According to the Baymard Institute, 18% of customers don’t go forward with a purchase due to a lack of trust in the website. But by adding a secure checkout to your Magento store, you can move those customers past the finish line.
However, a secure ecommerce checkout involves a long checklist that requires a multifaceted security approach.
The good news? You can tick most of the checkboxes and gain the trust of your buyers by complying with Payment Card Industry Data Security Standards (PCI-DSS).
Read on to learn more about PCI-DSS, what it requires, and how to make your Magento store PCI compliant.
- PCI-DSS 101
- How does Magento handle PCI compliance?
- Magento 2 PCI compliance: Best practices
- Final thoughts: 4 best practices to make your Magento 2 store PCI compliant
Payment Card Industry Data Security Standards (PCI-DSS) refers to the security requirements a business must comply with to get support from major payment card networks.
PCI-DSS requirements are defined by the PCI Security Standards Council (PCI SSC), which comprises American Express, Discover, JCB, Mastercard, and Visa.
You can find the current PCI-DSS requirements in the image below.
PCI compliance: Merchant levels
While the PCI requirements stay the same for every merchant, the compliance and audit process varies depending on how many transactions they process.
Here are the transaction thresholds for each merchant compliance level, so you can see where your company falls.
- Level 1 Merchant
- More than six million Visa, Discover, or Mastercard transactions per year.
- More than 2.5 million American Express transactions per year.
- More than one million JCB transactions per year.
- Level 2 Merchant
- Between one and six million Visa, Discover, or Mastercard transactions per year.
- Between 50,000 and 2.5 million American Express transactions per year.
- Level 3 Merchant
- Between 20,000 and one million Visa and Mastercard transactions per year.
- Between 10,000 and 50,000 American Express transactions per year.
- Fewer than one million Discover or JCB transactions per year.
- Level 4 Merchant
- Fewer than 20,000 Visa and Mastercard transactions per year.
- 10,000 or fewer American Express transactions per year.
Level 1 merchants must comply with the strictest requirements and be assessed by a Qualified Security Assessor (QSA) to ensure compliance. The remaining merchants typically submit a Self-Assessment Questionnaire (SAQ) to report compliance.
If a merchant doesn’t comply with the PCI-DSS and suffers a security breach, they can be fined up to $500,000 and may be subject to a suspension of payment method support.
How does Magento handle PCI compliance?
Magento isn’t automatically PCI compliant, since PCI-DSS covers more than just the ecommerce platform: it spans everything from application security to website hosting. However, Magento doesn’t store payment card data itself, so you can make your Magento store PCI compliant by taking advantage of the options Magento offers.
To start, you can opt for a payment gateway that takes most of the PCI compliance work out of your hands. Similarly, you can partner with a secure host that complies with PCI-DSS to ensure that credit card data is always protected.
Let’s dive deeper into these and other best practices below.
Magento 2 PCI compliance: Best practices
Given the PCI-DSS requirements, you have to make sure cardholder data stays protected throughout the checkout process on your Magento store. Here are some ways to achieve that.
Default to Magento-supported payment gateways
With payment gateways, you limit your exposure to sensitive data. Because the gateway handles the card details, little sensitive data ever reaches your server, and there is less for you to protect.
For instance, you can opt for PayPal Express Checkout, as Smartwool does. When a user clicks PayPal Checkout, the browser opens a PayPal window where they enter their credit card details to pay.
If you opt for this method, the buyer interacts directly with PayPal’s servers, so you can typically enjoy simpler compliance requirements and submit the simplest questionnaire, SAQ A.
While the method above simplifies the Magento compliance process, it’s not the smoothest of processes for customers. They have to jump through extra hoops just to pay you, which is not what you want if you’re trying to improve the checkout flow.
Instead, you can offer wary users a seamless experience with a Stripe integration, as Formlabs does. With Stripe, the payment form appears as part of the website, so users don’t have to go to another tab or window to finalize purchases.
However, because the payment form is embedded in your own page, this method makes compliance somewhat more involved.
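Whichever gateway you choose, the security property you are relying on is that only a gateway token, never a raw card number, reaches your store. The check below is an added example (Python, not code from this article or from Magento, PayPal or Stripe) that enforces that property on an incoming checkout payload and can also be run over log lines to catch accidental leakage; the payload shape, field names and the `payment_token` key are assumptions, and the card numbers are standard test numbers.

```python
import re

# Constructed example: a checkout request after the gateway has tokenized the card
# in the browser. Only the token and order data reach the store (field names assumed).
SAFE_PAYLOAD = {"order_id": "100000123", "payment_token": "tok_EXAMPLE_1a2b3c", "amount": "49.99"}

# Constructed example of what must never reach the store: a raw PAN (Visa test number) and CVV.
UNSAFE_PAYLOAD = {"order_id": "100000124", "card_number": "4111 1111 1111 1111", "cvv": "123"}

# Constructed log line with a Mastercard test number, to show the same detector on logs.
LOG_LINE = "POST /checkout card=5555555555554444 status=200"

# 13-19 digits, optionally separated by spaces or dashes (how PANs appear in forms and logs)
_DIGIT_RUN = re.compile(r"(?:\d[ -]?){13,19}")

# Field names that by definition carry cardholder data (PCI-DSS says: do not store them)
FORBIDDEN_KEYS = {"card_number", "cc_number", "pan", "cvv", "cvc", "cvv2"}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation used by all major card networks."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return digit runs of card-number length that pass Luhn (likely PANs)."""
    found = []
    for m in _DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def validate_checkout_payload(payload: dict):
    """Accept only payloads that carry a gateway token and no raw card data.

    Returns (ok, reasons). Reasons mask the PAN so the report itself is safe to log.
    """
    reasons = []
    for key in payload:
        if key.lower() in FORBIDDEN_KEYS:
            reasons.append(f"forbidden cardholder-data field: {key}")
    for key, value in payload.items():
        for pan in find_pans(str(value)):
            reasons.append(f"PAN-like value in field {key}: ****{pan[-4:]}")
    if "payment_token" not in payload:
        reasons.append("missing payment_token from gateway")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(validate_checkout_payload(SAFE_PAYLOAD))     # (True, [])
    print(validate_checkout_payload(UNSAFE_PAYLOAD))   # (False, [...four reasons...])
    print(find_pans(LOG_LINE))                         # ['5555555555554444']
```

Rejecting such a request at the edge, and alerting on it, is the practical form of "limiting exposure": if a PAN ever shows up in a request or a log, something in the integration (a custom form, a debug log, a misconfigured extension) is bypassing the gateway. Long numeric order or tracking ids that happen to pass Luhn can trigger false positives, so treat hits as something to review, not as proof of a breach.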
Add an SSL certificate
Second, your website must use a Secure Sockets Layer (SSL) certificate.
SSL (in practice today, its successor TLS) encrypts the traffic between the web browser and the web server. In other words, an SSL certificate prevents attackers from eavesdropping on the exchange between the visitor and your web server, including on open, public networks.
So if you’re asking customers to enter their credentials or card details via a form on your website, you must use an SSL certificate to comply with PCI-DSS.
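Having a certificate is not the whole story: a form that collects a password or card field but submits to a plain `http://` action still sends that data in the clear. The scanner below is an added example (Python, not code from this article or from Magento) that parses a page's HTML and reports forms with sensitive fields whose resolved action is not HTTPS; the sample page, form ids and field names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample checkout page: the login form posts over HTTPS, the payment
# form posts over plain HTTP (the defect we want to catch), the search form is harmless.
SAMPLE_HTML = """
<html><body>
<form id="login" action="https://shop.example/customer/account/loginPost" method="post">
  <input name="login[username]"><input type="password" name="login[password]">
</form>
<form id="pay" action="http://shop.example/checkout/pay" method="post">
  <input name="cc_number"><input name="cc_cid">
</form>
<form id="search" action="/catalogsearch/result/" method="get">
  <input name="q">
</form>
</body></html>
"""

# Substrings that mark an input as carrying credentials or cardholder data (assumed naming)
SENSITIVE_NAMES = ("password", "cc_", "card", "cvv", "cvc")


class FormScanner(HTMLParser):
    """Collect every form on the page with its absolute action URL and sensitive inputs."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty/relative action resolves against the page URL, so an http:// page
            # with <form action=""> is just as insecure as an explicit http:// action.
            self._current = {
                "id": a.get("id", "?"),
                "action": urljoin(self.page_url, a.get("action") or ""),
                "sensitive": [],
            }
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            if (a.get("type") or "").lower() == "password" or any(s in name for s in SENSITIVE_NAMES):
                self._current["sensitive"].append(a.get("name"))

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def insecure_forms(html: str, page_url: str) -> list:
    """Ids of forms that collect sensitive data but would submit it without TLS."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    return [
        f["id"]
        for f in scanner.forms
        if f["sensitive"] and urlparse(f["action"]).scheme != "https"
    ]


if __name__ == "__main__":
    print(insecure_forms(SAMPLE_HTML, "https://shop.example/checkout/"))  # ['pay']
```

Run it against the rendered HTML of your login and checkout pages after any theme or extension change; a payment extension that hard-codes an `http://` action, or a page served over HTTP with a relative action, shows up immediately. It checks the form's destination only, not the strength of the TLS configuration itself, which you verify separately against the server.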
Use PCI-compliant hosting
To fulfill PCI-DSS requirements, you need a robust firewall, a restricted physical access policy, regular network monitoring, and much more. You usually can’t meet these requirements on your own, because they involve protecting customer data at rest and in transit, which is typically handled by your hosting provider.
In short, you need a web hosting provider that offers:
- Secure systems: The web hosting provider should take the required security precautions on its end, including reviewing legacy code for possible backdoors.
- Robust firewalls: A firewall monitors the incoming and outgoing traffic and ensures that only allowed applications can access the system.
- Vulnerability management: Make sure the web host offers tools such as antivirus software for scanning and removing malware before it can lead to a data breach.
- Managed services: A managed hosting provider keeps the website infrastructure updated on your behalf to close security gaps.
- Restricted access controls: The hosting provider should restrict employees from accessing sensitive data and systems and only allow it on a need-to-know basis. The host should also have visitor logging and sitewide surveillance at the data center.
If you’re looking for such a host, check out Nexcess managed Magento hosting. As a certified Level 1 Solution Provider, we handle all the hosting-side compliance requirements, so you can work on your store stress-free.
Nexcess also offers help with PCI-DSS compliance reporting. You can ping us for a copy of our SAQ D to submit with your report. And you can also rely on us for quarterly Approved Scanning Vendor (ASV) scans.
Enforce security measures
While payment gateways and PCI-compliant hosting get you almost off the hook, there are still a few things you’ve got to tackle on your own.
To start, you need to restrict access on a need-to-know basis. Not every employee in your company needs access to every piece of data in your Magento website. Make sure only the relevant people have access to payment-related data.
Once that’s out of the way, implement a password policy:
- Use strong, unique passwords: Avoid passwords like “password!” and “default.”
- Enable 2FA: Add two-factor authentication (2FA) functionality to protect your website against phishing attacks.
- Set password change reminders: Force admin users to change passwords at least every 90 days.
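The three rules above translate directly into checks you can automate: a policy applied when an admin sets a new password, and a periodic review that flags admin accounts with stale passwords or no 2FA. The script below is an added example (Python, not code from this article or from Magento); the user records, their field names and the weak-password list are constructed assumptions, and in a real review you would feed it an export of your admin users rather than the inline sample.

```python
import re
from datetime import date, timedelta

# Policy constants (90-day rotation is the rule from the article; the rest are assumptions)
WEAK_PASSWORDS = {"password", "password!", "default", "admin", "admin123", "magento", "123456"}
MIN_LENGTH = 12
MAX_PASSWORD_AGE = timedelta(days=90)

# Constructed sample of admin accounts as an export of your admin users might look
# (hypothetical fields; passwords themselves are never stored or exported).
ADMIN_USERS = [
    {"username": "alice", "password_set": date(2024, 3, 1), "two_factor": True},
    {"username": "bob", "password_set": date(2024, 3, 1), "two_factor": False},
    {"username": "carol", "password_set": date(2023, 10, 1), "two_factor": True},
]
REVIEW_DATE = date(2024, 4, 1)   # constructed "today" for the review


def password_violations(password: str, username: str = "") -> list:
    """Policy applied when an admin chooses a new password. Empty list means accepted."""
    problems = []
    if password.lower() in WEAK_PASSWORDS:
        problems.append("common/default password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # count character classes present: lower, upper, digit, other
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("needs at least three character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def admin_account_findings(users: list, today: date) -> list:
    """Periodic review: (username, finding) for stale passwords and missing 2FA."""
    findings = []
    for u in users:
        if today - u["password_set"] > MAX_PASSWORD_AGE:
            findings.append((u["username"], "password older than 90 days"))
        if not u["two_factor"]:
            findings.append((u["username"], "2FA not enabled"))
    return findings


if __name__ == "__main__":
    print(password_violations("password!"))
    print(password_violations("Xk9#vL2pQw!mR7zT", "alice"))   # []
    for user, finding in admin_account_findings(ADMIN_USERS, REVIEW_DATE):
        print(f"{user}: {finding}")
```

The review half is the part worth scheduling: run it after every onboarding and offboarding, and whenever the findings list is non-empty, either rotate the password or remove the account rather than leaving the gap open until the next quarterly scan. Magento 2's own admin configuration (Stores > Configuration > Advanced > Admin > Security) has a Password Lifetime setting that enforces the rotation rule natively; the script complements it by giving you a report you can attach to your compliance evidence.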
Lastly, step up your website management by using only reputable extensions from the Magento marketplace and keeping them updated to close known security vulnerabilities.
Final thoughts: 4 best practices to make your Magento 2 store PCI compliant
As a Magento 2 store owner, complying with PCI-DSS requirements can be a struggle. But it’s definitely worth it to offer a secure checkout experience and build trust among your customers.
With Nexcess, you get a PCI-compliant host that also offers scalability, performance, and 24/7/365 technical support. Sign up for Nexcess enterprise hosting for Magento today.