blog logo
[ultimatesocial count="true" networks="linkedin,facebook,twitter" url="" skin="minimal"]

A New Frontier in PCI Compliance in Magento 2.0

Charles Kain • March 30, 2016

By Charles Kain, senior technical architect
payment security, pci compliance







Magento has a strong history with PCI awareness, which is now stronger than ever with the release of Magento 2.0. The eCommerce platform’s newest version takes a big step toward better support and flexibility in managing payments, making platform implementations highly scalable and customizable for eCommerce retailers. This flexibility sets the stage for a new frontier of security and agility.Let’s take a look at what’s new regarding PCI in Magento 2.0.

Let’s take a look at what’s new regarding PCI in Magento 2.0.

What Is PCI?

PCI stands for Payment Card Industry Data Security Standard (PCI DSS), shortened to just PCI. Simply put, PCI ensures the safety of all financial transactions. This goes for any retailer that accepts credit cards, regardless of whether they’re eCommerce or brick and mortar.

We don’t need to stress the importance of ensuring safe financial transactions online. You’re probably aware of the consequences a security breach can have on your business. Besides hefty fines or settlements, one of the biggest fallouts to PCI noncompliance is the lost trust customers have in your business.

A key ingredient in establishing and maintaining trust is to ensure your website is PCI compliant. While PCI compliance extends beyond your platform code—all the way to server and business security practices—we’re only going to focus on PCI compliance as it relates to Magento’s code base. If you want to address your full PCI concerns outside the code base, you should work closely with your platform implementation and hosting teams to ensure you achieve the desired level of compliance.

A New Approach to PCI Compliance in Magento 2.0

Magento 2.0 takes a big step toward greater flexibility by moving away from the all-encompassing Payment Bridge PCI compliance solution. Magento 2.0 improves how it manages internal payment methods such as hosted order pages (HOP) and transparent redirects. This new approach is much more agile, adaptable, and scalable. It will enable your implementation teams to tailor their solutions to meet your specific business needs.

While greater flexibility in managing payments is an improvement in Magento 2.0, it does present a risk. If your approach isn’t properly structured, it’s possible you’ll deviate from PCI compliance best practices. To mitigate this, you should pay special attention to how you architect payment steps on your eCommerce website, with emphasis on following a PCI compliant approach.

Some Things Remain the Same

Even though Magento 2.0’s new code base offers flexibility, default payment methods still provide only the basic services for the most part. Additional features, such as partial capture and online refunding, are typically outside the code base offering. As with Magento 1, you should establish with your implementation team what payment services are needed, then ensure they move in a PCI-aware direction. Before you upgrade to Magento 2.0, you can take advantage of third-party extensions that leverage Magento 2.0’s new payment method features, which is worth investigating for the cost and time savings during platform implementation.

Using an HOP for payment services (where a third-party service hosts the payment collection web page outside the platform) remains a PCI compliant approach in Magento 2.0. Other hosted methods, such as PayPal Express Checkout, solidly support a transparent redirect method in which customers are removed from the eCommerce platform entirely, yet briefly, during payment collection. Either approach is perfectly acceptable and will need to be developed with PCI awareness in mind.

Customization Brings Complexity

Many payment solutions start out as PCI compliant only to slip as customizations are applied. When developing customizations to support added functionality and exceptions, it’s critical—especially with payment methods—to develop the architecture based on your business needs and let that guide the entire process. Without a complete architecture to guide the process, you’re much more likely to deviate from a PCI-aware path. As a bonus to this approach, you’ll have well-documented, PCI-compliant practices to guide future growth of your eCommerce website. As much as possible, document and address every customization early on to maintain PCI compliance throughout the process.

To the New Frontier!

The new PCI approach in Magento 2.0 offers a long-term strategy for improving eCommerce payment methods for years to come. Don’t be fooled by the greater initial effort needed to implement and host the platform. Ultimately, this effort will place your eCommerce platform in a more secure, flexible, and scalable position.

What other aspects of Magento 2.0’s new payment methods features have you noticed?

Charles is a senior technical architect at LYONSCG eCommerce Implementation team. He leads discovery and refinement processes for client requirements, develops scalable enterprise solutions to fit client needs, and acts as a primary technical lead for projects. Charles is a Magento Certified Developer and has several patents in the knife industry for products he has invented.

Charles Kain

About the author

Charles Kain

Subscribe to our blog

Let's discuss the next step in your commerce journey.

XSchedule a meeting