What you need to know about PCI DSS Compliance.

May 17 2019 | PayPal editorial staff

One of the biggest challenges facing small businesses is responsible and secure handling of customer data and payment transactions.
Proper handling is a business requirement, and if efforts fall short, you run the risk of exposing private information should your payment systems be breached by online criminals.
To help businesses reduce risks around data protection and security, the payments industry established the Payment Card Industry Security Standards Council (also known as PCI SSC or the PCI Council) and PCI DSS. PCI DSS:
  • Requires any organization that handles card information to follow strict security practices designed to protect customer information.
  • Applies to all businesses that store, process, or transmit cardholder data.
  • Covers all payment channels, including retail sales at brick-and-mortar locations, mail and telephone orders, and ecommerce.
Penalties for noncompliance can be substantial, and small businesses don’t get any leniency. Following PCI DSS requirements offers the added benefit of helping to make sure your infrastructure is secure: the process can help you close any security loopholes in your business, providing greater protection over the long term. There are six main areas covered by PCI compliance:
1. Build and maintain a secure network.
Building a secure network can be more complicated than it seems, since your business is likely using complex, distributed, cloud-based networking to manage customer data and payment transactions. To comply with PCI DSS, any network that handles cardholder data must be segmented – that is, kept separate from other systems, such as internal email. The network must also maintain different firewall rule sets and configurations for databases housing credit cardholder information.
The same challenges exist for managing passwords of devices such as routers. Changing passwords often, and creating complex passwords, seem like easy security tasks – yet password mismanagement remains one of the most common ways that businesses’ networks are compromised.
2. Protect cardholder data.
PCI DSS requirements go into great detail about what constitutes cardholder data and how it must be protected when it leaves your business’s networks. One of the best strategies to protect cardholder data is to avoid storing it on your networks at all. If you must store it, reduce the number of places where information is stored and limit the number of points where it could be accessed.
In addition, data must be encrypted whenever it travels and wherever it is stored. This typically requires using strong cryptography, as well as tools to manage encryption keys and keep encryption up to date.
PCI DSS calls for using strong cryptography and security protocols, such as TLS, SSH, or IPSec to protect sensitive cardholder data during transmission over networks, such as the internet, wireless and cellular technologies, and satellite communications.   
3. Create a vulnerability management program.
Malware can wreak havoc by taking advantage of vulnerabilities in operating systems and software. Once they find a way into your network, attackers will look for software vulnerabilities and system misconfigurations to exploit.
To help prevent cyberattacks, your operating systems and other software must be kept up to date. Install every software patch as soon as it's available, as well as anti-malware signatures for any anti-virus software your business is running. For customized software, as well as software developed in-house or by a third party, PCI DSS requires secure development and coding techniques to be in place.
4. Implement strong access control measures.
The access control requirements of PCI DSS call for careful management of the people who have access to resources in your business. To comply with PCI DSS, your business should restrict access rights to sensitive data using the fewest privileges necessary for each user’s specific job function. You must also document these access controls via written policies, including the specific privileges you’re granting to users.
5. Monitor and test networks regularly.
Once you implement strong access controls, you’re ready to monitor your systems to make sure the controls are working. Establish processes that track access to system components, and create automated audit trails. You'll also need to monitor access to those audit trails, all system logins, and failed login attempts.
Finally, with all of these PCI DSS processes in place – access controls, systems monitoring, vulnerability management, secure coding practices, encryption, and properly segmented networks – make sure that all of these technologies and procedures are running smoothly. Network security controls need to be tested and updated frequently, along with the proper use of network, host, and intrusion prevention systems.
6. Develop an information security policy.
Finally, you must maintain a policy that addresses information security for employees and contractors. An effective security policy informs employees what is expected of them when it comes to protecting cardholder or other sensitive data. The policy also provides your IT department with clear security instructions and objectives. You’ll need to use this written policy to educate people when they’re hired, and to remind them of rules on an annual basis. You must also verify that the policy is available to all relevant users, including vendors, contractors, and business partners.
Lastly, if cardholder data is shared with service providers, you must create and maintain policies regarding how you manage these relationships and the service providers’ access to cardholder data.
Let PayPal help with data security.
PayPal uses the latest technologies to streamline transactions while implementing methods to help secure card data. If you use PayPal to process credit cards, your customers’ sensitive transaction data never touches your company's servers, helping reduce your PCI DSS compliance requirements.
Learn more about PCI DSS.
For a more detailed look at the basics of PCI DSS compliance:
The contents of this site are provided for informational purposes only. You should always obtain independent, professional accounting, financial, and legal advice before making any business decision.

