How to Maintain PCI Compliance
Overview
Why PCI Compliance Matters
- Accept cards safely and avoid fines up to $100,000/month
- Increase customer trust with secure payment handling
- Reduce annual PCI questions from hundreds to 20–30 with hosted payments
- Cut assessment time from weeks to hours with SAQ A qualification
Maintain PCI compliance to accept cards safely, avoid fines, and increase customer trust. This guide shows a low-effort path to PCI compliance for Magento stores by outsourcing card data, enforcing HTTPS, hardening Admin, and completing required scans/SAQs. Choosing a hosted redirect flow (often SAQ A) typically reduces annual PCI questions from hundreds to about 20–30 and can cut assessment time from weeks to hours—lowering compliance effort and risk exposure.
Merchants switching from on-site card forms to hosted redirect/hosted fields typically reduce annual PCI questionnaire effort by 70–90% and lower breach exposure from form-jacking. Enabling 3DS2 and network tokenization (when supported by your gateway) can improve authorization rates by 1–3% in regulated markets and reduce fraud losses, translating to lower compliance cost, direct revenue lift, and improved margins.
Plan on 90–120 minutes to complete the technical steps and validation (excludes acquirer/QSA coordination).
Version compatibility: Written for Magento 2.4.x. If you're on an older version, upgrade to 2.4.6+ for built‑in 2FA and security updates.
Prerequisites
Before you begin, make sure you have:
Admin Panel Access
Access to Magento Admin Panel
Payment Provider Account
Active payment gateway account (PayPal, Braintree, Adyen, etc.)
SSL Certificate
Valid TLS certificate for all store domains and subdomains used during checkout
SSH Access
SSH access to the application server with Composer and bin/magento CLI permissions
What You'll Accomplish
By following this guide, you will:
- Reduce your PCI scope by using hosted/tokenized payments
- Enforce HTTPS/TLS 1.2+ across your store
- Harden Admin access (2FA, reCAPTCHA, least privilege)
- Pass security scans and complete the correct SAQ
Step-by-Step Instructions
Select a hosted or tokenized payment flow to minimize PCI scope
Decide on a gateway and integration type that keeps card data off your servers. Prefer one of the following integration types:
- Hosted payment page (full redirect)
- Gateway-hosted fields/iframes via the official Magento extension (e.g., PayPal Smart Buttons, Braintree Hosted Fields, Adyen Drop-in)
Avoid custom on-site card forms. They require SAQ D and significantly increase your compliance burden.
Business value: Hosted redirects can qualify for SAQ A, reducing PCI effort substantially (fewer questions, faster assessments) and lowering breach exposure. Merchants moving to hosted redirect or hosted fields often see 70–90% less PCI questionnaire effort and fewer form‑jacking risks.
Confirm with your acquirer/QSA which SAQ applies. Full redirect or gateway-hosted payment pages typically qualify for SAQ A. Hosted fields/JS integrations often require SAQ A-EP even when card data never touches your server.
Enforce HTTPS everywhere with modern TLS
In Magento Admin, go to Stores › Configuration › General › Web. Under Base URLs (Secure), set Secure Base URL to your HTTPS URL with a trailing slash (e.g., https://example.com/). Set Use Secure URLs on Storefront = Yes and Use Secure URLs in Admin = Yes. Save and then flush the Magento cache.
At your web server/CDN, force HTTP→HTTPS redirects and disable TLS 1.0/1.1. Optionally enable HSTS at the edge (start with a short max-age).
Cookie security: In Admin, go to Stores › Configuration › General › Web › Default Cookie Settings and set Use HTTP Only = Yes. With HTTPS enforced, Magento will set the Secure flag on session cookies.
Test your domain with SSL Labs and remediate any grade lower than A. Ensure only TLS 1.2/1.3 are enabled and weak ciphers are disabled.
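The server-side checks in this step (forced HTTPS redirect, HSTS at the edge, Secure and HttpOnly cookie flags) can be verified from a captured response rather than by eye. The following is an added example, not code from the original guide or from Magento: it audits the response headers you would capture with curl -I against the store. The two response dictionaries are constructed samples, and the cookie name tracking_pref is an assumption used only to show a failing case.

```python
from urllib.parse import urlsplit

# Constructed sample responses standing in for what you would capture with
# curl -I against the store; they are not real output from any site.
HTTP_RESPONSE = {
    "status": 301,
    "headers": {"Location": "https://example.com/"},
}
HTTPS_RESPONSE = {
    "status": 200,
    "headers": {
        "Strict-Transport-Security": "max-age=300",  # short max-age, as the guide suggests
        "Set-Cookie": [
            "PHPSESSID=constructed; path=/; secure; HttpOnly; SameSite=Lax",
            "tracking_pref=constructed; path=/; secure",  # assumed cookie lacking HttpOnly
        ],
    },
}

REDIRECT_CODES = {301, 302, 307, 308}


def redirects_to_https(resp: dict) -> bool:
    """True when the plain-HTTP response is a redirect whose target uses https."""
    target = urlsplit(resp["headers"].get("Location", ""))
    return resp["status"] in REDIRECT_CODES and target.scheme == "https"


def hsts_max_age(resp: dict):
    """Return the HSTS max-age in seconds, or None if the header is absent or malformed."""
    value = resp["headers"].get("Strict-Transport-Security", "")
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None


def cookie_problems(resp: dict) -> list:
    """List (cookie name, problem) pairs for cookies lacking Secure or HttpOnly."""
    problems = []
    for cookie in resp["headers"].get("Set-Cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")]
        name = attrs[0].split("=", 1)[0]
        if "secure" not in attrs:
            problems.append((name, "missing Secure"))
        if "httponly" not in attrs:
            problems.append((name, "missing HttpOnly"))
    return problems


def audit(http_resp: dict, https_resp: dict) -> list:
    """Collect human-readable findings; an empty list means the checks passed."""
    findings = []
    if not redirects_to_https(http_resp):
        findings.append("HTTP is not redirected to HTTPS")
    if hsts_max_age(https_resp) is None:
        findings.append("HSTS header missing or malformed")
    for name, why in cookie_problems(https_resp):
        findings.append(f"cookie {name}: {why}")
    return findings


if __name__ == "__main__":
    for finding in audit(HTTP_RESPONSE, HTTPS_RESPONSE) or ["no findings"]:
        print(finding)
```

Run it against the sample data and the only finding is the tracking cookie without HttpOnly. Protocol and cipher checks (TLS 1.2/1.3 only, no weak suites) are not visible in headers; for those, rely on the SSL Labs report mentioned above.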
Install and configure the official gateway extension
Install the vendor's official Magento 2 extension (Marketplace or Composer).
Install and deploy
1. Enable maintenance mode and make sure you have a current backup:
bin/magento maintenance:enable
2. Install the module with Composer (Adyen is shown as an example; use your vendor's package name):
composer require adyen/module-payment:^<latest-major>
3. Run the Magento upgrade:
bin/magento setup:upgrade
4. If the store runs in production mode, compile DI and deploy static content:
bin/magento setup:di:compile
bin/magento setup:static-content:deploy -f
5. Clear the cache:
bin/magento cache:clean
6. Disable maintenance mode:
bin/magento maintenance:disable
Configure in Admin
1. Go to Stores › Configuration › Sales › Payment Methods and locate your gateway
2. Enter API credentials (start with sandbox). Enable tokenization/vault if available
3. Enable 3D Secure 2.x for PSD2 SCA compliance and fraud reduction
4. Set payment action: Authorize Only (for preorders) or Authorize and Capture (for immediate shipment)
5. Configure gateway webhooks/notifications and whitelist gateway IPs if required
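Step 5 above (and the "verify webhook signature validation is enabled" item in the troubleshooting section) matters because a webhook endpoint that trusts unsigned notifications lets anyone flip order status. The following is an added example, not code from the original guide or from any gateway's SDK: it shows the receiver-side checks in the order they should run. The HMAC-SHA256-over-raw-body scheme, the X-Signature header name, the secret and the event format are all assumptions for the demo; real gateways define their own signing rules, so follow the vendor's specification.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed shared secret; the real one comes from the gateway's merchant portal.
WEBHOOK_SECRET = b"constructed-example-secret-do-not-reuse"
MAX_EVENT_AGE = timedelta(minutes=5)
# Assumed mapping from gateway event types to Magento-style order states.
STATE_FOR_EVENT = {"AUTHORISATION": "processing", "CAPTURE": "complete", "REFUND": "closed"}


def compute_signature(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, base64-encoded (generic scheme for the demo)."""
    return base64.b64encode(hmac.new(secret, body, hashlib.sha256).digest()).decode("ascii")


def signature_valid(secret: bytes, body: bytes, presented) -> bool:
    # constant-time comparison so response timing does not reveal how many characters matched
    return hmac.compare_digest(compute_signature(secret, body), presented or "")


class WebhookReceiver:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_event_ids = set()  # persist this in a real deployment

    def handle(self, raw_body: bytes, headers: dict, now: datetime) -> dict:
        # 1. authenticate the raw bytes before parsing anything
        if not signature_valid(self.secret, raw_body, headers.get("X-Signature")):
            return {"accepted": False, "reason": "signature mismatch"}
        event = json.loads(raw_body)
        # 2. reject stale events to limit replay of captured notifications
        if abs(now - datetime.fromisoformat(event["sent_at"])) > MAX_EVENT_AGE:
            return {"accepted": False, "reason": "stale event"}
        # 3. idempotency: a notification delivered twice must not change the order twice
        if event["event_id"] in self.seen_event_ids:
            return {"accepted": False, "reason": "duplicate event"}
        self.seen_event_ids.add(event["event_id"])
        state = STATE_FOR_EVENT.get(event["type"], "payment_review")
        return {"accepted": True, "order": event["order_id"], "state": state}


def make_event(event_id: str, order_id: str, event_type: str, sent_at: datetime):
    """Build a signed notification the way a gateway would (constructed for the demo)."""
    body = json.dumps(
        {"event_id": event_id, "order_id": order_id, "type": event_type, "sent_at": sent_at.isoformat()},
        separators=(",", ":"),
    ).encode()
    return body, {"X-Signature": compute_signature(WEBHOOK_SECRET, body)}


def demo() -> list:
    """Exercise the receiver with valid, duplicate, tampered, unsigned and stale deliveries."""
    now = datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)  # fixed clock for reproducibility
    receiver = WebhookReceiver(WEBHOOK_SECRET)
    body, headers = make_event("evt-1", "000000123", "CAPTURE", now - timedelta(seconds=30))
    outcomes = [
        receiver.handle(body, headers, now),                                  # accepted
        receiver.handle(body, headers, now),                                  # duplicate
        receiver.handle(body.replace(b"CAPTURE", b"REFUND"), headers, now),   # tampered body
        receiver.handle(body, {}, now),                                       # no signature at all
    ]
    old_body, old_headers = make_event("evt-2", "000000124", "CAPTURE", now - timedelta(hours=1))
    outcomes.append(receiver.handle(old_body, old_headers, now))             # stale
    return outcomes


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The order of checks is deliberate: the signature is verified over the raw bytes before JSON parsing, so a malformed or oversized body from an unauthenticated sender is never processed, and the freshness and idempotency checks only run on notifications that are already known to come from the gateway.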
Verify no card data touches your servers
In sandbox, place a test order. Open your browser's developer tools (Network tab) and confirm card iframes/scripts load from gateway domains (e.g., *.adyen.com, *.braintreegateway.com, *.paypal.com), not your store's domain.
On the server, inspect var/log and your web server logs. Ensure logs never contain PAN or CVV. If any sensitive data appears, stop testing, purge logs securely, and remediate immediately.
Database verification (tokenization):
SELECT entity_id, payment_method_code, public_hash, type, token_details FROM vault_payment_token LIMIT 5;
Verify token_details contains masked card data (e.g., ****1111) and no PAN/CVV.
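Reading through var/log by hand does not scale, and grepping for any long digit run produces noise from order ids and transaction references. The following is an added example, not code from the original guide or from Magento: a small scanner that flags digit runs only when they pass the Luhn check that card numbers satisfy, flags CVV-style fields, and reports masked values so the report itself never contains a PAN. The log lines are constructed for the demo and use public test card numbers; the heuristic still has false positives and negatives, so treat any hit as a prompt to investigate, not as proof either way.

```python
import re

# Constructed log lines for the demo; real Magento var/log and web server logs
# should never contain a PAN or CVV at all.
SAMPLE_LOG = [
    'main.INFO: vault token saved public_hash=7f3a details={"maskedCC":"1111","type":"VI"}',
    "main.DEBUG: gateway request card=4111111111111111 cvv=123 amount=49.99",
    "main.DEBUG: retry with card number 5555 5555 5555 4444",
    "main.INFO: order 000000123 captured tx_id=9876543210123",
]

# 13-19 digits, optionally separated by single spaces or dashes, not adjacent to
# other digits or to the '*' of an already-masked number.
PAN_RE = re.compile(r"(?<![\d*])(?:\d[ -]?){12,18}\d(?![\d*])")
CVV_RE = re.compile(r"\b(?:cvv2?|cvc|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order ids and references that merely look numeric."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits, matching how vault_payment_token stores masked data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_line(line: str) -> list:
    """Return (kind, masked value) pairs for each likely PAN or CVV on one line."""
    findings = []
    for match in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            findings.append(("PAN", mask(digits)))
    if CVV_RE.search(line):
        findings.append(("CVV", "present"))
    return findings


def scan_log(lines) -> list:
    """(line number, kind, masked value) for every hit across a log."""
    return [(n, kind, val) for n, line in enumerate(lines, 1) for kind, val in scan_line(line)]


if __name__ == "__main__":
    for lineno, kind, val in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind} {val}")
```

On the sample, line 2 is reported for both a PAN and a CVV, line 3 for a space-separated PAN, and line 4 is silent because its 13-digit transaction id fails the Luhn check. Point scan_log at the lines of var/log/*.log and your web server access/error logs after a sandbox order; any hit means stop testing and follow the purge-and-remediate steps above.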
Harden Magento Admin and checkout
- Enforce 2FA (Magento 2.4+): Go to Stores › Configuration › Security › 2FA and enable providers (Google Authenticator, Duo Security, WebAuthn)
- Change the Admin URL: Stores › Configuration › Advanced › Admin, set a custom Admin path
- Configure least-privilege roles: System › Permissions › User Roles
- Enable Google reCAPTCHA: Configure separately for Admin Panel and Storefront under Stores › Configuration › Security
- Strengthen password and session security: Stores › Configuration › Advanced › Admin › Security
- Add a Content Security Policy (CSP): Restrict scripts to trusted domains (your store, CDN, payment gateway)
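For the CSP item above, the useful check is whether script-src and frame-src (the directives that govern what can run on the checkout page and where the payment iframe may come from) contain only the hosts you intend. The following is an added example, not code from the original guide or from Magento's own CSP module: it parses a policy header and reports broad or unexpected sources. The gateway wildcards come from the domains this guide names; the CDN host, the third-party analytics host and both sample policies are constructed.

```python
# Trusted sources: the gateway wildcards are the domains this guide names; the CDN is assumed.
TRUSTED_SCRIPT_SOURCES = {
    "'self'",
    "https://cdn.example.com",
    "https://*.adyen.com",
    "https://*.braintreegateway.com",
    "https://*.paypal.com",
}
TRUSTED_FRAME_SOURCES = {
    "https://*.adyen.com",
    "https://*.braintreegateway.com",
    "https://*.paypal.com",
}

# Source expressions that make a directive effectively meaningless for script or frame control.
OVERLY_BROAD = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}

# Constructed policies: the first allows inline scripts and an unlisted analytics host.
WEAK_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.com https://*.adyen.com "
    "https://stats.third-party.example 'unsafe-inline'; "
    "frame-src https://*.adyen.com; img-src 'self' data:"
)
HARDENED_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.com https://*.adyen.com; "
    "frame-src https://*.adyen.com; img-src 'self' data:"
)


def parse_csp(header: str) -> dict:
    """Map each directive name to its list of source expressions."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict, directive: str):
    """script-src and frame-src fall back to default-src when not set explicitly."""
    return policy.get(directive, policy.get("default-src"))


def csp_findings(header: str, trusted_scripts: set, trusted_frames: set) -> list:
    """Return findings for script-src and frame-src; empty list means the policy is as intended."""
    policy = parse_csp(header)
    findings = []
    for directive, trusted in (("script-src", trusted_scripts), ("frame-src", trusted_frames)):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive} not set and no default-src fallback")
            continue
        for src in sources:
            if src in OVERLY_BROAD:
                findings.append(f"{directive} allows {src}")
            elif src not in trusted:
                findings.append(f"{directive} allows untrusted source {src}")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(label, csp_findings(header, TRUSTED_SCRIPT_SOURCES, TRUSTED_FRAME_SOURCES) or "ok")
```

Magento 2.4 ships its own CSP module that starts in report-only mode, and extensions declare the hosts they need in an etc/csp_whitelist.xml file; use that mechanism to add the gateway and CDN hosts, then run a check like this against the header the store actually emits before switching the policy to enforcing.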
Use reCAPTCHA v3 on checkout to minimize friction, but start with a moderate threshold (e.g., 0.3–0.5) and monitor conversion. If legitimate customers are challenged, lower the threshold.
Keep Magento and extensions updated; run Adobe Security Scan
Apply the latest Magento security patches and extension updates in staging, then production, following your change-control process.
Sign in to your Magento/Adobe Commerce account and register your site in the Security Scan tool. Follow the "Register your site" steps to verify ownership and schedule recurring (e.g., weekly) scans. Review findings and remediate promptly.
Schedule quarterly ASV scans and complete the correct SAQ
Most acquirers require quarterly external ASV scans for any merchant with Internet-facing domains in scope. Confirm scope and targets with your acquirer/QSA to ensure you scan all required hosts.
Use PCI SSC SAQ instructions to determine your SAQ type (A, A-EP, D, etc.). Complete the SAQ in your acquirer's portal and retain the Attestation of Compliance (AOC).
Examples (confirm with your acquirer/QSA):
- PayPal Smart Buttons with full redirect → typically SAQ A
- Adyen/Braintree hosted fields (card entry iframe on your site) → typically SAQ A‑EP
- Custom on-site card forms or direct post → SAQ D for merchants
Operational value: Correctly scoping to SAQ A (when eligible) often eliminates internal network controls from the questionnaire and can cut annual compliance preparation from several weeks to a few hours.
Document and operationalize compliance
Create a simple compliance runbook that includes:
- Gateway AOC on file, SAQ/ASV schedule, update cadence, key contacts, change control, and incident response steps
- Quarterly access review of admin users/roles and monthly log review procedures
- Backup/restore testing schedule and annual security training tracking
- Credential hygiene: rotate API keys and admin credentials regularly
Incident Response
Immediately isolate affected systems, preserve logs, notify your acquirer within 24 hours, engage a PCI-approved forensic investigator (PFI) if directed, rotate all credentials, and communicate with customers per legal counsel.
Verification
Use this checklist to confirm everything is working correctly:
Payment Integration
- ✓ SAQ type confirmed with acquirer/QSA and documented
- ✓ Sandbox order succeeds; webhooks update order status automatically
- ✓ 3DS2 flows work as expected
HTTPS/TLS Configuration
- ✓ SSL Labs reports grade A
- ✓ Only TLS 1.2/1.3 enabled
- ✓ HTTP→HTTPS redirects enforced; HTTPOnly cookies enabled
Card Data Isolation
- ✓ Browser shows payment fields from gateway domain
- ✓ Database stores only tokens/masked data
- ✓ No PAN/CVV in logs
Admin Security
- ✓ 2FA enforced on admin login
- ✓ reCAPTCHA tuned for low checkout friction
- ✓ Password/session policies applied; Admin URL changed
Security Scans
- ✓ Adobe Commerce Security Scan shows no critical/high issues
- ✓ Recurring scans scheduled
Compliance Documentation
- ✓ Quarterly ASV scan passed for all in-scope hosts
- ✓ Correct SAQ completed; AOC stored
- ✓ Compliance runbook maintained with owners and cadence
- ✓ Training records up to date; incident response plan documented
Common Issues and Solutions
Issue: Card numbers or CVV values appear in application or web server logs. Immediate action required:
- Disable debug logging for payment modules in production
- Rotate and purge existing logs securely
- Investigate and remediate any leakage immediately
- Verify webhook signature validation is enabled
Issue: reCAPTCHA adds friction at checkout. Solution:
- Use reCAPTCHA v3 on checkout for invisible protection
- Reserve v2 for high-risk forms only (login, registration)
- Tune score thresholds (start around 0.3–0.5) and monitor conversion impact
Issue: 3DS2 challenges interrupt checkout too often. Solution:
- Enable frictionless flow where supported by your gateway
- Apply SCA exemptions (trusted devices, low-risk/TRA, low-value) if your gateway supports them
- Use trusted beneficiary lists to reduce repeat challenges
Issue: ASV scan flags legacy TLS versions or weak ciphers. Solution:
- Disable TLS 1.0/1.1 on load balancer and web server configuration
- Prefer modern ECDHE cipher suites
- Re-run ASV scan to verify compliance
Issue: Admin login page is publicly reachable. Solution:
- Restrict the /admin path by IP at WAF/CDN level
- Rename the Admin URL to a non-obvious path
- Enable 2FA for all admin accounts