined:  2009-11-30
 

I believe that from July 1st 2010 if you process credit card payments then your payment application MUST be a PA-DSS approved application. Magento community version is NOT approved. In simple terms this means that if you take credit card data on your server then the program taking this data must be a PA-DSS approved program. Therefore if you use a payment gateway like Sage Direct you are taking credit card data on your server and passing it on to Sage Pay. From July you will no longer be PCI compliant and your merchant provider may well stop you from taking credit cards.
In this situation you have two choices. Upgrade to the enterprise edition (and upgrade your hosting). OR do not accept credit card details ON YOUR SERVER. Use the Sage Form interface or the Sage Server interface; both solutions have the actual credit card form hosted on the Sage server, taking your site outside the PCI compliance problem.

 
 
daddyg
Sr. Member
 
Total Posts:  77
Joined:  2008-12-10
 

This is a worrying development. Does anyone know if Magento has this on the roadmap to implement PA-DSS approval before the July 1st deadline?

Thanks...Graham

 
 
kulturshock
Jr. Member
 
Total Posts:  29
Joined:  2009-11-30
 

I know of no plans to make the community edition PA-DSS approved at any time. That said I suggest that you check with your card services provider and your QA provider who says that you are PCI compliant to see what they say you have to do to remain PCI compliant.

 
 
J_T_
Moderator
 
Total Posts:  1961
Joined:  2008-08-07
London-ish, UK
 

Summary based on my experience.

If you don’t store card details (like those with redirect-based Protx, WorldPay, PayPal etc.) you just need to be Level 4 PCI compliant. Fill in a form and you’re done. Magento doesn’t play a significant role in this, as long as you use strong passwords, have company policies etc.

If you do store card details (in other words, if you have the potential to lose or abuse card details) you’re talking about a whole different ball game. Then the Magento version you use does come into the picture and be part of the equation which will tell you whether you act according to or in violation of the law. If you store card details, you probably are a John Lewis / Amazon / ASOS type merchant so you should have the 10s of thousands of quids to ensure you become compliant.

 
 
smallmouse
Jr. Member
 
Total Posts:  7
Joined:  2009-09-22
 

Hi
I have a quick question.

My client wants to use the credit card (save) method to take customers details and process the payment offline.

After reading many posts on the forums it seems to be the general view that this is a bad idea? 

Is it safe to use this method and does it comply with this PCI DSS?

Would an SSL make it safer?

Do the credit card details get stored in the database?

Sorry for all the questions but I don’t want to set this up for a client if there could be a security hole to fall into.

many thanks
Lisa

 
 
bj0rn
Member
 
Total Posts:  37
Joined:  2008-06-16
 

Like Mike Whitby, I’m curious about obtaining PCI compliance while keeping the payment experience integrated - I don’t much care for sending customers off to a third-party brand for payment! Can anyone fill us in on the details?

 
 
kulturshock
Jr. Member
 
Total Posts:  29
Joined:  2009-11-30
 

Here is an official announcement:

http://usa.visa.com/download/merchants/payment_application_security_mandates_regions.pdf

Basically it means that if you take credit card info on your site (even if just to transmit) then you have to use a PA-DSS approved payment application by 1st July 2012. Magento, community edition, is NOT PA-DSS approved, nor are there any plans that I know of to get it approved.

 
 
Turnkeye
Enthusiast
 
Total Posts:  908
Joined:  2008-12-20
URL: turnkeye.com
 
kulturshock - 01 July 2010 11:30 AM

Magento, community edition, is NOT PA-DSS approved, nor are there any plans that I know of to get it approved.

You can try CREsecure, a trusted, hosted payment acceptance service for online retailers that takes the worry out of credit card security and Payment Card Industry (PCI) rules.

Besides, you can avoid PA-DSS certification in certain cases: PA-DSS compliance FAQ
