If your Magento 1 business handles credit card information, you may already be aware of the 300+ security requirements in PCI DSS. If you’re not familiar, this article will cover some of the basics and offer resources for certifying compliance.
Founded in 2006 by American Express, Discover, JCB International, Mastercard, and Visa, the Payment Card Industry Data Security Standard (PCI DSS) sets the minimum standard for data security around processing credit card transactions. It helps reduce fraud and data breaches across the payment ecosystem and applies to any organization that accepts or processes payments via credit cards.
PCI DSS Compliance
PCI DSS compliance involves three main rules:
- Sensitive credit card data from consumers should be collected and transmitted securely
- That data must be stored securely by utilizing encryption, ongoing monitoring, and security testing of access to card data
- Validate annually that the required security controls are in place
Sensitive data from consumers
Companies that handle card data may be required to meet each of the 300+ security controls in PCI DSS. Even if card data only passes through a business’s infrastructure for a moment, the company would need to purchase, implement, and maintain security software and hardware.
If a company does not need to handle sensitive credit card data, it shouldn’t. Third-party solutions (like Stripe) securely accept and store credit card data, removing considerable complexity, cost, and risk. If card data never touches your business’s servers, you would only need to confirm 22 relatively straightforward security controls, like using strong passwords.
Store data securely
If an organization handles or stores credit card data, it needs to define the scope of its cardholder data environment (CDE). PCI DSS defines the CDE as the people, processes, and technologies that store, process, or transmit credit card data—or any system connected to it.
Since all 300+ security requirements in PCI DSS apply to the CDE, it’s important to properly segment the payment environment from the rest of the business so as to limit the scope of PCI validation. If an organization is unable to contain the CDE scope, the PCI security controls would then apply to every system, laptop, and device on its corporate network. Nobody has time for that.
An annual review of required security controls
Regardless of how card data is accepted, organizations that handle credit card payments are required to complete a PCI validation form annually to maintain compliance.
12 Main Requirements for PCI DSS
The most recent version of the standard, PCI DSS 3.2.1, includes 12 main requirements with over 300 sub-requirements that mirror security best practices.
Those 12 main requirements are:
- Install and maintain a firewall configuration to protect cardholder information
- Never use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open or public networks
- Protect all systems against malware and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data
- Identify and authenticate access to system components
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all employees
New businesses can validate PCI compliance via nine self-assessment questionnaires (SAQs), each of which covers a subset of the full PCI DSS requirements. The difficulty comes from trying to figure out which requirements apply to your business. Some businesses will hire a PCI Council-approved auditor to ensure that each PCI DSS requirement has been met. And as if that isn’t complicated enough – the PCI Council revises the rules every three years and releases updates throughout each year. How can businesses secure their credit card data and maintain PCI compliance considering these factors?
Ways to Secure
There are a number of accepted ways to bring your website in line with the PCI DSS requirements, from hiring a qualified security assessor (QSA) company, to following the PCI 3-Step Process, to using Nexcess Safe Harbor in partnership with Stripe.
1. A Qualified Security Assessor
A Qualified Security Assessor is a data security firm that is qualified by the PCI Council to perform on-site PCI Data Security Standard assessments. An assessor will verify all technical information given by the merchant or service provider and use independent judgment to confirm the standard has been met. A list of Qualified Security Assessor (QSA) companies is published by the PCI Council.
2. The PCI 3-Step Process
- Assess: Identify cardholder data, take an inventory of IT assets and business processes involved in payment card processing, and analyze them for vulnerabilities.
- Remediate: Fix vulnerabilities and eliminate the storage of cardholder data unless it is absolutely necessary.
- Report: Compile and submit the required reports to the appropriate acquiring bank and card brands.
3. Safe Harbor
Magento 1 reached end-of-life in June 2020, putting thousands of ecommerce sites into a compliance grey area when Adobe stopped issuing official security updates.
While the ecommerce application itself represents only a small part of what PCI compliance truly entails, for merchants still running their ecommerce sites on Magento 1, the important thing to note is that there will no longer be security patches and updates issued for the platform. They’re on their own unless they’ve invested in a solution like Nexcess Safe Harbor. We strongly suggest you check out Stripe, which has committed to keeping its Magento 1 module going for its customers.
Stripe remains committed to enabling users to securely use Stripe’s products within Magento 1. To that end, Nexcess encourages you to install Stripe’s official Magento 1 module, which uses Stripe.js and Elements to simplify your site’s PCI compliance. Stripe will continue to release bug fixes and security updates for the Stripe Magento 1 module to ensure this solution follows Payment Card Industry Data Security Standards (PCI DSS).
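The point of client-side tokenization (as described above and in the "Sensitive data from consumers" section) is that the merchant server only ever receives a token, never the card number. One server-side control that enforces this is a request validator that rejects any checkout submission carrying an unexpected field or a value that looks like a primary account number. The following is an added illustrative example, not code from the Stripe module or from Nexcess; the field names, the `stripe_token` parameter and the sample requests are constructed assumptions.

```python
import re

# Fields a tokenized checkout form is allowed to post to the merchant server
# (assumed names for this example; the token replaces all raw card fields).
ALLOWED_FIELDS = {"stripe_token", "order_id", "amount", "currency", "email"}

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if the string contains a Luhn-valid 13-19 digit sequence."""
    for match in PAN_RE.finditer(value):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


def validate_checkout_request(form: dict) -> list:
    """Return a list of problems; an empty list means the request may proceed.

    Any unexpected field and any value resembling a card number is a problem,
    because accepting it would pull the server into the cardholder data scope.
    """
    problems = []
    for key, value in form.items():
        if key not in ALLOWED_FIELDS:
            problems.append(f"unexpected field: {key}")
        if looks_like_pan(str(value)):
            problems.append(f"field {key} contains what looks like a card number")
    if "stripe_token" not in form:
        problems.append("missing stripe_token")
    return problems
```

Wiring this in front of the order-placement handler (and logging rejections without the offending value) gives an early signal that a form or plugin has started posting raw card data to the server.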
As you can see, achieving and maintaining PCI compliance is no small feat. But with the right information, assistance from a compliance professional, and Nexcess Safe Harbor, businesses still operating on Magento 1 can keep their customers’ credit card data safe and secure.