According to the Baymard Institute, 18% of customers abandon a purchase because they do not trust the website with their credit card information. By adding a secure checkout to your Magento store, you can get those customers across the finish line.
However, a secure e-commerce checkout requires a long checklist that requires a multi-faceted security approach.
The good news? By complying with the Payment Card Industry Data Security Standard (PCI-DSS), you can check most of those boxes and gain buyer trust.
Read on to learn more about PCI-DSS, what it takes, and how to make your Magento store PCI compliant.
PCI-DSS 101
The Payment Card Industry Data Security Standard (PCI-DSS) is the set of security requirements that businesses must comply with in order to accept payments from the major payment card networks.
PCI-DSS requirements are defined by the PCI Security Standards Council (PCI SSC), which is comprised of American Express, Discover, JCB, Mastercard, and Visa.
Current PCI-DSS requirements can be found in the image below.
PCI Compliance: Merchant Level
PCI requirements are the same for all merchants, but compliance and audit processes vary depending on the number of transactions you process.
Here are transaction thresholds for each merchant compliance level that you can use to confirm your company’s position.
- Level 1 merchant
  - Over 6 million Visa, Discover, or Mastercard transactions annually.
  - Over 2.5 million American Express transactions annually.
  - Over 1 million JCB transactions annually.
- Level 2 merchant
  - 1 million to 6 million Visa, Discover, or Mastercard transactions per year.
  - 50,000 to 2.5 million American Express transactions per year.
- Level 3 merchant
  - 20,000 to 1 million Visa and Mastercard transactions per year.
  - 10,000 to 50,000 American Express transactions per year.
  - Fewer than 1 million Discover or JCB transactions per year.
- Level 4 merchant
  - Fewer than 20,000 Visa and Mastercard transactions per year.
  - Fewer than 10,000 American Express transactions per year.
Level 1 merchants adhere to the most stringent requirements and must be evaluated by a Qualified Security Assessor (QSA) to ensure compliance. Remaining merchants typically submit a self-assessment questionnaire (SAQ) to report compliance.
If a merchant is not PCI-DSS compliant and suffers a security breach, it can be fined up to $500,000 and lose the ability to accept the affected payment methods.
How does Magento address PCI compliance?
Magento is not automatically PCI compliant, as PCI-DSS covers more than just e-commerce platforms, from security to website hosting. However, since Magento does not store payment card data, you can take advantage of the rich options Magento offers to make your Magento store PCI compliant.
First, you can choose a payment gateway that takes most of the PCI compliance work out of your hands. Similarly, you can partner with a PCI-DSS compliant secure host to ensure that credit card data is always protected.
Let’s take a closer look at these and other best practices below.
Magento 2 PCI Compliance: Best Practices
Given PCI-DSS requirements, you need to ensure that cardholder data is protected throughout the checkout process in your Magento store. Here are some ways to accomplish that.
Make a Magento-compatible payment gateway the default
Payment gateways allow you to limit exposure to sensitive data. There’s less data to protect and manipulate, so you have less to worry about.
For example, you can offer PayPal Express Checkout, as Smartwool does: when the user clicks PayPal Checkout, a PayPal window opens in the browser, where the user enters their credit card details and completes the payment.
If you choose this method, you typically face simpler compliance requirements and can submit the basic SAQ A, because buyers interact directly with PayPal’s servers rather than with your site.
Although the above method simplifies the Magento compliance process, it is not the smoothest process for customers. They have to jump through multiple hoops just to pay you, which is something you don’t want if you want to improve your checkout process.
Instead, you can use a Stripe integration, as Formlabs does, to provide a seamless experience for cautious users. With Stripe, the payment form appears as part of the website, so users don’t have to switch to another tab or window to complete their purchase.
However, this method is a little more complicated to achieve compliance.
First, you must include a JavaScript (JS) file from Stripe (or another payment provider) on your checkout page so that card data is processed securely through Stripe’s API. If you wish to avoid using external JavaScript files, you must report compliance via SAQ A-EP, which has slightly more stringent requirements.
Second, your website must use a Secure Sockets Layer (SSL) certificate.
Add SSL certificate
SSL encrypts traffic between your web browser and your web server. In other words, an SSL certificate blocks malicious agents from eavesdropping on the information exchange between visitors and your web server on an open public network.
Therefore, if you require customers to enter their credentials through forms on your website, you must use SSL to be PCI-DSS compliant.
If you host your website with Nexcess, an SSL certificate is included for free with all hosting plans. Otherwise, you can purchase the SSL certificate you need at an affordable price.
Use PCI-compliant hosting
Meeting PCI-DSS requirements calls for things like robust firewalls, restrictive physical access policies, and regular network monitoring. However, because these requirements concern the infrastructure that stores and transmits customer data, they are typically handled by the hosting provider and cannot be met by you alone.
This means you need a web hosting provider that offers:
- Secure systems: Web hosting providers should take the necessary security precautions on their end, including checking for legacy code that could serve as a backdoor.
- Robust firewall: Firewalls monitor incoming and outgoing traffic and ensure that only authorized applications can access your system.
- Vulnerability management: Make sure your web host offers tools such as antivirus software that can scan for and remove malware without risking a data breach.
- Managed services: Managed hosting providers keep your website infrastructure updated to close security gaps.
- Limited access control: Hosting providers should restrict employee access to sensitive data and systems and allow it only when necessary. The host must also perform visitor logging and site-wide monitoring in the data center.
If you’re looking for such a host, check out Nexcess managed Magento hosting. As a certified Level 1 solution provider, we handle all hosting-side compliance requirements so you can work on your store stress-free.
Nexcess also provides support for PCI-DSS compliance reporting. You can ping us to obtain a copy of our SAQ D to submit with your report. You can also count on us to perform your quarterly Approved Scanning Vendor (ASV) scans.
Thorough security measures
With a payment gateway and PCI-compliant hosting, you’re pretty much good to go, but there are still a few things you’ll need to work on yourself.
First, restrict access wherever possible. Not every employee in the company needs access to all the data within the Magento website. Make sure only relevant parties have access to payment-related data.
Once that’s resolved, it’s time to implement a password policy.
- Use unique passwords: Avoid passwords like “password!” and “default”.
- Enable 2FA: Add two-factor authentication (2FA) to protect your website from phishing attacks.
- Set a password change reminder: Force admin users to change their passwords at least every 90 days.
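The HTTPS requirement above and the admin access, password and 2FA policy just listed both map to Magento 2 configuration values, so they can be audited together. The script below is an added example, not code from the original article, from Magento or from Nexcess: it takes a flat export of Magento config values (the sample export is constructed) and reports every PCI-relevant setting that is off, along with the `bin/magento config:set` commands that would fix it. The config paths are the Magento 2 `core_config_data` paths as I know them (`web/secure/*`, `admin/security/*`, `twofactorauth/general/force_providers`); verify them against your Magento version before relying on the output.

```python
"""Audit a Magento 2 configuration export for the checkout-security settings
discussed above: HTTPS on storefront and admin, admin password policy, and
forced two-factor authentication. Added example, not code from the original
article or from Magento/Nexcess. Config paths are Magento 2 core_config_data
paths as used with `bin/magento config:set` (verify against your version);
the sample export below is constructed."""

from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample export: {config_path: value}. Magento stores values as
# strings, so "1"/"0" are the boolean flags.
SAMPLE_CONFIG = {
    "web/secure/base_url": "http://store.example/",   # not https
    "web/secure/use_in_frontend": "0",                 # storefront still plain HTTP
    "web/secure/use_in_adminhtml": "1",
    "admin/security/password_lifetime": "180",         # rotation too infrequent
    "admin/security/password_is_forced": "0",          # change only "recommended"
    "admin/security/lockout_failures": "6",
    "twofactorauth/general/force_providers": "",       # 2FA not enforced
}


@dataclass(frozen=True)
class Rule:
    path: str
    ok: Callable[[str], bool]   # predicate on the stored string value
    expected: str               # human-readable description of a passing value
    fix: Optional[str]          # value to set, or None when it is site-specific


def _positive_int_at_most(limit: int) -> Callable[[str], bool]:
    return lambda v: v.isdigit() and 0 < int(v) <= limit


RULES = [
    # SSL/TLS: the secure base URL must be https and used for both storefront and admin
    Rule("web/secure/base_url", lambda v: v.lower().startswith("https://"), "https:// URL", None),
    Rule("web/secure/use_in_frontend", lambda v: v == "1", "1", "1"),
    Rule("web/secure/use_in_adminhtml", lambda v: v == "1", "1", "1"),
    # Password policy: rotate at least every 90 days, enforced rather than recommended,
    # and lock admin accounts after repeated failed logins
    Rule("admin/security/password_lifetime", _positive_int_at_most(90), "1..90 days", "90"),
    Rule("admin/security/password_is_forced", lambda v: v == "1", "1 (forced)", "1"),
    Rule("admin/security/lockout_failures", lambda v: v.isdigit() and int(v) > 0, "> 0", "6"),
    # 2FA (Magento 2.4+): force at least one provider for every admin user
    Rule("twofactorauth/general/force_providers", lambda v: v != "", "one or more providers", "google"),
]


@dataclass(frozen=True)
class Finding:
    path: str
    expected: str
    actual: str
    fix: Optional[str]


def audit_config(config: dict) -> list:
    """Return one Finding per rule whose stored value fails its predicate."""
    findings = []
    for rule in RULES:
        actual = (config.get(rule.path) or "").strip()
        if not rule.ok(actual):
            findings.append(Finding(rule.path, rule.expected, actual or "<unset>", rule.fix))
    return findings


def remediation_commands(findings: list) -> list:
    """bin/magento commands for findings that have a fixed correct value.
    Site-specific values (the base URL) are reported but not auto-fixed."""
    return [f"bin/magento config:set {f.path} {f.fix}" for f in findings if f.fix is not None]


if __name__ == "__main__":
    found = audit_config(SAMPLE_CONFIG)
    for f in found:
        print(f"{f.path}: expected {f.expected}, found {f.actual}")
    print("\n".join(remediation_commands(found)))
```

Run it against the output of `bin/magento config:show` (or a dump of `core_config_data`) rather than the constructed sample; the base URL finding is deliberately left for a human, since only you know the store’s canonical hostname.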
Finally, only use trusted extensions from the Magento Marketplace to power your website management, and keep them updated to avoid security vulnerabilities.
Final thoughts: 4 best practices to make your Magento 2 store PCI compliant
As a Magento 2 store owner, complying with PCI-DSS requirements can be difficult. But there’s definitely value in providing a secure checkout experience and building customer trust.
Nexcess offers PCI-compliant hosting that also provides scalability, performance, and 24/7 technical support. Explore Nexcess enterprise hosting for Magento today.