PCI, Magento, and Storing Credit Card Information


  • Created: Mar 30, 2012 12:51 PM

The question of whether you can store credit card information within Magento comes up a lot here at Nexcess. Unfortunately, the answer is not very clear when you look for it elsewhere, including on the Magento website. To clarify it, a few things need to be understood, including the difference between PCI-DSS and PA-DSS compliance.

PCI-DSS covers the compliance of your entire online environment, which includes your systems, practices, software, etc. This is the standard you are required to meet to be able to process on-site payments. Magento IS PCI-DSS compliant when the rules of PCI-DSS are followed, which include:

- Build and Maintain a Secure Network
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy

PA-DSS is a standard for *software applications* dealing with payment processing. PA-DSS was designed to provide the definitive data standard for software vendors that develop payment applications, so that those applications can store cardholder data securely and are prevented from storing prohibited cardholder data (full mag stripes, CVV2 info, PIN numbers, etc.).

A software application can never be “PCI compliant” by itself. A software application can be PCI compliant if the environment is also PCI compliant, which would include the way an application flows. An application can be PA-DSS compliant, but the environment may or may not be PCI compliant.

Magento by itself is NOT a PA-DSS certified application if it is storing cardholder info in its database. Because of this, you cannot store credit card information inside Magento and be PCI compliant. The PA-DSS requirements are strictly for storing cardholder data, which is why Magento produced Payment Bridge, which IS a PA-DSS compliant application.

Using a 3rd party plugin or merchant whose software and system IS PA-DSS compliant and that can store cardholder data on external systems (Magento Payment Bridge included) removes the PA-DSS requirement from Magento itself and allows you to be PCI-DSS compliant. This of course holds true if and only if all of the systems and networks this cardholder data traverses are protected. In other words, let’s say that your Magento store isn’t storing cardholder data, but is instead using a PA-DSS compliant third party. Let’s then say that the connection between your Magento store and the third party is not encrypted, or you have debugging enabled for the payment gateway. In such cases, you would NOT be PCI compliant.

To reiterate, Magento does have the built-in ability to store cardholder data in its own database, but you will never be PA-DSS compliant in doing so, which prevents you from being PCI-DSS compliant. The Magento application (at any level: CE, PE, EE) has not been PA-DSS certified. Remember, PA-DSS applies to software only, and not the infrastructure. Storing cardholder data in a non-PA-DSS compliant application like Magento will invalidate PCI compliance.

If you do want to store credit card data for any time frame, even if for only a few minutes, you must use either Payment Bridge or a 3rd party plugin / service which is PA-DSS compliant and stores the cardholder information on their servers for later retrieval. In addition to this, the entire flow of cardholder data must be secured. This means all debugging must be off and the connections carrying cardholder information must use some form of SSL/TLS.

Posted in: Magento, Security
  • Daniel Voyce

    Do you have an example of such a module that can store these and be PA-DSS compliant?