According to the Baymard Institute, 18% of customers do not go through with a purchase due to lack of trust in the website. But by adding secure checkout to your Magento store, you can move those customers past the finish line.
However, a secure e-commerce payment involves a long checklist that requires a multifaceted security approach.
The good news? You can check most of the checkboxes and earn your buyers’ trust by being compliant with the Payment Card Industry Data Security Standards (PCI-DSS).
Read on to learn more about PCI-DSS, what it requires, and how to make your Magento store PCI compliant.
Payment Card Industry Data Security Standards (PCI-DSS) refer to the security requirements that a business must meet to gain support from major payment card networks.
PCI-DSS requirements are defined by the PCI Security Standards Council (PCI SSC), which includes American Express, Discover, JCB, Mastercard, and Visa.
You can find the current PCI-DSS requirements in the image below.
PCI Compliance – Merchant Levels
While PCI requirements remain the same for all merchants, the compliance and audit process varies depending on the number of transactions they process.
Here’s the transaction threshold for each merchant compliance level, which you can use to see where your business stands.
Tier 1 Merchant: Over six million Visa, Discover or Mastercard transactions per year. More than 2.5 million American Express transactions per year. Over a million JCB transactions per year.
Tier 2 Merchant: Between one and six million Visa, Discover or Mastercard transactions per year. Between 50,000 and 2.5 million American Express transactions per year.
Tier 3 Merchant: Between 20,000 and one million Visa and Mastercard transactions per year. Between 10,000 and 50,000 American Express transactions per year. Less than a million Discover or JCB transactions per year.
Tier 4 Merchant: Less than 20,000 Visa and Mastercard transactions per year. 10,000 or fewer American Express transactions per year.
Tier 1 merchants must meet the most stringent requirements and be assessed by a Qualified Security Assessor (QSA) to ensure compliance. The remaining merchants typically submit a Self-Assessment Questionnaire (SAQ) to report compliance.
If a merchant is non-compliant with PCI-DSS and suffers a security breach, they can be fined up to $500,000 and may be subject to a suspension of payment method support.
How does Magento handle PCI compliance?
Magento is not automatically PCI compliant, because PCI-DSS covers more than the ecommerce platform itself: it spans everything from application security to website hosting. However, Magento does not store payment card data, so you can make your store PCI compliant by taking advantage of the many options Magento offers.
For starters, you can opt for a payment gateway that takes most of the PCI compliance work off your hands. Similarly, you can pair your store with a PCI-DSS compliant secure host to ensure that credit card details are always protected.
Let’s dive deeper into these and other best practices below.
Magento 2 PCI Compliance – Best Practices
Due to PCI-DSS requirements, you need to ensure that cardholder data remains protected throughout the entire checkout process in your Magento store. Here are some ways to achieve it.
Default to Magento compatible payment gateways
With payment gateways, you limit your exposure to sensitive data. With little data to protect and interact with, you have less to worry about.
For example, you can opt for a PayPal Express Checkout like Smartwool. When a user clicks on PayPal Checkout, the browser opens a PayPal window where they can enter their credit card details to pay.
If you choose this method, the buyer interacts directly with PayPal’s servers, so you can typically enjoy simpler compliance requirements and submit the Basic SAQ or SAQ A.
While the above method simplifies things on the Magento side, it is not the smoothest experience for customers. They need to jump through multiple hoops just to pay you, which is not what you want if you’re looking to improve the checkout process.
Instead, you can offer even cautious users a seamless experience with a Stripe integration like Formlabs. With Stripe, the checkout form appears as part of the website, so users don’t have to go to another tab or window to complete their purchase.
However, this method makes compliance a bit more complex to achieve.
Second, your website must use a Secure Sockets Layer (SSL) certificate.
Add an SSL certificate
SSL (today implemented by its successor, TLS) encrypts the traffic between the web browser and the web server. In other words, an SSL certificate prevents malicious actors from eavesdropping on the exchange of information between the visitor and the web server on open public networks.
So if you’re asking customers to enter their credentials via a form on your website, you need to use SSL to be PCI-DSS compliant.
If you host your website with Nexcess, you get a free SSL certificate with all hosting plans. Otherwise, you can buy an SSL certificate from Nexcess at an affordable price.
Use PCI compliant hosting
To comply with PCI-DSS requirements, you need a robust firewall, a restricted physical access policy, a regular network monitoring system, and much more. But you can’t meet all of these requirements yourself, as they involve protecting customer data in storage and in transit, which is typically handled by your hosting provider.
In short, you need a web host that offers:
Secure Systems: The web host should take the necessary security precautions, including reviewing legacy code for possible backdoors.
Robust Firewalls: A firewall monitors incoming and outgoing traffic and ensures that only allowed applications can access the system.
Vulnerability Management: Make sure the web host offers tools like antivirus software to scan for and remove viruses without the risk of a data breach.
Managed Services: A managed hosting provider keeps the website infrastructure up to date to close security gaps.
Restricted Access Controls: The hosting provider must restrict employee access to sensitive data and systems and only allow it as necessary. The host must also have visitor registration and site-wide surveillance in the data center.
If you are looking for such a host, check out Nexcess managed Magento hosting. As a certified Tier 1 Solution Provider, we handle all your hosting-side compliance requirements, so you can work in your store stress-free.
Nexcess also offers help with PCI-DSS compliance reporting. You can ping us for a copy of our SAQ D to send with your report. And you can also rely on us for quarterly scans from an Approved Scanning Vendor (ASV).
Enforce security measures
While payment gateways and PCI-compliant hosting cover most of the ground, there are still a few things you need to tackle on your own.
To get started, you need to restrict access based on your needs. Not every employee in your company needs access to all the data on your Magento website. Make sure only relevant people have access to payment related data.
Once that’s out of the way, implement a password policy:
Use unique passwords: Avoid passwords like “password!” and “default”.
Enable 2FA: Add two-factor authentication (2FA) functionality to protect your website from phishing attacks.
Set password change reminders: Require admin users to change passwords at least every 90 days.
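As an added example that is not part of the original article and is not Nexcess or Magento code: a small Python audit that reads the `path - value` lines printed by `bin/magento config:show` and flags settings that fall short of the secure-URL (SSL) and admin password policies described above. The configuration paths are Magento 2’s own secure-URL and admin security settings; the `config:show` output below is constructed for the example, and the thresholds (90-day lifetime, forced change, enforced 2FA provider, lockout enabled) are assumptions taken from this article’s policy.

```python
import re

# Constructed sample of `bin/magento config:show` output (path - value per line);
# assumed for this example, your store's real values come from running the command.
SAMPLE_CONFIG_SHOW = """\
web/secure/base_url - https://store.example/
web/secure/use_in_frontend - 0
web/secure/use_in_adminhtml - 1
admin/security/password_lifetime - 180
admin/security/password_is_forced - 0
admin/security/lockout_failures - 6
admin/security/lockout_threshold - 30
admin/security/use_form_key - 1
twofactorauth/general/force_providers - google
"""

def parse_config_show(text):
    """Turn `path - value` lines into a dict; values stay strings as Magento prints them."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+-\s+(.*)$", line.strip())
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg

# Each check: (config path, predicate on the string value, finding text).
# Thresholds are this example's assumptions based on the article's policy.
CHECKS = [
    ("web/secure/base_url", lambda v: v.startswith("https://"), "secure base URL is not https"),
    ("web/secure/use_in_frontend", lambda v: v == "1", "storefront does not force secure URLs"),
    ("web/secure/use_in_adminhtml", lambda v: v == "1", "admin does not force secure URLs"),
    ("admin/security/password_lifetime", lambda v: v.isdigit() and 0 < int(v) <= 90,
     "admin password lifetime exceeds 90 days"),
    ("admin/security/password_is_forced", lambda v: v == "1",
     "admin password change is only recommended, not forced"),
    ("admin/security/lockout_failures", lambda v: v.isdigit() and int(v) > 0,
     "admin account lockout is disabled"),
    ("admin/security/use_form_key", lambda v: v == "1", "secret key in admin URLs is disabled"),
    ("twofactorauth/general/force_providers", lambda v: v != "",
     "no 2FA provider is enforced for admin users"),
]

def audit(cfg):
    """Return the list of findings; an empty list means every check passed."""
    findings = []
    for path, ok, msg in CHECKS:
        value = cfg.get(path)
        if value is None:
            findings.append(f"{path}: not set ({msg})")
        elif not ok(value):
            findings.append(f"{path}={value}: {msg}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_config_show(SAMPLE_CONFIG_SHOW)):
        print("FAIL", finding)
```

Run it against the real output of `bin/magento config:show web/secure` and `bin/magento config:show admin/security` (plus `twofactorauth/general`) to get a checklist you can keep with your SAQ evidence.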
Finally, step up your website management game by using only reputable extensions from the Magento Marketplace and keeping them updated to avoid known security vulnerabilities.
Final Thoughts: 4 Best Practices to Make Your Magento 2 Store PCI Compliant
As a Magento 2 store owner, meeting PCI-DSS requirements can be a struggle. But it definitely pays to offer a secure payment experience and build trust among your customers.
At Nexcess, you’ll find a PCI-compliant host that also offers scalability, performance, and 24/7/365 technical support. Enroll in Nexcess business hosting for Magento today.