For many customers and online store owners this is a great question. The main concern for customers is that subscribing to something means someone is holding their credit card information (a potential risk), and it is an important question for store owners as well, since they can be fined if they are not compliant. This article is intended for store customers, store owners and mainly for store developers: if the developers know this, everyone else can be informed. Read on!
What is a PCI compliant store?
First of all, the major question is: what is a PCI compliant store? In short – it’s a standard, but to clarify a bit more – Wikipedia states “The standard was created to help payment card industry organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise”. It can be read like this: “a standard that helps keep both customers and service providers safe from fraud”. So, to conclude this introduction in one sentence – it is part of the most important part of any online store, the checkout.
The second question, and the main topic of this article – Recurring Payments. Again, in short, “recurring payments” is a fancy expression for a paid subscription. And like any subscription – it happens periodically. But if we wish to make payments periodically without the customer’s interaction, someone has to hold the credit card number and the card security code (the latter goes by a variety of names).
Are Recurring Payments PCI Compliant?
And the main problem – Are Recurring Payments PCI Compliant?
To disappoint you – there’s no simple answer. Any recurring payment system that handles credit card information can be compliant, but it doesn’t have to be. Why, you might ask – well, it depends on the implementation. I say it depends because of this:
As you can see, the payment itself, together with the credit card information, MUST NOT happen on the merchant’s online store – that IS NOT PCI Compliant.
In the real world credit card data flows as follows: Customer input -> Data is sent to the Gateway for authorization -> Gateway sends it to the credit card issuer for authorization -> Gateway gets the response from the issuer -> Online store gets the response from the gateway -> Online store informs the customer of the result.
It’s as simple as that.
But if you want a Recurring Payment System on your online store, the only party that can keep the authorization for further automatic payments is the payment gateway, since each gateway is under constant supervision by the card issuer (a different set of rules applies to the gateway and to the online store). Above, under the image, inside my comment I wrote one of the implementations. Magento handles all of that communication with gateways over the API, so you physically stay on the store, but your card data doesn’t – ever. So, default Magento IS PCI Compliant.
To conclude, as long as the online store DOES NOT store any credit card information on its servers, it’s all good and PCI compliant.
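To make the flow above concrete, here is an added example (written for this article; it is not code from the original post, nor from Magento or any real gateway). It simulates the two parties: a stand-in gateway that vaults the card and hands back an opaque token, and a store that keeps only that token plus the last four digits for display, then bills the subscription each cycle by token alone. A deliberately non-compliant variant that also saves the card number is included, and a simple audit (digit runs of 13 to 19 that pass the Luhn check) scans the stored records so a leak like that is caught. The gateway, the token format and the test card number are all constructed for the example.

```python
"""Added example, not from the original article or Magento: recurring billing
where card data never lands in the store's own records, plus an audit that
flags stored records containing anything that looks like a full card number."""
import re
import secrets
import string
from dataclasses import dataclass


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum used by card networks."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class FakeGateway:
    """Stand-in for a real payment gateway (assumption for this example).
    The card number lives in the gateway's vault, i.e. inside the gateway's
    PCI scope. The security code is used for the first authorization only
    and is never stored, which is why it is not put in the vault here."""

    def __init__(self):
        self._vault = {}

    def tokenize(self, pan: str, expiry: str, cvv: str) -> str:
        # Opaque reference; letters only so the audit below cannot mistake it
        # for a card number. A real gateway defines its own token format.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self._vault[token] = {"pan": pan, "expiry": expiry}
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        if token not in self._vault:
            return {"approved": False, "reason": "unknown token"}
        return {"approved": True, "amount": amount_cents}


@dataclass
class Subscription:
    customer_id: str
    gateway_token: str
    last4: str
    amount_cents: int


class Store:
    """Compliant store: card data is handed to the gateway and not kept."""

    def __init__(self, gateway: FakeGateway):
        self.gateway = gateway
        self.db = []   # constructed in-memory stand-in for the store database

    def subscribe(self, customer_id, pan, expiry, cvv, amount_cents):
        token = self.gateway.tokenize(pan, expiry, cvv)
        rec = Subscription(customer_id, token, pan[-4:], amount_cents)
        self.db.append(rec)
        return rec

    def run_billing_cycle(self):
        # Only the token is needed to charge again; no card data is involved.
        return [self.gateway.charge(r.gateway_token, r.amount_cents) for r in self.db]


class NaiveStore(Store):
    """Non-compliant 'before' version: also persists the full card number."""

    def subscribe(self, customer_id, pan, expiry, cvv, amount_cents):
        rec = super().subscribe(customer_id, pan, expiry, cvv, amount_cents)
        self.db.append({"customer_id": customer_id, "card_number": pan, "cvv": cvv})
        return rec


# 13 to 19 digits, optionally separated by spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_pan_leaks(text: str) -> list:
    """Return digit runs that look like card numbers (length 13-19, Luhn-valid)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def audit_store(store: Store) -> list:
    """Scan everything the store persisted; an empty list means no PAN found."""
    return find_pan_leaks(repr(store.db))


if __name__ == "__main__":
    # "4111111111111111" is a constructed Luhn-valid test number, not a real card.
    good = Store(FakeGateway())
    good.subscribe("cust-1", "4111111111111111", "12/30", "123", 999)
    print("compliant store leaks:", audit_store(good))       # []
    print("billing:", good.run_billing_cycle())
    bad = NaiveStore(FakeGateway())
    bad.subscribe("cust-2", "4111111111111111", "12/30", "123", 999)
    print("naive store leaks:", audit_store(bad))            # ['4111111111111111']
```

The audit is deliberately crude (it will also flag any other Luhn-valid 13 to 19 digit run), which is the right bias for a check that is meant to prove a negative: run it over database dumps and application logs, not only over the subscription table, because the security code and card number most often leak through debug logging rather than through the intended data model.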
I hope this wasn’t too boring for anyone since perhaps it is the most important thing regarding online store!