PCI Compliance (and Magento)

So, an interesting discussion came up yesterday on the WDG List in regards to shopping carts. I’m not going to delve into the whole thing (and the list of recommended carts the ladies on the list really went for), but one of the experts on the list responded to my interest in Magento.

Now, if you follow me at all, you’ll know that I’m moving away from ZenCart as the eCommerce system I know (I can get into reasons on that later – this post isn’t about that) and switching to Magento. So far, all I’ve done is install it on my localhost, and looked around the back-end, and it looks really promising.


If you’re preferred language isn’t English, you can access the PCI site in alternate languages too. There’s also a nice plain-English (and easier to navigate, IMO) site on the subject.

However, PCI Compliance is of great interest to anyone who plans to have an online store, and wants full control over the entire system. PCI Compliance has been somewhat of a mystery to me – I understand what it’s for, but like doing my Federal taxes, some of the language and “gist” of it is beyond my brain to comprehend.

My Understanding
My understanding isn’t much – I will admit that. Basically, I know these standards are coming around to protect end user data when they make transactions – to try and put security measures in place that everyone must comply to if they plan to sell things online and collect personal and sensitive information (like credit card numbers. addresses, etc.), and to keep it protected from malicious evildoers. So the basic idea is a good idea. The implementation and requirements I don’t know about, and I really have no opinion on. Like politics and religion, I’m sure everyone has something to say about it.

But the point is, it’s coming around to be a standard, whether you like it or not. You don’t like Obama as our US President? Well, too bad, He is. You’re gonna have to live with it – at least for a few more years. You don’t like PCI Compliance? Too bad – it’s here, and if you don’t comply…well let’s just say (as far as my understanding goes) you’d better, or you’re gonna be sorry.

Hot Topics in the FAQ
I’m just going to give a bullet-point overview on the FAQs of this PCI thing. As I write this, I’m sure some of the info will be new to me. I’m taking it directly from the site – and as mentioned before – this is my understanding of what they are saying. I’m no expert at all on this. But I am hoping that by bringing this to your attention, you’ll be more aware and feel the need to research for yourself.

  • When do I need to comply? You should already be complying. The “deadline date” for compliance has come and gone. If you’re a merchant, you should check with your service provider (this includes third-party services!)to see if you have any deadlines that are specific to your online shop.
  • How do I know i need to comply? If you store, process, or transmit sensitive information, you need to have PCI compliance in place. If you’re using a third-party service to handle this sensitive information for you, you need to make sure that this third-party service is PCI compliant, and make sure you have an agreement in place with the third-party service that they have the responsibility should anything become compromised.
  • What happens if I don’t? Basically, you need to check with the different brands you accept payment from (American Express, Mastercard, Visa, etc.) as these are the companies that enforce the compliance. It is my understanding that with most of these companies, if you do not comply, you will no longer be able to use their merchant services. Also, there are no federal laws to force compliance, but there are state laws in effect, and you should check your state laws to see if there’s anything you need to be aware of1. If you violate a state law, you’re liable for a lot more than what the credit card companies can dish out, I would think (like fines and possible imprisonment – again, I would think… I don’t know this for a fact).
  • Is there any time the full CC number can be displayed? In the case of someone ordering online, and the end user needing to check and see if the CC number they have entered is correct, then you can display it – but you must be on a secure server, and there must be a timeout on the screen so the information won’t be displayed indefinitely. But generally, you should mask or hide it, and only display the number if absolutely necessary.
  • Aren’t online shops who use third-party gateways that are PCI Compliant compliant by default? Short answer: no. Pretty much you need to do what’s called a Self-Assessment Questionnaire (SAQ) once a year to be sure that the data handles on the website is done so in a proper manner. You also generally have to submit the results of the SAQ to your providers.
  • As a small-to-medium sized business, what do I need to do to be compliant? This explains it better than I could!

Now, with some of that out of the way, the discussion on the list brought something to my attention that I wasn’t aware of: Magento is supposedly not PCI Compliant. However, their site does insist you can become so, but from the looks of it, it doesn’t look like it’ll be an easy (or cheap) option to pull it off. (On the..uh..upside, if you don’t pull it off, it would be more expensive!) From what I understand, you’re basically going to need to get a secure hosting environment. Shared hosting for online shopping carts just ain’t gonna cut it anymore. (I think this could be generally true for any cart software you choose to use for your website – not just for Magento.)

So it looks like if you plan to use a shopping cart on your site – even if you plan to use a third-party gateway system to pull it off – you’re “better safe than sorry” by getting yourself a secure host, a valid security certificate, and making sure that data is safe.

Well, it appears I’m being distracted – today is the first day for WordCamp Boston, and I only live about 1.25 hours from the great city. I’m actually going to MA this weekend to visit my sick mother-in-law, but I’ll be in Pittsfield rather than Boston, and although I love my MIL, I’ll be wishing I was going the other direction on 90 LOL All the #bestwordcampever hashtags on Twitter are diving me to the brink, and I’m losing my focus on this. <seethingwithjealousy>me</seethingwithjealousy>

Hopefully this indistinct rambling on PCI Compliance will get you thinking about your clients who sell online, and what it means to them. How will this alter your proposals for your prospective clients? How about the ones you already have – will you be letting them know what’s up, and trying to get them to comply? Boy – that’s a whole new world in and of itself! I think for me it’ll be something that I’ll need to add to my proposals, when (and if) a client needs to create an online shop, and I’m going to start vetting non-shared hosts for future prospects – which is something I’ve never really gone into before.

I’d definitely love to hear your thoughts on this – especially if you have some good info to pass along to others who have no clue (like me!)

1. PCI Compliance Guide

Comments

  • tee

    Glad you move to Magento!

    I didn’t investigate too much on the PCI compliance as far as Magento is concerned, my understanding it, it’s not out-of-the-box but if you go with Enterprise Edition (near $9k a year) than it’s PCI compliance. It’s darn important to make your eCommerce store PCI Compliance if payment gateway is used, if you use payment option such as Google Checkout or Paypal then you are OK without it. A few Magento optimized web-hosts have started offering PCI compliant servers, I think this is a more cost effective approach for small businesses.

    February 19, 2010 at 6:58 pm Reply
  • Jim Walker

    PCI compliance on a shared server is very doable. Been PCI compliant for years on my shared server (with Zencart, Magento, etc.).

    You just have to find a security minded web host is all.

    [Site owner edit to remove contact information - apologies, but comments are not adspace. But thank you for the addition!]

    February 25, 2010 at 7:53 pm Reply
  • Sigma Infosolutions

    Version :magento.1.4.x.

    It will have default order export functionality compare to older version. With present version we need to download extension to do order export.

    Therefore Its better to use magento 1.4.x for new features.

    July 16, 2010 at 1:14 pm Reply
  • Have your say: