Your customers pay on your Magento ecommerce website with credit cards, debit cards, wallets or net banking, and it is your duty to keep this sensitive information safe. To make sure merchants actually put that effort in, the Payment Card Industry (PCI) has created a compliance policy.
PCI compliance is implemented when all of the following conditions are met:
- Install a firewall to protect debit/credit card information.
- Protect stored debit/credit card information and cardholder information.
- Encrypt cardholder data whenever it is transferred across public networks.
- Install antivirus software and keep it regularly updated.
- Any software or extension you develop must be built securely.
- Access sensitive information only where there is a business need to know.
- Restrict physical access to cardholder information.
- Assign a unique ID to every person who can access data.
- Monitor all access to network resources and card information.
- Regularly test information security systems and processes.
- Maintain an information security policy.
These conditions make up the Data Security Standard of the PCI compliance policy.
Magento 2 lets you either host payment forms on your website or use direct API posts to perform a transaction. Both methods keep cardholder data out of your Magento installation, which is how they support PCI compliance on your website.
The hosted payment forms method uses payment forms provided by the payment gateway service provider. These forms are reachable only during checkout and are not hosted by your Magento installation.
The direct post method sends the sensitive information straight to the payment gateway without storing any card data on Magento.
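The difference between the two flows is easiest to see in code. The following is an added example, not code from the original article or from Magento or any real payment gateway: it simulates a checkout where card data is posted to the merchant's own server beside one where the browser posts to a stand-in gateway and the merchant only ever receives a token. It then runs a Luhn-based scanner over the merchant-side record (the kind of check you would point at logs and database dumps to verify that no card numbers are being stored, as the "protect stored card information" requirement above demands). The gateway class, token format and record fields are all constructed assumptions.

```python
"""Added example: PCI scope check for merchant-side storage.

SimulatedGateway is a constructed stand-in for a real payment gateway's
tokenization endpoint; its API is an assumption, not Magento's or any
vendor's.
"""
import json
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card-number candidates found in text (separators removed)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


class SimulatedGateway:
    """Constructed stand-in for a gateway: holds the PAN, hands back a token."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def tokenize(self, pan: str, expiry: str) -> str:
        # URL-safe base64 token; the PAN itself stays inside the gateway.
        token = "tok_" + secrets.token_urlsafe(12)
        self._vault[token] = f"{pan}|{expiry}"
        return token


def insecure_checkout(pan: str, expiry: str, amount_cents: int) -> dict:
    """Card data posted to the merchant's own server: the PAN lands in merchant storage."""
    return {"order": "100000042", "pan": pan, "expiry": expiry, "amount": amount_cents}


def direct_post_checkout(gateway: SimulatedGateway, pan: str, expiry: str,
                         amount_cents: int) -> dict:
    """Direct post: the browser sends card data to the gateway; the merchant stores a token."""
    token = gateway.tokenize(pan, expiry)
    return {"order": "100000042", "token": token, "amount": amount_cents}


def merchant_storage_in_scope(record: dict) -> bool:
    """True if a serialized merchant record contains something that looks like a PAN."""
    return bool(find_pans(json.dumps(record)))


if __name__ == "__main__":
    # Constructed test card number (the well-known Visa test PAN), not a real card.
    TEST_PAN, TEST_EXP = "4111111111111111", "12/29"
    bad = insecure_checkout(TEST_PAN, TEST_EXP, 1999)
    good = direct_post_checkout(SimulatedGateway(), TEST_PAN, TEST_EXP, 1999)
    print("insecure record in PCI scope:", merchant_storage_in_scope(bad))
    print("direct-post record in PCI scope:", merchant_storage_in_scope(good))
    # Constructed debug log line: the scanner catches PANs written with separators too.
    print(find_pans("checkout debug: card=4111-1111-1111-1111 amount=1999"))
```

Running `find_pans` over exported logs and database dumps is the practical payoff: the hosted-form and direct-post integrations only keep you out of scope as long as no custom module, debug logger or legacy table quietly captures the card number, and a Luhn filter keeps the scanner from flagging order IDs and other long numbers.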
Magento merchants can validate their PCI compliance by completing the PCI Self-Assessment Questionnaire (SAQ).