Magento CE, PCI compliance?

Associate
Joined
5 Dec 2007
Posts
1,217
Can anyone help me out? I want to use Magento Community Edition to sell things online, yet it doesn't have PCI compliance. I was going to buy a SagePay add-on which is meant to be compliant, but isn't PCI compliance server-side, etc.?

I'm pretty confused, as I know I need to be PCI compliant to accept web payments, right? Yet I don't want to pay $3k for Magento EE.

Any help would be very much appreciated.
 
Associate
Joined
19 Jun 2003
Posts
1,680
Location
West Yorks, UK
As I understand it, a large part of PCI compliance is not storing credit card details on your server. The SagePay add-on should just pass the credit card details through to SagePay for authorisation, and won't store them on your server. That should mean you are OK I believe.

Obviously, PCI compliance is much more than that, but from what you're hinting at, your SagePay add-on shouldn't compromise you.
 
Associate
OP
Joined
5 Dec 2007
Posts
1,217
Thanks feenster. After looking into it more, it looks like what you said is correct. As long as you have a payment gateway to another server it's all OK.
 
Permabanned
Joined
12 Jul 2011
Posts
584
It's very simple: you sign up to a compliance company like SecurityMetrics, who we use, and they scan your office connection and websites for compliance issues and then give you a report telling you what to fix.

You also fill in a questionnaire about your storage, use and transmission of data.

It's really simple, and using SagePay (god help you!) with Magento will cover most bases straight off.
 
Associate
OP
Joined
5 Dec 2007
Posts
1,217
> It's very simple: you sign up to a compliance company like SecurityMetrics, who we use, and they scan your office connection and websites for compliance issues and then give you a report telling you what to fix.
>
> You also fill in a questionnaire about your storage, use and transmission of data.
>
> It's really simple, and using SagePay (god help you!) with Magento will cover most bases straight off.

Cheers for the reply. How long does it usually take once you send off the forms? I'm thinking about using Google Checkout because I don't think I have enough time for PCI compliance.

BTW, what's the deal with SagePay? :)
 
Permabanned
Joined
12 Jul 2011
Posts
584
SagePay are horribly unreliable; Google will tell you all you need to know there!!!

PCI compliance can be done in 24 hours or less; the forms are filled in online, and the scans can be done any time from then and only take a few hours.
 
Associate
OP
Joined
5 Dec 2007
Posts
1,217
> SagePay are horribly unreliable; Google will tell you all you need to know there!!!
>
> PCI compliance can be done in 24 hours or less; the forms are filled in online, and the scans can be done any time from then and only take a few hours.

Hmm. Who would you recommend for a gateway?

Can I still be PCI compliant with Magento CE, as it isn't PCI compliant software? I would then need an SSL certificate too, wouldn't I? I understand you should only put it on a few pages so it doesn't slow down the site? I don't know how to do that and can't afford to pay someone. I know Global Gold (who will host on a VPS) want £70 an hour to alter ports for PCI compliance.
 
Permabanned
Joined
12 Jul 2011
Posts
584
Er, anyone other than them!!! We use HSBC and Streamline for ours (we have 2).

There is no such thing as PCI compliant software, only a compliant system with compliant integrated payment, be it on-site or off-site.

You need an SSL cert regardless if ANY personal info is entered on your site; that includes things like name, address etc. for registering, and of course passwords.

Magento is VERY resource hungry; find a host who knows what they are doing to keep it running quickly.
 
Associate
OP
Joined
5 Dec 2007
Posts
1,217
> Er, anyone other than them!!! We use HSBC and Streamline for ours (we have 2).
>
> There is no such thing as PCI compliant software, only a compliant system with compliant integrated payment, be it on-site or off-site.
>
> You need an SSL cert regardless if ANY personal info is entered on your site; that includes things like name, address etc. for registering, and of course passwords.
>
> Magento is VERY resource hungry; find a host who knows what they are doing to keep it running quickly.

Thank you so much for your help; I really appreciate it.

I was going to go with the £24.99 p/m found HERE. What do you think?

So to be PCI compliant I'm looking at an SSL cert, plus a scan, plus paying Global Gold for a few hours' tinkering, then submitting the 2 documents. I think I'm tier 4, class 1.

It's a lot of extra expense that I don't really want to pay for at this moment in time :(
 
Permabanned
Joined
12 Jul 2011
Posts
584
I'd speak to TSOHost if I were you; I've got no affiliation to them other than being a long-standing happy customer.

Speak to your merchant account provider about PCI compliance, as many have an affiliation with scanning companies, so it only costs £20 or so for the first year's compliance.
 
Ev0
Soldato
Joined
18 Oct 2002
Posts
14,152
Just be thankful you're not an issuer trying to be PCI compliant ;)

Scary costs and amounts of work involved for that.
 