Frequently asked questions.

Magento has announced that it is ending support for all versions of its Magento 1 ecommerce platform, including all future quality fixes and security patches, as of June 30, 2020.

You must migrate to Magento 2 or another platform before June 30, 2020, if you are currently integrated with Magento 1.
Consequences of not migrating:
  • Increased risk of data breaches, with possible damage to your brand and reputation.
  • Exposure to becoming a security target, without any upgrades or security patches.
  • Falling out of compliance with Payment Card Industry Data Security Standards (PCI DSS). These global standards are set by card entities and apply to all merchants that process payments.
Requirement 6 of the PCI DSS requires merchants to "develop and maintain secure systems and applications by installing applicable vendor-supplied security patches." Without future security patches, Magento 1 merchants will no longer be able to meet this requirement, which could result in costly and time-consuming remediation.

This is not a PayPal-specific requirement. PCI DSS requirements apply to your integrations with card payment brands, such as Visa, MasterCard, American Express, Discover, JCB, and any other payment processor on the Magento 1 platform. Visa has stressed that urgent action is required for merchants to migrate from Magento 1 and advised merchants to be aware of their responsibilities in securing their environment to help prevent the loss of payment card data. 

Please review the Magento Commerce Software End of Support FAQ here.
Migrate now to Magento 2 or another Partner.

What do I need to do?

If you are currently using Magento 1, you must do one of the following by June 30, 2020:

Migrate to the Magento 2 platform

Or migrate to another platform

  • See our Partners page for a list of system integrators and e-commerce solution providers.


Q: Which versions of Magento 1 are impacted?

A: All versions of Magento 1 are impacted, including Magento Commerce 1 (formerly known as Enterprise Edition) and Magento Open Source 1 (formerly known as Community Edition).

Q: What happens if I continue using Magento 1 after June 30, 2020?

A: On July 1, 2020, your Magento 1.x platform will no longer be supported by Magento, which includes providing security patches critical to maintaining compliance with the Payment Card Industry Data Security Standards (PCI DSS). The global PCI DSS standards require each entity to “develop and maintain secure systems and applications by installing applicable vendor-supplied security patches.” Because Magento is no longer providing security patches, your integration may become more vulnerable to attacks, potentially resulting in impacts on your brand reputation, as well as potential financial impact. 

This is not a PayPal-specific requirement. PCI DSS requirements apply to your integrations with card payment brands, such as Visa, MasterCard, American Express, Discover, JCB, and any other payment processor on the Magento 1 platform. Visa has stressed that urgent action is required for merchants to migrate from Magento 1 and advised merchants to be aware of their responsibilities in securing their environment to help prevent the loss of payment card data.  
Magento Association, a separate entity from Magento, has published the following links providing merchants additional information and resources around the call to action for the upcoming June 30th deadline.   
  1. Magento 1 EOL Blog Post 
  2. Magento 1 Post-EOL resources 

Please review the Magento Commerce Software End of Support FAQ here.

Q: If I get the security patches, does that mean I’m compliant? 

A: The security patches are one step toward meeting PCI compliance but do not necessarily equal PCI compliance. We strongly encourage migration from Magento 1 before July 1.

Steps you can take to ensure business continuity and no risk to your business or cardholders include migrating off Magento 1 or ensuring that the security patches are applied, along with other actions such as passing PCI reviews with a Qualified Security Assessor (QSA).

Q: What is the cost of migrating to Magento 2?  

A: It depends on the size of your site and the complexity of the build.  We recommend reaching out to Magento. You may also contact System Integrators to discuss pricing options. 

Q: How long does it take to migrate to Magento 2 or a new platform?  

A: This depends on the requirements of your site and the ecommerce platform you’re choosing to move to. Migration can take anywhere from a matter of weeks to several months. We recommend kicking off your migration project as soon as possible.

Q: What is the cost of the other platforms?  

A: It depends on the size of your site and the complexity of the functionality you want to develop.  You will need to contact the one that is the right fit for your business.  

Q: Does this only affect PayPal merchants?

A: No, all payment processing companies, including Visa, are following the same guidance and urgently advising their Magento 1 merchants to migrate to Magento 2 or another platform.

Q: How do I validate my PCI compliance?

A: The PCI Security Standards site provides a Self-Assessment Questionnaire (SAQ) that you can complete to validate your PCI compliance. One of the requirements of the SAQ form is to install vendor-supplied security patches within one month of release. Because Magento is no longer providing security patches after June 30, 2020, you will no longer be able to comply with Requirement 6, stating that you "develop and maintain secure systems and applications by installing applicable vendor-supplied security patches".

