PCI Compliance - Questions and Answers with Magento Team and Rackspace

Last modified by Crucial Web Host on Sat, January 3, 2009 11:23

Please post your questions to the Magento Team and Rackspace here on implementing Magento in a PCI Compliant environment. We’ll select a number of questions to answer and post the answers in the Magento Blog.

One of the key reasons behind PCI-DSS is to make sure that credit card data are either not stored or are stored properly.

The infrastructure, policy and processes play an important part; but the way the application handles payment data is also very important. If I decide to store credit card data, to make things easier for the users the next time they shop, in order to make split settlements etc... what happens? Are the data encrypted? How? How are the keys for encrypting data generated, and how easy is it to access them? Do you store CV2 data? etc...

My point is that having Rackspace be super secure, when data are not protected by the application in the first place, won’t be of great help and in theory won’t get you PCI compliant.

Please, it is important that you clearly tell your customers how to become PCI compliant with Magento and a hosting company such as Rackspace.

Kind Regards,

Osvaldo

Questions

1. What about shared servers or VPS?

A lot of smaller businesses don’t need the resources provided by a dedicated server and would find the cost too high. What are the implications for PCI-DSS compliance with running Magento on shared hosting? Obviously, storing credit card details would be out of the question, but what about the case when credit card details are accepted on the site via SSL and passed on to the payment gateway?

2. Who needs to be PCI Compliant?

Many e-retailers are of the understanding that if they do not store cardholder data they are not required to be PCI Compliant. Is this true? If so, what type of retailer would SAQ Validation type 1 & 4 apply to?

3. Steps to PCI compliance

There seems to be a consensus by e-retailers that passing a quarterly scan is all that is required to become PCI-DSS Compliant. Could you describe the differences between scans such as “McAfee Secure” and legitimate PCI Compliance under SAQ Validation types 1, 4 & 5?

4. Shared Hosting PCI compliance

Is it possible to be certified PCI compliant (SAQ C) in a shared hosting (single service/multi-tenant) environment even if the hosting provider is a PCI certified service provider?
