Earning and keeping your trust is our highest priority. In doing so, we can also help you to meet your organization’s compliance needs.
PCI compliance isn’t optional for merchants who process credit cards and store cardholder information. The credit card associations require merchants to securely handle this information at all times. Merchants who fail to comply with PCI requirements risk large fines and could have their ability to process credit cards terminated by card associations or acquiring banks. PCI compliance requires that merchants safeguard their customers’ payment card information. This means following PCI security requirements which include having in place appropriate policies and procedures, software design, and network architecture.
There are two ways in which Magento helps merchants be compliant:
First, Magento Commerce Cloud is PCI certified as a Level 1 Solution Provider, so any merchants using Magento Commerce Cloud can use Magento’s PCI Attestation of Compliance to aid their own PCI certification process.
Second, Magento makes PCI compliance easier for merchants by offering integrated payment gateways that let merchants transmit credit card data securely, either via Direct Post API methods or via hosted payment forms provided by the payment gateway and integrated with the merchant’s checkout pages. The Direct Post method sends card information directly to the payment gateway, so sensitive data neither flows through nor is stored on the Magento application server. Hosted payment forms likewise give merchants a seamless checkout: the form is integrated into the checkout page but hosted by the payment gateway rather than by the Magento application server. Because sensitive data stays outside the Magento application server, the core Magento Commerce application can be updated with new marketing, merchandising and content management capabilities without a PCI compliance re-assessment of the entire Magento Commerce platform. As a result, Magento merchants who use one of Magento’s integrated payment options can validate compliance via self-assessment at the SAQ A or SAQ A-EP level rather than the more demanding SAQ D level.
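The scope reduction described above rests on one invariant: the merchant’s application server must never receive cardholder data, only the token or nonce the gateway hands back. The following is an added example, not Magento code or part of any gateway integration, of a server-side guard that enforces that invariant on an incoming checkout request; the field names (`payment_token`, `cc_number`, `cc_cvv`) and the sample card number are constructed for illustration.

```python
import re

# Fields a Direct Post / hosted-form checkout should never deliver to the
# merchant's application server (constructed names for this example).
CARD_FIELDS = {"cc_number", "card_number", "cc_cvv", "cvv", "cvc"}

# 13-19 digits, optionally separated by spaces or dashes (the usual PAN shape).
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if the string contains a Luhn-valid 13-19 digit run, i.e. a probable PAN."""
    for m in PAN_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            return True
    return False


def validate_checkout_post(form: dict) -> tuple[bool, list[str]]:
    """Accept only a gateway-issued token; flag anything that resembles cardholder data.

    Returns (ok, problems). A request with problems should be rejected and logged,
    because card data reaching this server would pull it back into PCI scope.
    """
    problems = []
    if not form.get("payment_token"):
        problems.append("missing gateway payment_token")
    for name, value in form.items():
        if name.lower() in CARD_FIELDS:
            problems.append(f"card field present: {name}")
        elif isinstance(value, str) and looks_like_pan(value):
            problems.append(f"PAN-like value in field: {name}")
    return (not problems, problems)
```

Free-text fields (comments, addresses) are checked as well, since a customer pasting a card number into a note expands scope just as a misconfigured form would.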
For more information on PCI Compliance please visit the PCI Security Standards Council website.
SOC 2 compliance
A SOC 2 report is an attestation report that documents an organization’s internal controls that are in place to meet one or more of the SOC 2 Trust Services Principles’ (TSPs) criteria for Security, Availability, Processing Integrity, Confidentiality, and/or Privacy. A SOC 2 report may be either a point-in-time report (Type 1) or cover a period of time (Type 2).
These reports are intended for a broad range of users who need detailed information and assurance about the controls at a service organization: the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and the confidentiality and privacy of the information those systems process. These reports can play an important role in:
- Oversight of the organization
- Vendor management programs
- Internal corporate governance and risk management processes
- Regulatory oversight
SOC 2 reports can include from one to all five of the TSPs. Each report is required to include at least Security.
Magento Commerce Cloud has obtained a SOC 2 report covering the “Security” TSP.
Verifying our security practices
We use independent third-party auditors to test our systems and controls against some of the most widely-accepted security standards and regulations in the world, such as PCI and SOC 2. These reviews occur at least annually and are conducted by globally-respected audit and security firms that are independent and thorough in their inspections.
Compliance and certification documents can be requested through a Magento sales representative (email@example.com), or, for current Magento customers, through the Magento account management team.