blog logo
thumbnail

Maintaining PCI Compliance for Your Magento Store

Mark Hodge • November 7, 2014

Target. Home Depot. TJX Companies. What do they all have in common? Data breaches.

Data breaches can be debilitating to a company’s reputation and health. For example, the December 2013 data breach at Target resulted in a 46% decline in profits and cost the company $146 million in data breach-related expenses.[1] The business risks of security breaches are too great to ignore.

As a merchant, it is your obligation to maintain a secure environment for processing, storing, or transmitting your customers’ credit card data. The requirements to do so are outlined by the Payment Card Industry Data Security Standard, or PCI DSS. By following these requirements, your customers can have confidence that they’re proteclock2ted against the risks of data breaches.

An easy and cost saving solution for those on the Magento platform to remain PCI compliant is Magento’s Secure Payment Bridge.[2] This application is separate from the Magento Enterprise platform, which is beneficial because:

  • Only the application has to be compliant rather than the whole platform
  • You can update to a newer version of Magento Enterprise without affecting the compliance of the Secure Payment Bridge

Magento’s Secure Payment Bridge works by storing credit card information and sending a token to the Magento instance. This is secure because someone would need to know the token for a particular user along with the payment bridge credentials. If the payment bridge is ever compromised, you can setup a new instance which will generate new credentials to be used in the Magento instance. This ensures that credit card information is still secure.

The Secure Payment Bridge is certified by a Qualified Security Assessor (Trustwave), as required, and meets the following twelve requirements mandated by the PCI DSS:

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Use and regularly update anti-virus software
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security

While Magento Secure Payment Bridge adheres to the above requirements, it is important to note that the application must be implemented in a PCI DSS compliant environment. To learn more about PCI compliance, please visit: www.pcisecuritystandards.org

 

Mark Hodge is a Senior Applications Engineer at Lyons Consulting Group. Mark is an alum of DeVry University-Illinois where he earned his BS in Computer Science. Mark is also Magento Certified Developer Plus Engineer.

 

[1] Home Depot: Could The Impact Of The Data Breach Be Significant? (2014, September 24). Forbes. Retrieved from http://www.forbes.com/sites/greatspeculations/2014/09/24/home-depot-could-the-impact-of-the-data-breach-be-significant/

[2] PCI Compliance Requirements & Secure Payment Systems. (n.d.). Retrieved November 5, 2014.


Mark Hodge

About the author

Mark Hodge

Subscribe to our blog

Let's discuss the next step in your commerce journey.

XSchedule a meeting