What is PCI Compliance?
PCI compliance means adhering to a set of security standards that protect card data while a financial transaction is taking place and after it has completed.
The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments. If your company accepts card payments, or stores, processes, or transmits cardholder data, you need to host that data with a PCI compliant hosting provider.
A PCI compliant hosting provider should offer multiple layers of defense and a data protection model that combines physical and virtual security controls. Virtual controls include authorization, authentication, and password policies, whereas physical controls include restricted access and locks on server, storage, and networking cabinets, according to Computerworld.com.
PCI v3.0 – SAQ A Compliant
With either of these integration methods (an IFrame, or a fully hosted payment page), the merchant never has access to raw card data, which supports PCI v3.0 SAQ A compliance. Either the IFrame alone or the entire payment page is hosted within the payment gateway's environment, depending on which method you choose. This approach is the recommended one, as it is more secure than the SAQ A-EP methods below.
PCI v3.0 – SAQ A-EP Compliant
- Form Post
When implementing the Form Post or Ajax integration method, developers must ensure that raw card numbers are never posted to or sent through their own environment.
As an added security measure, sensitive authentication data, including card validation codes and PINs, must never be stored after authorization, even in encrypted form.
Paymetric Payment method
Paymetric is a well-known payment method that helps prevent credit card fraud using the Address Verification System (AVS). An extension is available for Magento 1 as well as Magento 2. The payment method tokenizes and authorizes the credit card data before the order is placed, overriding Magento's default credit card method to handle the payment step during checkout.
PCI compliance while using Paymetric
Paymetric's payment method overrides the default Credit Card (CC) method and runs its tokenize-and-authorize service on top of it. A credit card form is displayed on the checkout page to collect the card details from the cardholder. Collecting card data directly on the eCommerce site and storing it in a database is a PCI compliance problem, because it pulls the site into scope for cardholder data. So what should we do to avoid this? A solution consistent with the Payment Card Industry Data Security Standard (PCI DSS) is described below.
Here is a solution that works around that issue:
Paymetric provides an iframe form that processes the credit card data and returns a token to authorize against. We therefore implement this iframe form in place of the default credit card form. Processing the card data through the iframe yields a tokenization response; we receive that tokenized data, use it to set the payment data, and submit the order. Magento's default credit card validation will not accept a token in place of a real card number, so we need to change or bypass that validation and use the token data from the Paymetric method to perform the authorization and payment.
For this process, we will need to follow the steps below:
- Create an XML file with the required input fields and validation, and place it in the helper directory or anywhere the helper function in the Paymetric module can access it. These XML files are provided by Paymetric along with their documentation. The XML file will look something like the following.
```xml
<!-- Tooltip shown for validation errors inside the iframe -->
<errorTooltip class="errorTooltip" show-effect="fadeIn" show-duration="5000" hide-effect="fadeOut"/>
<!-- Card type drop-down; the card number and type are only ever handled inside the iframe -->
<tag name="div" class="card_type_xiframe right_column">
  <label for="cardType" text="Card Type"/>
  <tag name="span" class="xiframe_required">*</tag>
  <ddlCardType id="cd" default-text="Credit Card Type"/>
  <validationMsg for="cardType" class="valmsg"/>
</tag>
<!-- Card number field; tokenize="true" makes the iframe return a token instead of the PAN -->
<tag name="div" class="card_number_xiframe left_column">
  <label for="cardNumber" text="Credit Card Number"/>
  <tag name="span" class="xiframe_required">*</tag>
  <tboxCardNumber tokenize="true" class="textbox-paymetric"/>
  <validationMsg for="cardNumber" class="valmsg"/>
</tag>
```
- Next, add a helper function that builds the iframe URL from the Paymetric configuration details, and pass that URL to the payment method's UI component.
- Style the iframe form to match your actual form (optional); the CSS URI is used to style the iframe.
- When the 'Place Order' button is clicked on the checkout page, a function must submit the iframe form and obtain the response token from Paymetric.
- Collect the access token and signed token and pass them to the helper function for verification.
- If the tokens are verified, populate those details into the actual credit card form and place the order. (The real card number is never populated: Paymetric does not return a card number, and the token is used in the card number field instead.)
- Once the data is populated, continue the checkout process to place the order. (If the authorization step returns an error, repeat all the steps from step 2.)
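As an added example (not Paymetric's or Magento's own code), here is the client-side guard for the 'Place Order' step described above: it takes the tokenization response from the iframe, checks that both the access and signed tokens are present, refuses to forward any value that looks like a raw card number, and builds the payment data that Magento receives with the token standing in for the card number. The response field names and the method code 'paymetric' are assumptions.

```javascript
// Added example, not Paymetric's or Magento's code. Assumed iframe response
// shape: { accessToken, signedToken, cardType, tokenizedCardNumber, last4, expMonth, expYear }.

// Luhn check, used only to detect a raw PAN that should never have left the iframe.
function luhnValid(digits) {
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let n = digits.charCodeAt(i) - 48;
    if (dbl && (n *= 2) > 9) n -= 9;
    sum += n;
    dbl = !dbl;
  }
  return sum % 10 === 0;
}

// 13-19 digits (spaces/dashes ignored) and Luhn-valid: a card number, not a token.
function looksLikeRawPan(value) {
  const s = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(s) && luhnValid(s);
}

// Build the payload that placeOrder sends to Magento. Throws rather than forward
// anything resembling cardholder data, so raw PANs never enter the merchant side.
function buildPaymentData(resp) {
  if (!resp || !resp.accessToken || !resp.signedToken) {
    throw new Error('tokenization response is missing the access or signed token');
  }
  for (const [field, value] of Object.entries(resp)) {
    if (looksLikeRawPan(value)) {
      throw new Error(`field "${field}" looks like a raw card number; refusing to submit`);
    }
  }
  return {
    method: 'paymetric', // assumed payment method code
    additional_data: {
      cc_type: resp.cardType, cc_token: resp.tokenizedCardNumber, // token replaces the PAN
      cc_last4: resp.last4, cc_exp_month: resp.expMonth, cc_exp_year: resp.expYear,
      access_token: resp.accessToken, signed_token: resp.signedToken,
    },
  };
}

// Constructed sample response (not real data), as the iframe might post it back.
const sampleResponse = {
  accessToken: 'acc-constructed-1', signedToken: 'sig-constructed-1',
  cardType: 'VI', tokenizedCardNumber: 'tok-constructed-4111',
  last4: '1111', expMonth: '12', expYear: '2030',
};
```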
This is one of the solutions we have applied on several websites to resolve this PCI compliance issue; the details may vary with the website and platform. If you found this post helpful, please let us know if you have any queries.