How Magento Enterprise Helps Achieve PCI Compliance

Posted by Gian Genovesi

November 7, 2014 | 2:05 PM


The Most Importantly Boring Thing You Will Ever Read 

With the holiday season approaching and more and more incidents of credit card information being hacked from retailers, the security of your eCommerce site is more important than ever. Meeting PCI Compliance standards is a way to make sure that your business is secure in all aspects of customer payment information. According to the PCI Security Standards Council, “PCI DSS [Payment Card Industry Data Security Standard] provides a baseline of technical and operational requirements designed to protect cardholder data.” While the solution to security issues, PCI Compliance, may seem simple, the path to achieving it is not.

PCI Compliance is a complicated necessity for merchants. Becoming PCI compliant is a marriage between the enterprise-wide PCI requirements outlined in this document and the assessment of a CISSP (Certified Information Systems Security Professional). With 12 different requirements for protecting all aspects of stored cardholder data, it can be difficult to keep up with all of the nuanced stipulations. Not meeting these requirements, however, is not an option. The 12 PCI DSS requirements, broken into six categories, are as follows:

Build and Maintain a Secure Network and Systems

1. Install and maintain a firewall configuration to protect cardholder data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters. 

Protect Cardholder Data

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across open, public networks. 

Maintain a Vulnerability Management Program

5. Protect all systems against malware and regularly update anti-virus software or programs.

6. Develop and maintain secure systems and applications.  

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need to know. 

8. Identify and authenticate access to system components. 

9. Restrict physical access to cardholder data. 

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data. 

11. Regularly test security systems and processes.

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for all personnel.

As mentioned in a previous blog post, Magento Enterprise helps to ease the burden of achieving PCI Compliance through a PA-DSS certified Payment Bridge. This relates to Protecting Cardholder Data and Implementing Strong Access Control Measures, among other aspects of the 12 PCI DSS requirements.

Although PCI Compliance focuses on the data obtained through payments, it affects the entire organization. PA-DSS (Payment Application Data Security Standard), however, is a subset of PCI Compliance focused specifically on payment applications. For merchants, this is applicable to things like POS terminals and eCommerce applications, as well as any and all applications used to gather account data and transfer funds from a customer. The key difference between PCI and PA-DSS is that PA-DSS outlines the proper requirements for handling account data as a payment system or application, whereas PCI compliance outlines the requirements for the entire enterprise.

Magento Enterprise fulfills the PA-DSS certification through its Secure Payment Bridge. The Secure Payment Bridge supports and is integrated with various external payment gateways, including PayPal and Braintree. But, while the Secure Payment Bridge itself is PA-DSS certified, it must be implemented in a PCI Compliant environment. Gian Genovesi, eCommerce Delivery Lead at Briteskies, came up with this analogy to describe how PA-DSS fits into PCI Compliance:

“I liken PCI Compliance to having cooks wear rubber gloves in a restaurant. It is a requirement that keeps the overall cooking process sanitary, but none of that matters if you are serving the food on dirty dishes. Similarly, your site can be PA-DSS Certified, but if the rest of your organization is not following its respective PCI requirements, it doesn’t matter.”

So, while PA-DSS is an integral part of PCI Compliance, it is not the only aspect that needs to be taken into consideration. Magento Enterprise fulfills its part of the equation by providing a PA-DSS compliant payment system (its record can be found here), but as a merchant, it’s imperative to create a PCI Compliant environment throughout the organization in order to truly reach PCI Compliance. 

One way to ease the stress of the PCI Compliance process is to partner with an experienced and certified development team. Certified developers have the knowledge and experience needed to truly know a platform's ins and outs, including the complicated PCI Compliance specifications. When it comes to something as crucial and nuanced as the entire PCI Compliance process, relying on experts is a great strategy.


Topics: eCommerce, Magento, Magento Enterprise

About Gian Genovesi

Gian is our eCommerce Account Manager. He has a fiery passion for serving and aiding clients in fully leveraging the value, features, and functions of their eCommerce systems. With a myriad of experience in leveraging eCommerce systems and their wide array of supporting systems & strategies, Gian constantly strives to put his clients in an optimal position for success in the online channel. Gian is constantly tortured by the Browns’ tumultuous operations and is taking bids for his fandom starting August 2016.
