PCI Compliance - Questions and Answers with Magento Team and Rackspace
Please post your questions to the Magento Team and Rackspace here on implementing Magento in a PCI Compliant environment. We’ll select a number of questions to answer and post the answers in the Magento Blog.
One of the key reasons behind PCI-DSS is to make sure that credit card data are either not stored or are stored properly.
The infrastructure, policy and processes play an important part; but the way the application handles payment data is also very important. If I decide to store credit card data, to make things easier for the users the next time they shop, in order to make split settlements etc... what happens? Are the data encrypted? How? How are the keys for encrypting data generated, and how easy is it to access them? Do you store CV2 data? etc...
My point is that having Rackspace be super secure, when data are not protected by the application in the first place, won’t be of great help and in theory won’t get you PCI compliant.
Please, it is important that you clearly tell your customers how to become PCI compliant with Magento and a hosting company such as Rackspace.
A lot of smaller businesses don’t need the resources provided by a dedicated server and would find the cost too high. What are the implications for PCI-DSS compliance with running Magento on shared hosting? Obviously, storing credit card details would be out of the question, but what about the case when credit card details are accepted on the site via SSL and passed on to the payment gateway?
There has been a great deal of discussion around using Magento in scalable or elastic computing environments, primarily cloud hosting. RackSpace’s Mosso and Amazon’s EC2 are two such cloud/elastic computing environments that quickly come to mind. Given the ‘pooling’ of CPU/RAM/DISK resources that these hosting models use, is it possible to achieve PCI Compliance in such a ‘pooled’ environment where resource isolation is impossible?
Many e-retailers are of the understanding that if they do not store cardholder data they are not required to be PCI Compliant. Is this true, and if so, what type of retailer would SAQ Validation type 4 apply to?