Magento Forum

   
Page 1 of 2
Community Edition PCI and PA-DSS Acceptable? 
 
tippmann316
Jr. Member
 
Total Posts:  26
Joined:  2009-05-06
 

We are currently having a website developed using the Magento Community Edition, and it should go live within the next two months.

Since we process credit cards via Authorize.net, we are afraid that we are developing a website built on architecture that may be obsolete come next year thanks to PCI standards.

Currently Magento states that the Enterprise version will be PCI Certified “Soon”. But what does that mean for anyone using the Community Edition when the PCI Standards are mandated?

Or am I just missing something? Is the Community Edition PA-DSS Compliant as long as we don’t store Credit Card Numbers?

Is operating a Dedicated Server and not storing Credit Cards enough to give us a passing grade with PCI?

Or are we stuck with operating PCI Certified shopping carts like Magento Enterprise Edition?

 
 
Web2Market
Jr. Member
 
Total Posts:  20
Joined:  2008-10-25
 
tippmann316 - 15 June 2009 07:44 PM

Currently Magento states that the Enterprise version will be PCI Certified “Soon”. But what does that mean for anyone using the Community Edition when the PCI Standards are mandated?

When the Enterprise Edition is PCI Certified, the identical features in Community Edition will likely pass certification as well.

tippmann316 - 15 June 2009 07:44 PM

Is the Community Edition PA-DSS Compliant as long as we don’t store Credit Card Numbers? Is operating a Dedicated Server and not storing Credit Cards enough to give us a passing grade with PCI?

No, certification is not that easy. There is a long list of requirements. If you do not store credit card numbers, then several requirements will not apply.

tippmann316 - 15 June 2009 07:44 PM

Or are we stuck with operating PCI Certified shopping carts like Magento Enterprise Edition?

Someone needs to pay to certify any cart. One of the advantages of the Enterprise Edition is that Varien is paying. You, or perhaps a group, can pay to certify the Community Edition. Unfortunately, the certification will almost certainly turn up required changes. Who will make those changes? The second problem is that if you customize the certified version, you will probably need to get it re-certified. I suspect part of the cost of Enterprise Edition is to pay for re-certification for custom implementations.

If you are thinking, “wow, this sounds expensive”...you are right.

 
 
JLHC
Mentor
 
Total Posts:  1287
Joined:  2008-05-09
Tampa, FL
 

Some information regarding Magento and PCI compliance that you may want to look at:
http://www.magentocommerce.com/company/pci-compliance

 
 
tippmann316
Jr. Member
 
Total Posts:  26
Joined:  2009-05-06
 

Okay, I have been doing some research, and I think that I am getting a better idea of what this all means.

PCI Certified is much different than PCI Compliant.

PCI “Certified” more has to do with Payment and Software Providers, and Hosts?

PCI “Compliant” is more Merchant side? Involving the operation of our business and the Hardware and Software that we have implemented?

Am I correct in assuming (be careful when you assume), that no matter what solution (Magento Community or Enterprise etc.) we have implemented, as long as we have been validated by a Qualified Security Assessor (QSA), we should be compliant?

I have not been able to find anything in the PCI-DSS (www.pcisecuritystandards.org) where it says that you will only be able to become PCI “Compliant” if you operate a PCI “Certified” Shopping Cart.

Does PCI Certified just mean someone can charge a little more for their cart than a cart that just doesn’t store credit card numbers and CVV2’s?

I mean, we are operating a store right now that passes PCI scans every evening, and it was developed over four years ago. I imagine the Community Edition of Magento will pass a PCI scan too, and as far as I can tell from all the information that I am reading, this should be sufficient for at least the cart aspect of PCI compliance.

 
 
turtlepirate
Jr. Member
 
Total Posts:  3
Joined:  2008-08-01
 

I’m surprised there isn’t more discussion on this. You guys do know that if Magento’s community edition is not PA-DSS certified by July 2010 merchants will be forced to use PA-DSS certified systems? So far out of the thousands of ecommerce systems out there, only a few are certified including Magento Enterprise. But that is the Enterprise edition only.

 
 
jgross
Jr. Member
 
Total Posts:  2
Joined:  2010-02-16
 

estrahon, you are correct that as of July 1 if merchants don’t use a software application that is PA-DSS compliant or that is out of scope for PA-DSS compliance (there are solutions for software providers to do this), they will risk losing the ability to accept credit cards from their customers entirely as well as fines. Here are two articles that might help clear up some confusion: how to become PCI DSS compliant (for merchants) and PA-DSS implementation (for software applications).  Good luck with the steps towards PCI compliance!

 
 
tippmann316
Jr. Member
 
Total Posts:  26
Joined:  2009-05-06
 

Does anyone have any more info on whether the community edition will be okay when pci compliance is mandatory later on in the year? Suggestions? Opinions?

Do we need to upgrade to the Enterprise Edition?

 
 
daddyg
Sr. Member
 
Total Posts:  77
Joined:  2008-12-10
 

I’d really like to know this too.

 
 
sajjad365
Jr. Member
 
Total Posts:  21
Joined:  2009-05-28
London, Canada
 

Um, I stumbled across this thread by accident. I was looking to integrate the Moneris payment gateway and lo and behold, I’m here? Ha. Anyways, what is this talk of “compliance”? We can’t use Magento Community if it’s not approved or some crap? Sorry, I’m a noob, what is going on here?!?!?

 
 
markf
Sr. Member
 
Total Posts:  145
Joined:  2007-09-20
 

As far as I can tell, the only way to use Magento CE and be compliant is to use Paypal or Google Checkout. The reason is that when you use those services, the credit card info is entered after the user is redirected to Paypal or Google’s site.

So basically, if your customers are entering CC info and the web address is still your domain, you are most likely not in compliance.  This is assuming you are using community edition.

The problem with Paypal and Google is you lose the continuity of look and feel when you redirect to Paypal, etc.  The only other solution I came across was cresecure.com which does redirect to their site but it’s supposed to clone the look and feel of your site.  I tried the service, however, and it seemed buggy and I could not get it working right.  Customer service was not very friendly either.

So I’m still looking for a better solution than the ones mentioned… anyone else have some insight into this? It’s something that affects almost all community users in a pretty major way, so I’m surprised this is not a more hot topic.
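The redirect approach described in the post above rests on one verifiable property: no request that reaches the merchant's own server ever carries a card number or security code. The following is an added example for this thread, not code from Magento, Paypal, Google Checkout or any gateway; the field names, the two sample form submissions and the Luhn-based detector are all assumptions constructed for illustration. It scans a submitted form for card-shaped values and for conventionally named card fields, which is what you would run against your own checkout handler (or its access logs, with care) to confirm that the hosted-page redirect really keeps cardholder data off your domain.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer digit run (so a 20-digit tracking number is
# deliberately not matched). Length bounds follow ISO/IEC 7812 account numbers.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names that by convention carry cardholder data (assumed names; extend
# with whatever your own forms use).
_CARD_FIELD = re.compile(
    r"^(?:cc|card|pan)[_-]?(?:num(?:ber)?|no)$|^(?:cvv2?|cvc2?|csc|card[_-]?code)$",
    re.IGNORECASE,
)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, which every major card brand's PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit strings in `text` that look like a PAN and pass Luhn."""
    pans = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def cardholder_data_fields(form: dict[str, str]) -> list[str]:
    """Names of form fields that carry, or are named for, cardholder data.

    Any hit means the request brought cardholder data onto this server, which
    pulls the server into PCI DSS scope regardless of what is stored later.
    A Luhn-valid 13-19 digit value that is not a card (a rare phone or account
    number) is a false positive worth a manual look, not a reason to skip it.
    """
    return [
        name for name, value in form.items()
        if _CARD_FIELD.match(name.strip()) or find_pans(value)
    ]


# Constructed sample submissions (not captured from a real store).
ON_SITE_CARD_FORM = {                   # card entered on the merchant's own domain
    "firstname": "Alice",
    "cc_number": "4111 1111 1111 1111",  # well-known Visa test PAN, Luhn-valid
    "cc_exp": "12/30",
    "cvv": "123",
    "order_ref": "1234567890123",        # 13 digits but fails Luhn: not a PAN
}
HOSTED_REDIRECT_FORM = {                # what the server sees when redirecting to a hosted page
    "order_ref": "1234567890123",
    "amount": "49.99",
    "currency": "USD",
    "return_url": "https://shop.example/checkout/return",
}

if __name__ == "__main__":
    for label, form in (("on-site card form", ON_SITE_CARD_FORM),
                        ("hosted-page redirect", HOSTED_REDIRECT_FORM)):
        hits = cardholder_data_fields(form)
        print(f"{label}: {'IN SCOPE, fields ' + str(hits) if hits else 'no cardholder data'}")
```

Run it as a script to see the two verdicts, or call `cardholder_data_fields` from the request-handling layer of a test instance and fail the build if it ever returns a non-empty list for a checkout submission. The detector is intentionally simple: the point is to prove the absence of card data at the boundary, not to parse every card format.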

 
 
blindside
Jr. Member
 
Total Posts:  2
Joined:  2009-09-16
 

Key points from the PA-DSS User Guide:

“PA-DSS does NOT apply to a payment application developed for and sold to only one customer since this application will be covered as part of the customer’s normal PCI DSS compliance review. Note that such an application (which may be referred to as a “bespoke” application) is sold to only one customer (usually a large merchant or service provider), and it is designed and developed according to customer-provided specifications.”

“PA-DSS does apply to payment applications that are typically sold and installed “off the shelf” without much customization by software vendors.”

 
 
xpayments
Jr. Member
 
Total Posts:  3
Joined:  2010-06-15
Ulyanovsk, Russia
 
markf - 19 July 2010 06:15 AM


So I’m still looking for a better solution than the ones mentioned… anyone else have some insight into this?  It’s something that affects almost all community users in a petty major way, so I’m surprised this is not a more hot topic.

Did you try this solution http://www.qtmsoft.com/x-payments-magento.html ? The Qualiteam company has developed a certified X-Payments application for X-Cart, but it can be easily configured for any e-commerce site. At the moment there are integrations for Magento, Zen Cart and osCommerce.

 