Can You Store Customers’ Credit Cards in Magento?

The question of whether you can store credit card information within Magento comes up a lot. Unfortunately, the answer is not very clear when you look for it elsewhere, including on the Magento website. To answer it properly, a few things need to be understood: PCI-DSS compliance, PA-DSS compliance, and the difference between them.

What is PCI-DSS?

PCI-DSS covers the compliance of your entire online environment, which includes your systems, practices, software, etc. It is the standard you are required to meet in order to process payments on your own site. A software application can never be “PCI compliant” by itself. Magento IS PCI-DSS compliant when the rules of PCI-DSS are followed, which include:

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

What is PA-DSS?

PA-DSS is a standard for *software applications* that handle payment processing. It was designed to provide the definitive data standard for software vendors that develop payment applications, so that those applications store cardholder data securely and are prevented from storing prohibited cardholder data (full magnetic stripe contents, CVV2 codes, PINs, etc.).

PCI-DSS and PA-DSS Compliance

PCI DSS standards apply to every merchant who accepts payment via credit cards. There are various rules regarding the securing of credit card information depending on whether you record it on paper, on a computer, or both, and physical security rules also apply if you have credit card terminals.

PA-DSS is the certification required for commercial applications that process credit cards. This requirement falls on the software developers, not the merchants.

An application can be PA-DSS compliant, but the environment may or may not be PCI compliant.

By using a third-party plugin or service provider whose software and systems ARE PA-DSS compliant and that store cardholder data on external systems (Magento Payment Bridge included), you remove the PA-DSS requirement from Magento itself and make it possible to be PCI-DSS compliant. This holds true if and only if all of the systems and networks the cardholder data traverses are protected. In other words, let’s say that your Magento store isn’t storing cardholder data, but is instead using a PA-DSS compliant third party. Let’s then say that the connection between your Magento store and the third party is not encrypted, or that you have debugging enabled for the payment gateway. In such cases, you would NOT be PCI compliant.

Is Magento PA-DSS Compliant?

Magento by itself is NOT a PA-DSS certified application. To be clear, Magento does have the built-in ability to store cardholder data in its own database, but you will never be PA-DSS compliant in doing so, which in turn prevents you from being PCI-DSS compliant. The Magento application (at any level: CE, PE, EE) has not been PA-DSS certified. Remember, PA-DSS applies to the software only, not the infrastructure. Storing cardholder data in a non-PA-DSS compliant application like Magento will invalidate PCI compliance.

If you do want to store credit card data for any length of time, even for only a few minutes, you must use either Payment Bridge or a third-party plugin / service which is PA-DSS compliant and stores the cardholder information on its own servers for later retrieval. In addition, the entire flow of cardholder data must be secured. This means all debugging must be off and the connections carrying cardholder information must use some form of SSL/TLS.
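Added example (not from the original post): a small Python scanner for the debugging failure described above. Gateway debug logging writes the raw request to disk, so a quick check for card numbers in the log tells you whether cardholder data has already leaked into a file that was never supposed to hold it. It looks for 13 to 19 digit runs that pass the Luhn check; the log lines are constructed samples and use well-known test card numbers.

```python
import re
from typing import List, Tuple

# Constructed sample of what a gateway debug log can look like once debugging
# is left on. The card numbers are standard test numbers, not real accounts.
SAMPLE_LOG = """\
2013-04-02T10:15:01 gateway request: x_card_num=4111111111111111&x_exp_date=1215&x_card_code=123
2013-04-02T10:15:02 gateway response: approved, ref 123456789012
2013-04-02T10:16:40 order 100000042 placed, token tok_7f3a9c
2013-04-02T10:17:00 gateway request: x_card_num=5500000000000004&x_amount=19.99
"""

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run
CANDIDATE = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for every syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid digit run in the text."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                # report only first six and last four, so the scanner itself does not re-leak the PAN
                hits.append((n, digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    return hits


if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_LOG):
        print(f"line {line_no}: possible card number {masked}")
```

Any hit means that log file is now cardholder data and in scope; the same scan applies to a database export after saved cards have been purged.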

Magento PCI Compliance

Magento Enterprise Edition

Magento Secure Payment Bridge is the easiest way to make your Magento website PCI compliant. The solution is separate from the Enterprise platform, so you don’t need your whole website to be compliant. You can therefore update your ecommerce store without affecting the compliance of the Bridge.

The Bridge stores the credit card data and sends a token to the Magento instance. The token keeps your system secure, as the payment bridge credentials alone are not enough to gain access to customer data. If your payment bridge is threatened, you just need to set up a new instance and obtain new credentials, and the credit card information remains secure.

Although the Secure Payment Bridge application meets the PCI requirements above, it is not enough to make your Magento website absolutely secure, since the app must be installed in a PCI DSS compliant environment.
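Added example (not from the original post, and not the Payment Bridge’s actual API): a Python model of the split the Bridge introduces, so you can see which side holds what. The vault keeps the card numbers and issues tokens; the store keeps tokens and the last four digits, and its credentials can only charge a token, never read a card number. Class and method names are assumptions for illustration.

```python
import hmac
import secrets
from typing import Dict, List, Tuple


class BridgeVault:
    """Model of the vault side: the only place a full card number lives (hypothetical API)."""

    def __init__(self) -> None:
        self.api_key = secrets.token_hex(16)      # credentials handed to the store
        self._cards: Dict[str, str] = {}          # token -> card number

    def tokenize(self, card_number: str) -> Tuple[str, str]:
        """Keep the card number here and hand back an opaque token plus the last four digits."""
        token = "tok_" + secrets.token_hex(12)
        self._cards[token] = card_number
        return token, card_number[-4:]

    def charge(self, api_key: str, token: str, amount: float) -> bool:
        """Charge by token. The card number is used here and is never returned to the caller."""
        if not hmac.compare_digest(api_key, self.api_key) or token not in self._cards:
            return False
        return amount > 0   # stand-in for the processor call (assumption: always approved)

    def rotate_credentials(self) -> str:
        """Issue fresh credentials: the old key stops working, stored tokens stay usable."""
        self.api_key = secrets.token_hex(16)
        return self.api_key


class StoreOrders:
    """Model of the Magento side: keeps tokens and last four digits, never card numbers."""

    def __init__(self, vault: BridgeVault) -> None:
        self.vault = vault
        self.api_key = vault.api_key
        self.orders: List[dict] = []

    def place_order(self, card_number: str, amount: float) -> str:
        token, last4 = self.vault.tokenize(card_number)   # card number crosses to the vault once
        self.orders.append({"token": token, "last4": last4, "amount": amount})
        return token

    def capture(self, token: str) -> bool:
        order = next(o for o in self.orders if o["token"] == token)
        return self.vault.charge(self.api_key, token, order["amount"])

    def holds_card_data(self, card_number: str) -> bool:
        """Audit helper: does any stored order field contain the full card number?"""
        return any(card_number in str(v) for o in self.orders for v in o.values())
```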

Magento Community Edition

Unfortunately, Secure Payment Bridge is not compatible with this edition, but there are several ways to make your Magento website PCI compliant:

You can use third-party payment methods, for example PayPal Express, Authorize.net, etc.

If you choose this option you won’t have to be PCI compliant yourself, because you don’t store credit card information on your server. You do have to consider that your customers will be redirected to the payment processor’s site and have to leave your website, which might be inconvenient and interrupt the buying process.

Magento’s Saved Credit Card Option

Again, let me first start off with the fact that this is not a PCI-compliant solution. It’s not ideal. I’d say that this is for emergencies only. And it might even be too risky for your company.

Magento Store Credit Card Option

But if a payment gateway goes down completely and you’re not able to take orders, my recommendation is to do a temporary bypass and turn on the Saved Credit Card Option.

Then, you can use a virtual terminal or other means to manually run the credit card for each order later.

Normally, the saved credit card option is something we use just for testing. It’s not as secure as using a payment gateway, and it most likely goes against the merchant agreement that you signed.

But if a payment gateway like Authorize.net is down, my recommendation is to turn this on, save the credit card numbers on the site, and then run them when you are able.

You’ll then want to remove the stored credit cards from the server afterwards, to mitigate the risk of holding credit card numbers.