Q: Is there a chance the date will extend beyond June 30, especially given the COVID-19 situation?

A: No, Magento has already extended the deadline 18 months from November 2018 to give merchants time to upgrade. Magento has confirmed that they will stop all support for Magento 1 as of June 30, 2020.

Q: If PayPal processes my card data, do I still need to comply?

A: Yes, even if you outsource part of your PCI DSS compliance to PayPal, you are still required to install security patches within one month of release, which will no longer be possible after June 30, 2020. In addition to these patches, merchants are responsible for meeting all requirements of their PCI DSS compliance.

Q: What resources are available to help me maintain PCI compliance?

A: PayPal has engaged with select System Integrator Partners to help you migrate to Magento 2.

Q: What are the alternate ecommerce solutions?

A: If you’re looking for alternate solutions, you can review our list of Ecommerce Solution Partners.

Q: Is PayPal providing migration support?

A: If you are based in the United States, you can apply for help to finance the move to Magento 2 Commerce Cloud through the Magento Migration Loan, a type of LoanBuilder Loan*, made available through PayPal.
* The lender for LoanBuilder Loan is WebBank, Member FDIC. This is an invitation to apply and not an offer or commitment to provide capital. Applicants must satisfy certain requirements to be eligible. WebBank is not affiliated with the offer to receive a full credit on the cost of financing and the credit is not part of your credit agreement with WebBank.

Q: What other resources are available?

A: You may find additional information from Magento at:
In order to complete an SAQ, we recommend you enroll with a Qualified Security Assessor (QSA).  At PayPal Powered by Braintree, we strive to make your compliance validation process as easy as possible, and have therefore covered the cost associated with validating PCI DSS compliance through SecurityMetrics, our independent QSA partner. If you need help filling out the SAQ, PayPal Powered by Braintree will also cover the cost of technical support provided directly by SecurityMetrics. However, you may choose to validate compliance through a QSA other than SecurityMetrics.

Within 30 days of signing up with PayPal powered by Braintree, you will receive an email explaining how to create your account with SecurityMetrics. You will have to create a SecurityMetrics account to enroll -- this is separate from your existing PayPal or Braintree login and is subject to the SecurityMetrics terms of use.

How do I start the SAQ process with SecurityMetrics?

We will send you an email within 30 days of signing up that will include all of the information you need to enroll in SecurityMetrics. You may wish to add the email address PPpbBTMerchantPCI@paypal.com to your email whitelist to ensure you receive it in your inbox. If you don’t receive the email within the 30-day window, you can email us at the same address for further assistance.
Once you have the email, follow these steps to enroll with SecurityMetrics:
  1. Go to the SecurityMetrics PayPal powered by Braintree page.
  2. Click Sign Up and enter the email address associated with your PayPal powered by Braintree account.
  3. Verify your email address.
  4. Review and accept the Terms of Use.
  5. Continue through the wizard and complete the questionnaire about your credit card processing.

What if I’ve already validated my compliance with a different QSA partner, do I still need to enroll with SecurityMetrics?

If you choose to validate compliance through a QSA other than SecurityMetrics, please provide proof of validation no later than 60 days from the date of this notice by sending your Attestation of Compliance (AOC) to PPpbBTMerchantPCI@paypal.com.
PayPal has two gateway options that give you different levels of customization for your online checkout pages.

Payflow Link is cost-efficient, PCI-compliant, and works with your existing merchant account. At checkout, your customers enter their payment details on a secure, PCI-compliant template hosted by PayPal. You can choose to integrate our embedded template (which sits right in your website), or you can choose a customizable full-page template. All templates include PayPal and PayPal Credit, so your customers have more options to pay. Payflow Link has no setup or monthly fees.

Payflow Pro is a fully customizable gateway, so you can build a checkout experience as unique as your business—from language and layout to page sequence and PCI compliance options. You can add a PayPal button to help drive more sales, or use our hosted pages and offer PayPal Credit, too. Payflow Pro has a $99 setup fee and a monthly fee of $25.

There are optional features such as additional fraud protection, recurring billing and buyer authentication. Click here to see pricing.
Yes. Your organization is responsible for ensuring that PCI standards are met for all electronic donations, regardless of dollar amount or number of transactions. However, if your organization uses PayPal Payments, the PCI burden is lessened, because all financial transactions take place on PayPal’s secure servers. For PayPal transactions, your organization won’t have access to or be responsible for sensitive transactional data.
