YES, Magento can be PCI Compliant
I’m going to set the record straight on PCI compliance. There is a lot of information out there: much of it is right, much of it was written out of fear and paranoia, and some of it is conflicting, and the scary part is that both sides are often right. Some background has to come first, so be patient if you want to understand PCI compliance. Here we go!
What is PCI Compliance?
PCI compliance is known by a few different names, all of which refer to the same thing. The standard is published by the PCI Security Standards Council (PCI SSC), which was founded by the major card brands (Visa, MasterCard, American Express, Discover and JCB); the brands, not the Council, enforce it. These are not government regulations; they are contractual obligations that come with accepting cards. If your website ever comes in contact with a credit card number, even only in transit on its way to your gateway, then PCI DSS applies to you.
- (PCI Compliance) Meeting, and being able to prove that you meet, the requirements of the PCI Data Security Standard
- (PCI DSS) Payment Card Industry Data Security Standard, the actual document that lists the 12 requirements
How are these regulations enforced?
This is where the information online begins to conflict. The card brands do not deal with individual merchants directly. They hold the acquiring banks, payment processors and payment gateways responsible, meaning that the card brands will only ENFORCE the standard upon those parties. In turn, the acquirers and gateways are responsible for enforcing PCI DSS upon the individual merchants through the merchant agreement. So the party that actually asks you for proof of compliance is usually your acquiring bank or your gateway, not Visa.
Most likely you will not be able to prove full compliance on your own, and a full on-site assessment by a Qualified Security Assessor (QSA) costs far more than a small store can justify. That’s where Trustwave comes in. Trustwave is a PCI SSC Approved Scanning Vendor (ASV) that has partnered with many processors and gateways. It runs the quarterly external vulnerability scans that Requirement 11 calls for against your Magento webstore and reports whether the Internet-facing parts pass. You also pay a small monthly fee, which in some of these programs includes breach-protection coverage, a sort of insurance policy against PCI fines. One caveat: a scan only covers what is visible from the outside, and it does not make you compliant by itself; you still fill out the Self-Assessment Questionnaire (SAQ) that matches how you take cards. The simplest way to pass is to keep card numbers off your servers entirely by sending the shopper to the gateway’s hosted payment page or a gateway-hosted form, which puts you in scope for the shortest questionnaire (SAQ A). A Magento store that collects the card number in its own checkout form, or stores it with the Saved CC payment method, has far more of the twelve requirements to answer for.
Here are the PCI DSS requirements
The PCI Data Security Standard (PCI DSS) was created by the major card brands, through the PCI SSC, to ensure that every merchant handling card data adopts the same baseline of security measures. There are 12 requirements, grouped into 6 goals:
Build and Maintain a Secure Network
REQUIREMENT 1: Install and maintain a firewall configuration to protect cardholder data
REQUIREMENT 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
REQUIREMENT 3: Protect stored cardholder data
REQUIREMENT 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
REQUIREMENT 5: Use and regularly update anti-virus software
REQUIREMENT 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
REQUIREMENT 7: Restrict access to cardholder data by business need-to-know
REQUIREMENT 8: Assign a unique ID to each person with computer access
REQUIREMENT 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
REQUIREMENT 10: Track and monitor all access to network resources and cardholder data
REQUIREMENT 11: Regularly test security systems and processes
Maintain an Information Security Policy
REQUIREMENT 12: Maintain a policy that addresses information security
The Complete Magento PCI Compliance Guide