May 25, 2023
Magento 2 PCI compliance: What it is and how your ecommerce store can comply

According to the Baymard Institute, 18% of customers don’t go forward with a purchase due to a lack of trust in the website. But by adding a secure checkout to your Magento store, you can move those customers past the finish line.

However, a secure ecommerce checkout involves a long checklist that requires a multifaceted security approach.

The good news? You can tick most of the checkboxes and gain the trust of your buyers by complying with Payment Card Industry Data Security Standards (PCI-DSS).

Read on to learn more about PCI-DSS, what it requires, and how to make your Magento store PCI compliant.


Payment Card Industry Data Security Standards (PCI-DSS) refers to the security requirements a business must comply with to get support from major payment card networks.

PCI-DSS requirements are defined by the PCI Security Standards Council (PCI SSC), which comprises American Express, Discover, JCB, Mastercard, and Visa.

You can find the current PCI-DSS requirements in the image below.

PCI-DSS requirements as shared by PCI SSC in its quick reference guide.

PCI compliance: Merchant levels

While the PCI requirements stay the same for every merchant, the compliance and audit process varies depending on how many transactions they process.

Here’s a transaction threshold for each merchant compliance level you can use to see where your company lies.

  • Level 1 Merchant
    • More than six million Visa, Discover, or Mastercard transactions per year.
    • More than 2.5 million American Express transactions per year.
    • More than one million JCB transactions per year.
  • Level 2 Merchant
    • Between one and six million Visa, Discover, or Mastercard transactions per year.
    • Between 50,000 and 2.5 million American Express transactions per year.
  • Level 3 Merchant
    • Between 20,000 and one million Visa and Mastercard transactions per year.
    • Between 10,000 and 50,000 American Express transactions per year.
    • Fewer than one million Discover or JCB transactions per year.
  • Level 4 Merchant
    • Fewer than 20,000 Visa and Mastercard transactions per year.
    • 10,000 or fewer American Express transactions per year.

Level 1 merchants must comply with the strictest requirements and be assessed by a Qualified Security Assessor (QSA) to ensure compliance. The remaining merchants typically submit a Self-Assessment Questionnaire (SAQ) to report compliance.

If a merchant doesn’t comply with the PCI-DSS and suffers a security breach, they can be fined up to $500,000 and may be subject to a suspension of payment method support.

Get fully managed Magento hosting

Accelerate your store's potential, without the ongoing maintenance

How does Magento handle PCI compliance?

Magento isn’t automatically PCI compliant since PCI-DSS covers more than just the ecommerce platform — from security to website hosting. However, Magento doesn’t store payment card data, so you can make your Magento store PCI compliant by benefitting from the tons of options Magento offers.

To start, you can opt for a payment gateway that takes most of the PCI compliance work out of your hands. Similarly, you can partner with a secure host that complies with PCI-DSS to ensure that credit card data is always protected.

Let’s dive deeper into these and other best practices below.

Magento 2 PCI compliance: Best practices

Given the PCI-DSS requirements, you have to make sure cardholder data stays protected throughout the checkout process on your Magento store. Here are some ways to achieve that.

Default to Magento-supported payment gateways

With payment gateways, you limit your exposure to sensitive data. With little data to protect and interact with, you have less to worry about.

For instance, you can opt for a PayPal Express Checkout like Smartwool. When a user clicks PayPal Checkout, the browser opens a PayPal window where they can enter their credit card details to pay.

Paypal Checkout button opens a PayPal window.

If you opt for this method, the buyer directly interacts with PayPal’s servers, so you can typically enjoy simpler compliance requirements and submit the basic SAQ or SAQ A.

While the method above simplifies the Magento compliance process, it’s not the smoothest of processes for customers. They need to go through multiple hoops just to pay you — which is not something you want if you’re looking to improve the checkout process.

Instead, you can offer overly-cautious users a seamless experience with a Stripe integration like Formlabs. With Stripe, the payment form appears as part of the website, so users don’t have to go to another tab or window to finalize purchases.

