eCommerce is an industry that relies heavily on card-not-present (CNP) payment channels. That dependence makes it a standing target for attackers and data breaches aimed at payment data.
In 2013, Target had the records of up to 110 million customers compromised, including roughly 40 million payment cards. The retail chain later paid an $18.5 million multistate settlement just to resolve the state investigations of the breach.
In 2017, the average cost of an eCommerce data breach was estimated at $172 per compromised record. Multiply that by the number of card records you hold and you have a rough idea of what a breach would cost your business.
PCI DSS was devised to regulate how companies protect, process, and store payment card data.
If you run a Magento store and haven't yet migrated to Magento 2, passing a PCI DSS assessment will be even more challenging for your business.
In this article, we are going to cover the basics of PCI compliance for eCommerce:
- the basics of PCI DSS compliance
- real benefits of being a PCI compliant eCommerce business
- what Magento store owners risk with PCI non-compliance
- Magento 1 and PCI compliance
- PCI DSS compliance levels and which one you need to pass
- comprehensive PCI DSS compliance checklist
Let’s dive deep into the details!
What is PCI DSS Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements that any business that stores, processes, or transmits cardholder data must follow. It defines the baseline technical and operational controls an eCommerce company needs to keep such data safe.
The PCI Security Standards Council was formed in 2006 to maintain the standard. It consists of the leading worldwide payment card networks: Visa, Mastercard, JCB International, Discover Financial Services, and American Express. The council publishes the standard and lists approved assessors and scanning vendors; enforcement is done by the card brands and by your acquiring bank through your merchant agreement.
PCI compliance is mandatory for any company that accepts payment cards, which includes every eCommerce website that takes card payments.
Important: eCommerce PCI compliance applies to any business accepting credit card payments. Even if you hand card entry off to a third-party service such as Stripe, Braintree, or PayPal, you still have PCI DSS obligations; outsourcing shrinks your scope (typically down to the short SAQ A questionnaire) but does not remove it.
The Importance of PCI Compliance for eCommerce
The eCommerce industry is an attractive target for attackers looking for an easy way to steal sensitive information. A breach can destroy your reputation in no time and cost millions in fines, penalties, and lawsuits.
The importance of PCI compliance for eCommerce is hard to overstate. For at least 27% of customers, the absence of visible fraud prevention and data security guarantees on a site is reason enough to abandon the transaction without buying.
Note: No store is small enough to be safe from data breaches. Even small merchants need to run a PCI compliant eCommerce business: around 43% of cyber-attacks target small businesses.
Small businesses are an easy target because they lack the security resources of giants such as Walmart, Amazon, and eBay. It is easier to break into a few smaller eCommerce websites than to breach Amazon.
Attackers target stores to harvest customers' payment details for card fraud, redirect customers to a fake shopping cart or checkout page, inject card-skimming scripts or other malware into the site, or take over the store outright.
Being a PCI compliant eCommerce merchant means protecting customers' card data in line with the current industry standard. The main payoff is trust: customers who know you follow PCI DSS requirements are more willing to complete their purchase, which directly reduces the checkout abandonment mentioned above.
Isn’t that what you need to make your eCommerce business successful?
The Risks of PCI Non-Compliance
eCommerce PCI compliance is a step you cannot skip if you want to accept online payments. If a company doesn't meet the PCI DSS requirements, the consequences range from loss of reputation to costly penalties.
PCI DSS Non-Compliance Penalties
If your Magento website is found to be PCI non-compliant, you can be charged hefty penalties, especially if customers suffer fraud that you could have prevented.
The figures below are commonly cited industry estimates; the actual amounts are set by the card brands and passed on to you by your acquiring bank under your merchant agreement, scaled by the size of the company and the duration of the infringement. They can vary from a few thousand to hundreds of thousands of dollars a month:
- If a company doesn't fix its security problems within 1-3 months, it faces roughly $5,000/month for a small business and up to $10,000/month for a large company.
- If a company does nothing for 4-6 months, the fine rises to around $25,000/month for a small business and $50,000/month for an enterprise eCommerce website.
- If the problems remain unfixed for 7 months or more, the penalty reaches about $50,000/month for a small business and $100,000/month for a large one.
Clearly, PCI non-compliance can hit your company hard. There is no way to avoid penalties if you neglect the PCI compliance of your Magento store: once found non-compliant, you can be paying $5,000 to $100,000 per month, depending on how long the infringement lasts.
Ban on Credit Cards Use
The major card brands set the PCI compliance rules and enforce them through acquiring banks. When a compromise is identified (often because the affected cards start turning up in fraud), it is reported to the brands through your acquirer. If you are found to be a repeat violator of PCI compliance requirements, the penalties might be the least of your worries.
Negligent Magento merchants can lose the right to accept card-not-present payments at their online store, which means the end of the eCommerce business. As external vulnerability scans are required every three months, a store that keeps failing them can be barred from accepting the most popular payment cards within that timeframe.
After a suspected or confirmed compromise, your acquirer can require a forensic investigation by a PCI Forensic Investigator (PFI) listed by the PCI SSC, at your expense. Commonly cited costs are $20,000-$50,000 for a small company, and much higher for a mid-size or enterprise-level eCommerce business.
Notifying customers promptly about a data breach is required by state and national breach-notification laws rather than by PCI DSS itself, but it follows every card data breach: you must tell affected customers what happened and which data was exposed, and you may be required to provide credit monitoring and counseling for a whole year. Some customers may also sue you for putting their sensitive information at risk, which drives the cost up dramatically.
Your task as a business owner is to protect your customers' sensitive data. Even if you decide to accept the risk, a lawsuit after a breach can force you through the assessments anyway.
If you violate PCI DSS requirements and are barred from accepting payments, you will need to pass a complete reassessment before you can accept cards again. Reassessments are conducted by an external Qualified Security Assessor (QSA), which takes time. Once you pass, your acquirer can reinstate card acceptance.
Card Reissuing Costs
After a breach, issuing banks have to replace the affected cards. Printing, shipping, activation, and customer communication cost from $3 to $10 per card, and the card brands can pass this cost on to you for every compromised card. With thousands of compromised card records, the bill is substantial.
Violating PCI DSS requirements has direct consequences for an eCommerce business. Once found non-compliant after a breach, you will have to deal with reassessment, fines, outraged customers, and much more. PCI compliance for eCommerce is therefore mandatory in practice, and it will save you both money and reputation.
Magento 1 and PCI Compliance
Magento 1 store owners dreaded the end of June 2020, when Magento 1 reached End of Life. As announced, the first version of the platform no longer receives security or quality fixes. Before long, a Magento 1 store will be obsolete, with no new features or performance improvements.
Still, there are bigger dangers in running a store on an unsupported platform. Visa, Mastercard, and the FBI have all warned merchants about the need to upgrade to Magento 2, voicing their concern that such stores quickly become vulnerable to attacks and data breaches.
Discover why our clients decide to migrate to Magento 2 in a video explaining Magento 2 migration on real cases.
Here is what you will have to deal with if you decide to stay on Magento 1:
- Without security patches, the security of your store and the safety of customer data are in jeopardy.
- Magento development companies won't update their Magento 1 modules, so you won't be able to quickly add new functionality. Magento Marketplace has already removed all Magento 1 modules; you can only get them from third-party developers, with no guarantee of their security.
- Magento PCI compliance will become practically impossible to pass, because unsupported software with known vulnerabilities fails the mandatory external scans.
- Data compromise will be a constant risk with no reliable way to prevent it.
Since external vulnerability scans are required every 90 days, Magento 1 stores can lose the ability to accept payments through most payment gateways within the same timeframe.
Want to know why choosing M1 support instead of Magento 2 Migration is a bad idea?
Check our article Mage One vs OpenMage vs Magento 2 Migration. You will learn why M1 support provided by these companies won’t be enough for eCommerce PCI compliance.
PCI DSS Requirement 6.2 says that all system components and software must be protected from known vulnerabilities by installing the vendor-supplied security patches (in your case, Magento's), with critical patches installed within one month of release. eCommerce companies must have policies and procedures to identify and remediate known vulnerabilities, and must be able to show an assessor evidence that those procedures are actually followed.
A company that cannot patch new vulnerabilities won't pass the scans run by Approved Scanning Vendors (ASVs): any vulnerability rated CVSS 4.0 or higher is a failing result, and so is software the vendor no longer supports. In other words, you won't be able to pass PCI compliance with a Magento 1 store. The best solution is to migrate your Magento 1 store to Magento 2 before it's too late for your business.
Just take a look at the main advantages of Magento 2 as compared to M1.
Still running a Magento 1 store?
Let’s migrate it to Magento 2. Get in touch with our team for initial project estimation and timeline. Don’t let M1 ruin your business!
PCI DSS Compliance Levels
PCI DSS defines four merchant levels based on the number of payment transactions per year. The thresholds are set by the card brands (Visa's are shown below; Mastercard's are similar), and the level determines how you validate compliance. Let's review the levels from the most stringent to the least.
PCI DSS Compliance Level 1
This is the top level of PCI compliance for eCommerce and applies to enterprise-level businesses with millions of transactions:
- Merchants that process 6+ million Visa transactions per year, counting all channels (online and offline if the company has physical stores)
- Service providers, including payment facilitators, that store, process, or transmit more than 300,000 transactions per year
- Any merchant that Visa decides to treat as Level 1, for example after a data breach
PCI DSS Compliance Level 2
This level applies to large companies with up to 6 million transactions:
- Merchants processing 1 to 6 million Visa transactions per year, online and offline combined
- Service providers and payment facilitators with fewer than 300,000 transactions per year
PCI DSS Compliance Level 3
This level applies to merchants processing 20,000 to 1 million Visa eCommerce transactions per year.
PCI DSS Compliance Level 4
Level 4 applies to smaller eCommerce companies with fewer transactions:
- Merchants with fewer than 20,000 Visa eCommerce transactions per year
- All other merchants processing up to 1 million Visa transactions per year across all channels
The overview above will help you work out which level applies to your business. Level 1 merchants must undergo an annual on-site assessment documented in a Report on Compliance (ROC), performed by a QSA or by a trained Internal Security Assessor (ISA), plus quarterly external network scans by an ASV. The PCI Security Standards Council publishes the full list of approved scanning vendors.
Levels 2, 3, and 4 complete the PCI DSS Self-Assessment Questionnaire (SAQ) every year (Mastercard additionally requires Level 2 merchants to have it done by an ISA or a QSA) and undergo quarterly external scans by any PCI SSC-approved ASV. Pick the SAQ that matches how you accept cards: SAQ A when card entry is fully outsourced to a hosted payment page or iframe, SAQ A-EP when your own site controls the payment page but never receives card data, and SAQ D when card data touches your systems.
How long does it take to become a PCI compliant eCommerce?
That depends mainly on which SAQ applies to you and how much of your environment is in scope. A store with a fully hosted checkout (SAQ A) can finish in a couple of days; a store that handles card data itself (SAQ D) usually needs weeks of remediation first. Two days to two weeks is the typical range.
12-Step PCI Compliance Checklist
PCI compliance for eCommerce is a complex process made up of twelve requirements, grouped under six goals:
- build and maintain a secure network
- protect cardholder data
- maintain a vulnerability management program
- implement strong access control measures
- regularly monitor and test networks
- ensure an information security policy
Let’s investigate each step in more detail.
Build and Maintain a Secure Network
This is the first requirement of eCommerce PCI compliance, and the natural place to start. Here, you need to secure your network and document the solutions you apply. You can either do all of this yourself or find a vendor to help.
- Identify your cardholder data environment (CDE): every system that stores, processes, or transmits cardholder data, plus anything connected to it or able to affect its security. If you use PCI compliant eCommerce hosting, the provider's infrastructure is part of your CDE; if you host the website on your own servers, they are automatically in scope. The smaller you keep the CDE (for instance, by using a hosted payment page), the less you have to assess.
- Prepare "Firewall Process" documentation covering all your servers, why you use them, who can access them with which roles, which software runs on each server, and what it is responsible for.
- Configure the firewall to deny everything by default and allow only the traffic required for business: for a web store typically inbound HTTPS (and HTTP only to redirect), administrative SSH from known addresses, and outbound connections only to the payment gateway, update repositories, and other documented destinations. The rule set must cover both inbound and outbound traffic, and Requirement 1.1.6 expects a documented business justification for every allowed service, port, and protocol.
- Apply the rules and configurations to all servers and add them to the "Firewall Process" documentation, then review the rule set at least every six months (Requirement 1.1.7).
This step is mandatory for companies that want to meet eCommerce PCI compliance requirements. Here you define how your network operates, who has access to it, and which traffic your firewall allows.
Don’t Use Vendor-Supplied Defaults
The second PCI DSS requirement warns eCommerce businesses against keeping vendor-supplied defaults for system passwords and other security parameters. Combined with the previous one, this step ensures that you are running a secure network:
- After you install new software, always change the default passwords, remove or disable unnecessary default accounts, and (for Magento) change the default admin URL and remove sample data before going live.
- Encrypt all non-console administrative access (SSH, HTTPS for the Magento admin panel) with strong cryptography; never use Telnet or plain HTTP for administration.
- Document how you manage vendor-provided defaults and make sure everyone in your company follows the procedure.
Protect Cardholder Data
The easiest way to meet this requirement is to keep card data off your systems entirely: use the payment gateway's hosted payment page or iframe so the card number never touches your servers, and store only the gateway's token, the customer ID, and the confirmation of successful payment.
If for some reason you must store card data, keep it only as long as there is a documented business need, render the primary account number (PAN) unreadable wherever it is stored (strong encryption, truncation, tokenization, or hashing), and delete it afterward. Sensitive authentication data (full magnetic stripe or chip data, CVV2/CVC2 codes, PINs) may never be stored after authorization, even encrypted. If you decide to process payments yourself, you fall under SAQ D and passing eCommerce PCI compliance becomes much harder.
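One check a practitioner wants before claiming that logs, database dumps, or support-ticket exports are "out of scope" is proof that no card numbers have leaked into them. The following is an added example written for this article; it is not Magento code, PCI SSC tooling, or anything from the original page. It treats a run of 13-19 digits as a PAN only if it passes the Luhn check (which filters out most order numbers, timestamps and phone numbers) and masks hits to first six / last four, the most that PCI DSS v3.2.1 Requirement 3.3 allows to be displayed. The log lines are constructed and use the card brands' public test numbers.

```python
"""Find and mask payment card numbers (PANs) in free text such as logs.

Added example for this article; it is not Magento code or PCI SSC tooling.
A run of 13-19 digits (optionally separated by single spaces or dashes) is
treated as a PAN only if it passes the Luhn check, which discards most
order numbers, timestamps and phone numbers. Hits are masked to the first
six and last four digits, the most PCI DSS v3.2.1 Requirement 3.3 permits
to be displayed.
"""
from __future__ import annotations

import re

# 13-19 digits with at most one space or dash between consecutive digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines using the card brands' public test numbers.
SAMPLE_LOG = "\n".join([
    "2021-03-01T10:15:02Z payment.log order=100000123 card=4111111111111111 status=authorized",
    '2021-03-01T10:16:40Z support.log ticket=48213 note="customer read card 5555 5555 5555 4444 over the phone, cvv 123"',
    "2021-03-01T10:17:11Z payment.log order=100000124 card=378282246310005 status=declined phone=+12125551234",
    "2021-03-01T10:18:00Z cron.log job=indexer run_id=1234567890123 duration_ms=842",
])


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _pan_from_match(m: re.Match[str]) -> str | None:
    """Digits-only PAN for a regex match, or None if it fails Luhn/length."""
    digits = re.sub(r"[ -]", "", m.group(0))
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else None


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits; star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN in text, digits only, in order found."""
    return [p for p in map(_pan_from_match, _CANDIDATE.finditer(text)) if p]


def scan_log(text: str) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, masked PANs) for each line with a hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        pans = find_pans(line)
        if pans:
            hits.append((n, [mask_pan(p) for p in pans]))
    return hits


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""
    def _sub(m: re.Match[str]) -> str:
        pan = _pan_from_match(m)
        return mask_pan(pan) if pan else m.group(0)
    return _CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for n, pans in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(pans)}")
    print(redact(SAMPLE_LOG))
```

The support-ticket line is the realistic failure: the card number and the CVV were typed into a free-text field by staff, which is exactly how cardholder data ends up in systems nobody listed in the CDE. Any hit from `scan_log` means that system is in scope until the data is purged and the process fixed; `redact` is for cleaning exports, not a substitute for not storing the data.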
Encrypt Cardholder Data Transmission
Strong cryptography for every transmission of cardholder data over open, public networks is mandatory (Requirement 4.1). In practice that means TLS 1.2 or later between the customer's browser and your store and between your store and the payment gateway. SSL and early TLS (TLS 1.0) have not been acceptable since June 30, 2018, and TLS 1.1 should be disabled as well.
TLS prevents eavesdropping and man-in-the-middle tampering, and a valid certificate lets the browser confirm it is talking to your site rather than an impostor. HTTPS is also a ranking signal for Google, so there is no reason to serve any page of the store unencrypted. Verify the configuration with your quarterly ASV scan, which fails any host still offering SSL or TLS 1.0.
Maintain a Vulnerability Management Program
eCommerce PCI compliance (Requirement 5) requires anti-virus or anti-malware software on all systems commonly affected by malware, kept current and generating audit logs. Anti-malware catches known malicious files and behaviour; it does not fix vulnerabilities, so it complements patching rather than replacing it.
Therefore, install anti-malware software on all workstations and servers in scope, keep it and its definitions up to date, prevent users from disabling it, and make sure nothing interferes with its operation.
Don’t want to deal with outdated Magento 1 and the consequences of M1 End of Life?
Check the article Magento 2 Migration: Business & Technical Sides to learn how to quickly migrate your store to Magento 2 and ensure data integrity.
Develop and Maintain Secure Systems and Applications
This PCI DSS requirement covers more than patching: keep your eCommerce platform, themes, and extensions on the latest supported versions, but also develop custom code securely and review changes before they reach production. For a standard Magento store, the bulk of the work is staying on a supported, patched version.
If you are a Magento 1 store owner, migrate to Magento 2: the first version of the platform has publicly known vulnerabilities that no longer get fixed. The same goes for outdated modules, each of which opens a window of opportunity for attackers.
Set up Access Control to Cardholder Data
Only a few people in your organization need access to cardholder data. Set up access control so that it is granted only to employees who really need it for their job, and deny everything else by default. Set up a system that lets you monitor their activity and spot behaviour resembling fraud attempts.
Create written rules for how employees work with such data and make sure they follow them.
Identify and Authenticate Access to System Components
Under this requirement, you must assign a unique ID to every person with access to system components, so that every action in your network can be traced to an individual and their access can be cut off when you notice suspicious activity.
At this stage, enforce multi-factor authentication for all administrative access to the cardholder data environment and for all remote access into it (Requirement 8.3), restrict access to the database holding sensitive data to those who need it, and never use shared or group accounts and passwords. You should be able to revoke a person's access to any part of your infrastructure immediately, for example when they leave the company.
Restrict Physical Access to Cardholder Data
eCommerce PCI compliance (Requirement 9) requires you to restrict physical access to cardholder data. This applies especially to businesses that keep such information on their own servers or on paper.
You need to know who can physically reach stored information. This is especially important for personally identifiable information, which can help attackers identify the person behind the data and even steal their identity; it is also a requirement of another important regulation, the General Data Protection Regulation (GDPR).
Therefore, you may need to restrict access to network jacks at your premises, keep visitors and unauthorized personnel out of certain areas, and shred any hardcopy materials when the records are no longer needed.
Track and Monitor All Access to Network Resources and Cardholder Data
Requirement 10 is about logging: record every access to system components and cardholder data (who, what, when, where, and whether it succeeded), keep the logs for at least a year with three months immediately available, and review them daily. Requirement 11.5 adds change detection: run file-integrity monitoring on critical system and application files so that tampering, such as a modified checkout template or an injected skimming script, shows up as soon as it happens rather than when the fraud reports arrive.
Monitoring systems should also alert you to unexpected changes to DNS configuration, TLS certificates, admin accounts, and other modifications inside your systems.
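The change-detection control above is simple enough to show end to end. The following is an added example written for this article, not Magento's own tooling or a PCI SSC tool: it hashes every file under a web root into a JSON baseline and, on the next run, reports files added, removed, or modified since. The directory layout, the `var` and `generated` exclusions, and the "compromise" in the demo are constructed assumptions modelled on Magento 2's layout, not evidence of any real incident.

```python
"""Baseline-and-diff file integrity check for a web root.

Added example for this article; not Magento's tooling or a PCI SSC tool.
PCI DSS v3.2.1 Requirement 11.5 asks for a change-detection mechanism on
critical files, compared at least weekly. This hashes every file under a
directory into a JSON baseline and reports files added, removed or
modified since, which is how an injected skimmer under pub/static or a
tampered checkout class shows up. Run it from cron and alert on any
change outside a planned deployment window.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from pathlib import Path

# Top-level directories that change legitimately at runtime (an assumption
# based on Magento 2's layout); they need a separate control.
SKIP_DIRS = ("var", "generated")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets don't hit memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str | os.PathLike, skip_dirs=SKIP_DIRS) -> dict[str, str]:
    """Map each file's POSIX-style relative path under root to its digest."""
    root = Path(root)
    baseline: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        if rel.parts and rel.parts[0] in skip_dirs:
            dirnames[:] = []  # don't descend into runtime directories
            continue
        for name in filenames:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def save_baseline(baseline: dict[str, str], path: str | os.PathLike) -> None:
    """Persist the baseline; keep this file outside the web root."""
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: str | os.PathLike) -> dict[str, str]:
    return json.loads(Path(path).read_text())


def compare(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Classify paths as added, removed or modified between two baselines."""
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny fake web root, tamper, re-scan."""
    with tempfile.TemporaryDirectory() as web, tempfile.TemporaryDirectory() as state:
        root = Path(web)
        (root / "app" / "code").mkdir(parents=True)
        (root / "pub" / "static").mkdir(parents=True)
        (root / "var" / "cache").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'app/bootstrap.php';\n")
        (root / "app" / "code" / "Payment.php").write_text("<?php // checkout v1\n")
        (root / "app" / "code" / "Helper.php").write_text("<?php // helper\n")
        (root / "var" / "cache" / "x.tmp").write_text("cache\n")
        baseline_file = Path(state) / "fim-baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulate what a compromise typically looks like on disk.
        (root / "app" / "code" / "Payment.php").write_text("<?php // checkout v1 + injected code\n")
        (root / "pub" / "static" / "skimmer.js").write_text("// injected\n")
        (root / "app" / "code" / "Helper.php").unlink()
        (root / "var" / "cache" / "x.tmp").write_text("changed, but ignored\n")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Store the baseline somewhere the web server account cannot write (and sign or hash it), otherwise an attacker who can modify the web root can update the baseline to match. Re-baseline only as part of a deployment, so that any diff outside a deployment window is an alert by definition.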
Perform Regular System and Processes Security Tests
Requirement 11 calls for quarterly external vulnerability scans by an ASV, quarterly internal scans, rescans after any significant change, and a penetration test at least once a year (and after significant changes). Thorough tests of this kind find the weaknesses attackers would otherwise find first. Keep your eCommerce platform on a version where the known vulnerabilities have been fixed by the vendor; otherwise the scans will keep failing.
Create an Information Security Policy
You need a documented security policy that lets you assess risks, governs how employees handle security measures, ensures that third-party software and service providers don't break PCI DSS requirements, and includes an incident response plan you can execute quickly after a breach.
Debunking eCommerce PCI Compliance Myths
Many eCommerce businesses think that PCI DSS compliance requirements don’t apply to them. Because of a number of myths, you might mistakenly be assured of the same. In this part, we are going to debunk the most popular myths about PCI compliant eCommerce.
Myth 1: I’m a small merchant with few transactions, so PCI DSS doesn’t apply to me
Are you processing one credit card payment a year? Congratulations! PCI regulations apply to you.
No business is too small to be breached. The PCI Security Standards Council recommends that small and medium companies complete the self-assessment questionnaire to confirm they meet the requirements. After a breach, even the smallest eCommerce business with a handful of transactions per year will be held responsible.
Myth 2: Third party processes all payments for us
Outsourcing card processing does not relinquish responsibility. Even if you don't process or store card data on your own servers, you must make sure the third-party service you work with is PCI compliant: ask for its Attestation of Compliance (AOC), check the card brands' service-provider lists, and keep a record of which requirements it covers for you (Requirement 12.8).
Moreover, even with a secure payment gateway you might accept orders over the phone. Then your staff handle full card numbers, which brings those workstations, and any call recordings, into scope and moves you off the simple SAQ A questionnaire.
Myth 3: After set up, we can forget about PCI compliance for eCommerce
This is probably one of the most dangerous beliefs. Many companies mistakenly think that eCommerce PCI compliance is a one-time event, and after they have passed it once, they don’t need to work on it anymore.
The current version of the standard, PCI DSS v3.2.1 released in 2018, states clearly that compliance is an ongoing, business-as-usual process: you must continuously identify and patch vulnerabilities and keep improving your network security.
If you don’t have in-house resources for this task, you can hire a vendor that will perform website and code audit regularly to guarantee security and protection from hacker attacks.
Myth 4: PCI takes too much effort and isn't really required
This myth is partially true, in that eCommerce PCI compliance is an ongoing process demanding a lot of attention to security. But the requirements are just the security practices any modern business should follow anyway.
Myth 5: PCI compliant eCommerce is a safe store
That’s not true since your store can be secure today and won’t be safe for customers tomorrow. Being a PCI compliant business means working on your security protocols every day. This way, you will be able to ensure that your website always remains safe and protected.
Myth 6: You need to meet only a few PCI DSS compliance requirements
Your company must meet all PCI DSS requirements. Failing even one makes you non-compliant, and after a breach you will be treated as such.
Myth 7: eCommerce PCI compliance allows storing any card information
In fact, the PCI Security Standards Council recommends not storing card data at all unless your business operations require it. Where you do store it, the standard is explicit: the primary account number (PAN) must be rendered unreadable wherever it is stored (strong encryption, truncation, tokenization, or hashing), and sensitive authentication data (full magnetic stripe or chip data, CVV2/CVC2 codes, PINs) may never be stored after authorization, even encrypted. The consequences of violating these rules can be severe and lead to your business being blacklisted from accepting cards issued by certain banks, which limits your payment acceptance and creates problems for customers.
eCommerce PCI Compliance: Concluding Thoughts
Being PCI compliant means being a safe business for your customers. Small and medium businesses often underestimate the need for eCommerce PCI compliance, even though violations bring hefty penalties. Even in the best case, a breach will cost you thousands of dollars and a series of audits.
If you don’t want to deal with all the regulations and make your website compliant yourself, you can always find a development company that will help you with the task.