PCI Compliance - Questions and Answers with Magento Team and Rackspace
Please post your questions to the Magento Team and Rackspace here on implementing Magento in a PCI compliant environment. We'll select a number of questions to answer and post the answers in the Magento Blog.
One of the key reasons behind PCI-DSS is to make sure that credit card data is either not stored or is stored properly.
The infrastructure, policy and processes play an important part in it; but the way the application handles credit card data is paramount. If I decide to store credit card data, to make things easier for the users the next time they shop, in order to make split settlements etc... what happens? Is the data encrypted? How? How are the keys for encrypting data generated and how easy is it to access them? Do you store CV2 data? etc...
My point is that having Rackspace be super secure, when data is not protected by the application in the first place, won't be of great help.
Please, it is important that you clearly tell your customers how to become PCI compliant with Magento and a hosting company such as Rackspace.
Having Rackspace Level 1 compliant won't make it if I decide to store data in Magento and Magento ends up not protecting the data.