PCI DSS Compliance Notebook


What is the Payment Card Industry Data Security Standard (PCI DSS) about?


Self Assessment

When do you need and what is required to perform a self assessment?


Stripe & PCI DSS Compliance

What does Stripe say about PCI DSS compliance?

  • https://stripe.com/elements

    • Stripe Elements are the easiest way to keep up with current PCI regulations — no sensitive data hits your servers.

      You qualify for the easiest form of PCI compliance, which shields you from costly and time-sensitive audits.

      We even auto-generate the Self Assessment Questionnaire (SAQ A) documentation.

  • https://stripe.com/docs/stripe-js#stripe-checkout

    • Because all sensitive information is handled by Stripe.js, it features simple PCI compliance with SAQ A reporting
  • https://stripe.com/docs/security#validating-pci-compliance

  • You can simplify your PCI compliance as long as you:

    • Use Checkout, Stripe.js and Elements, or our mobile SDK libraries to collect payment information, which is securely transmitted directly to Stripe without it passing through your servers
    • Serve your payment pages securely using Transport Layer Security (TLS) so that they make use of HTTPS
    • Review and validate your account’s PCI compliance annually
  • Manually creating card payments through the Dashboard is meant only for exceptional circumstances.

    • This method should not be how you routinely processing payments—your customers should be entering their card information into a suitable payment form or mobile application.
    • When card information is manually entered into the Dashboard, we cannot verify that it’s being kept secure outside of Stripe.
    • You are then responsible for ensuring the protection of card data in accordance with the PCI compliance requirements.
    • You’ll be required to upload your SAQ C-VT annually to prove your business is PCI compliant.

Magento Extensions, Stripe & PCI DSS Compliance

What is the typical status quo of extensions in Magento with respect to PCI DSS compliance?

  • https://github.com/mage2pro/stripe - uses Stripe Elements since v2.2.0

  • https://marketplace.magento.com/magenest-module-stripe.html - IFrame Payment: PCI Compliance using SAQ A.

  • https://github.com/pmclain/module-stripe - no information

  • https://www.magedelight.com/magento2-stripe-payment-module.html - “Client side tokenization provides PCI DSS compliance”

    • PCI compliance is a concern of almost everyone and we have been enquired a lot of times about it.
    • PCI compliance is applicable to every aspect of any online business dealing with sensitive data like passwords, server, process implementation, consistent security process checks and updates, all integrated payment methods etc.
    • We can assure that this extension is PCI compliant and will not affect your business security.
    • Additionally, it doesn’t keep any details/data of cards being used with this payment method.
    • This payment method is in the scope of PCI SAQ D. For more details, please read the PCI DSS self-assessment questionnaires (SAQs)

Managed Hosting of Magento & PCI DSS Compliance

When a company is managing the hosting of Magento on your behalf, is that PCI DSS compliant?

Nexcess - An Example of Managed Magento Hosting in Australia

  • https://www.nexcess.net.au/magento/hosting
  • “A 100% fully PCI compliant hosting environment”
    • $~30-40 AUD/month for AU SIP 100 Shared Resource
    • Up to 100 Daily Visitors
    • Dell Enterprise Server
    • 7.5 GB Disk Space RAID-10
    • 24 GB DDR3 1333Mhz RAM
    • 75 GB/mo Bandwidth**
    • 1 Dedicated IP
    • 9 Additional Stores
    • 30 Accounts per Server
    • E-mail Hosting Included
    • Recommended for Magento Open Source 1.x or 2.x

Nexcess & PCI Compliance

  • https://www.nexcess.net/compliance/pci-compliant-hosting
  • Merchants using Magento, WooCommerce, or another eCommerce platform to handle credit card data can achieve PCI DSS compliance more quickly by hosting on our PCI DSS-compliant platform, which are are subject to an annual external PCI DSS assessment.
  • However, some elements of PCI DSS compliance can only be fulfilled by the merchant.
  • Our PCI DSS compliance complements the merchant’s efforts, but does not replace them.
  • Merchants must meet all other PCI requirements, including requirements that involve the application and cardholder environment.
  • https://docs.nexcess.net/article/what-is-pci-dss-compliance.html

Considerations Summary

  • Even though the host is providing a 100% fully PCI compliant hosting environment, if you use Stripe then your business would still need to assess for PCI Compliance. Neither Magento nor Nexcess take 100% PCI DSS responsibility as Stripe is not embedded in any product they own or sell.
  • By comparison, with BigCommerce or Shopify, your business does NOT itself need to assess for PCI Compliance.

Self Hosting Magento / eCommerce Store & PCI DSS Compliance

When you are self hosting Magento, will that be PCI DSS compliant?


  • All servers are self-hosted

Considerations Summary

  • Your business must assess annually for full PCI Compliance - much more stringently than managed hosting.