Magento CE, PCI compliance?

Can anyone help me out? I want to use Magento Community Edition to sell things online, yet it doesn't have PCI compliance. I was going to buy a Sagepay add-on which is meant to be compliant, but isn't PCI compliance server-side, etc.?

I'm pretty confused, as I know I need to be PCI compliant to accept web payments, right? Yet I don't want to pay $3k for Magento EE.

Any help would be very much appreciated.
 
Thanks feenster. After looking into it more, it looks like what you said is correct. As long as you have a payment gateway to another server it's all OK.
 
It's very simple: you sign up with a compliance company like securitymetrics (who we use), and they scan your office connection and websites for compliance issues and then give you a report telling you what to fix.

You also fill in a questionnaire about your storage, use and transmission of data.

It's really simple, and using Sagepay (god help you!) with Magento will cover most bases straight off.

Cheers for the reply. How long does it usually take once you send off the forms? I'm thinking about using Google Checkout because I'm thinking I don't have enough time for PCI compliance.

BTW what's the deal with Sagepay? :)
 
Sagepay are horribly unreliable; Google will tell you all you need to know there!!!

PCI compliance can be done in 24 hours or less; the forms are filled in online, and the scans can be done any time from then and only take a few hours.

Hmm. Who would you recommend for a gateway?

Can I still be PCI compliant with Magento CE, as it isn't PCI compliant software? I would then need an SSL certificate too, wouldn't I? I understand you should only put it on a few pages so it doesn't slow down the site? I don't know how to do that and can't afford to pay someone. I know Global Gold (who will host on a VPS) want £70 an hour to alter ports for PCI compliance.
 
Er, anyone other than them!!! We use HSBC and Streamline for ours (we have 2).

There is no such thing as PCI compliant software, only a compliant system with compliant integrated payment, be it on-site or off-site.

You need an SSL cert regardless, if ANY personal info is entered on your site; that includes things like name, address, etc. for registering, and of course passwords.

Magento is VERY resource hungry; find a host who knows what they are doing to keep it running quickly.
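
A concrete check for the point in the reply above (any page that takes personal details such as a name, address or password must submit them over SSL), as an added example that is not part of the original thread and not Magento's own code. It is plain standard-library Python: the page URLs, the HTML snippets and the field-name heuristic used to decide what counts as personal data are constructed assumptions for the demo, and the Magento-style URL paths are only illustrative.

```python
"""Check that any page collecting personal data submits it over HTTPS.

Added example, not code from the thread or from Magento. Parses each page's
HTML, finds <form> elements carrying fields that look like personal or
payment data, and reports any form that would be posted over plain HTTP.
The sample HTML and the heuristics below are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed heuristic: input types / name fragments that indicate personal data.
SENSITIVE_TYPES = {"password", "email", "tel"}
SENSITIVE_NAME_HINTS = ("name", "address", "email", "phone", "postcode", "zip",
                        "card", "cvv", "cvc", "pass")


class FormCollector(HTMLParser):
    """Collects every <form> and the (name, type) of the fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []      # each: {"action": str, "fields": [(name, type)]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            self._current["fields"].append(
                ((a.get("name") or "").lower(), (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_sensitive(name, itype):
    return itype in SENSITIVE_TYPES or any(h in name for h in SENSITIVE_NAME_HINTS)


def insecure_forms(page_url, html):
    """Return (submit_url, sensitive_fields) for each form on the page that
    collects personal data but would be submitted over plain HTTP.

    A form with no action posts back to the page URL and a relative action is
    resolved against it, so a page served over http:// fails unless the
    action is an absolute https:// URL.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        sensitive = [n or t for n, t in form["fields"] if is_sensitive(n, t)]
        if not sensitive:
            continue
        submit_url = urljoin(page_url, form["action"])
        if urlsplit(submit_url).scheme != "https":
            findings.append((submit_url, sensitive))
    return findings


# Constructed sample pages (Magento-style paths are illustrative only).
PAGES = {
    "http://shop.example/customer/account/create/": """
      <form action="/customer/account/createpost/" method="post">
        <input name="firstname"><input name="lastname">
        <input type="email" name="email"><input type="password" name="password">
      </form>""",
    "http://shop.example/newsletter/": """
      <form action="https://shop.example/newsletter/subscribe/" method="post">
        <input type="email" name="email">
      </form>""",
    "http://shop.example/catalogsearch/": """
      <form action="/catalogsearch/result/" method="get"><input name="q"></form>""",
    "https://shop.example/checkout/onepage/": """
      <form action="/checkout/onepage/saveBilling/" method="post">
        <input name="billing[street][]"><input name="billing[postcode]">
      </form>""",
}


def audit(pages):
    """Run the check over a {page_url: html} map; returns {page_url: findings}."""
    report = {}
    for url, html in pages.items():
        found = insecure_forms(url, html)
        if found:
            report[url] = found
    return report


if __name__ == "__main__":
    for url, found in audit(PAGES).items():
        for submit_url, fields in found:
            print(f"{url}: form posting {fields} to {submit_url} is not HTTPS")
```

Run against the samples, only the account-registration page is flagged: it is served over HTTP and its relative action resolves to an HTTP URL, so the name, e-mail and password would travel in the clear. The newsletter form is fine because its action is an absolute HTTPS URL, the search form carries nothing personal, and the checkout page is already on HTTPS. The same function can be fed real HTML fetched from a staging copy of the shop to verify that the "SSL on a few pages only" setup actually covers every form that matters.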

Thank you so much for your help I really appreciate it.

I was going to go with the £24.99 p/m found HERE. What do you think?

So to be PCI compliant I'm looking at an SSL, plus a scan, plus paying Global Gold for a few hours' tinkering. Then to submit the 2 documents. I think I'm tier 4, class 1.

It's a lot of extra expense that I don't really want to pay for at this moment in time :(
 