Checkout page of Formlabs that shows where you can enter credit card information.

However, this method makes compliance a bit more complex to achieve.

First, you must include a JavaScript (JS) file from Stripe (or another payment provider) on your checkout page to ensure secure processing via Stripe’s API. If you want to avoid using an external JavaScript file, you’ll have to report your compliance via SAQ A-EP, which has slightly stricter requirements.

Second, your website must use a Secure Sockets Layer (SSL) certificate.

Add an SSL certificate

SSL encrypts the traffic between the web browser and a web server. In other words, an SSL certificate blocks malicious agents from eavesdropping on the information exchange between the visitor and web server on open, public networks.

So if you’re asking customers to enter their credentials via a form on your website, you must use an SSL to comply with PCI-DSS.

Nexcess offers premium SSL certificates.

If you partner your website with Nexcess, you get SSL for free with all its hosting plans. Otherwise, you can buy an SSL certificate with Nexcess at an affordable price.

Use PCI-compliant hosting

To fulfill PCI-DSS requirements, you need a robust firewall, a restricted physical access policy, a regular networking monitoring system, and much more. But you can’t fulfill these requirements yourself since these involve protecting the customer data in storage and transfer — matters typically handled by your hosting provider.

In short, you need a web hosting provider that offers:

  • Secure systems: The web hosting provider should take the required security precautions on its end, including reviewing legacy code for possible backdoors.
  • Robust firewalls: A firewall monitors the incoming and outgoing traffic and ensures that only allowed applications can access the system.
  • Vulnerability management: Make sure the web host offers tools like antivirus software for scanning and removing viruses without the risk of a data breach.
  • Managed services: A managed hosting provider keeps the website infrastructure updated on your end to close security gaps.
  • Restricted access controls: The hosting provider should restrict employees from accessing sensitive data and systems and only allow it on a need basis. The host should also have visitor logging and sitewide surveillance at the data center.

If you’re looking for such a host, check out Nexcess managed Magento hosting. As a certified Level 1 Solution Provider, we handle all the hosting-side compliance requirements, so you can work on your store stress-free.

Nexcess also offers help with PCI-DSS compliance reporting. You can ping us for a copy of our SAQ D to submit with your report. And you can also rely on us for quarterly Approved Scanning Vendor (ASV) scans.

Enforce security measures

While payment gateways and PCI-compliant hosting get you almost off the hook, there are still a few things you’ve got to tackle on your own.

To start, you need to restrict access on a need basis. Not every employee in your company needs to access every piece of data in your Magento website. Make sure only the relevant people have access to payment-related data.

Once that’s out of the way, implement a password policy:

  • Use unique passwords: Avoid passwords like “password!” and “default.”
  • Enable 2FA: Add two-factor authentication (2FA) functionality to protect your website against phishing attacks.
  • Set password change reminders: Force admin users to change passwords at least every 90 days.

Lastly, step up your website management game by using only reputable extensions from the Magento marketplace and updating them to avoid security vulnerabilities.

Final thoughts: 4 best practices to make your Magento 2 store PCI compliant

As a Magento 2 store owner, complying with PCI-DSS requirements can be a struggle. But it’s definitely worth it to offer a secure checkout experience and build trust among your customers.

In Nexcess, you find a PCI-compliant host that also offers scalability, performance, and 24/7/365 technical support. Sign up for Nexcess enterprise hosting for Magento today.

Maddy Osman
Maddy Osman

Maddy Osman is a WordPress expert, WordCamp US speaker, bestselling author, and the Founder and SEO Content Strategist at The Blogsmith. She has a B.A. in Marketing from the University of Iowa and is a WordCamp Denver organizer while also operating The Blogsmith, an SEO content agency for B2B tech companies that works with clients like HubSpot, Automattic, and Sprout Social. Learn more about The Blogsmith's process and get in touch to talk content strategy:

We use cookies to understand how you interact with our site, to personalize and streamline your experience, and to tailor advertising. By continuing to use our site, you accept our use of cookies and accept our Privacy Policy.