Introduction to Magento Security
Last updated on October 28th, 2019
Introduction to Magento Security
Steps to properly secure your Magento site from hackers.
Recent statistics show that Magento is the third most popular ecommerce platform. The unfortunate reality is that data breaches and attacks against ecommerce sites are on the rise, and a large number of Magento sites are not PCI compliant. Many vulnerable Magento websites are targeted by cybercriminals who seek to steal sensitive customer data and credit card information.Protect your Site
This guide intends to educate administrators on basic Magento security techniques and actionable steps showing how to secure Magento websites and how to maintain compliance while reducing the risk of a website compromise.
Ensure Your Magento Site is PCI Compliant
All ecommerce websites must follow the requirements outlined by the Payment Card Industry Data Security Standards (PCI-DSS) — even if they don’t process any payments themselves. If an attacker compromises a site that uses PayPal, for example, they can modify the site and redirect customers to a malicious payment gateway, resulting in lost sales and fraud.
The major credit card companies govern the PCI requirements to ensure the secure handling, transmission, and storage of cardholder information.
If a merchant is found to be noncompliant, they may incur considerable penalties, including suspension or cancelation of credit card payment processing. Noncompliant sites may also see an impact to brand reputation and receive heavy fines from payment industry regulators.
The latest version of PCI DSS is version 3.2.1 which includes 12 requirements distributed between six core domains.
The PCI-DSS Requirements
Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware and regularly update antivirus software or programs
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
1.1Integrated Payment Gateways
Magento offers integrated payment gateways which allow merchants to securely transmit credit card data.
These solutions use an API or payment form hosted by an external payment processor. With this option, information is sent directly to the payment gateway without sensitive data being stored on the Magento application server—making it easier for site owners to meet PCI requirements.
Learn more about the official Magento Approach to PCI Compliance.
1.2TLS & HTTPS
TLS (previously known as SSL) is a cryptographic protocol used to encrypt data as it travels between computers and servers over the internet.
If you are starting with a new installation, consider launching the entire site over HTTPS. While it doesn’t keep your website safe, it does securely transfer user credentials and protect your visitor’s data when it is transmitted.
Without TLS, data transferred using the unsecured HTTP protocol can be intercepted – including sensitive information like passwords and credit cards.
Magento website administrators should add TLS certificates to all ecommerce websites to protect visitors and securely transmit cardholder data.
TLS allows the use of HTTP/2, a major revision of the HTTP network protocol, which can significantly improve a website’s performance.
HTTPS can also impact your SEO ranking and PCI compliance; Google uses HTTPS as a ranking factor, and this protocol can help you meet the fourth requirement outlined in the PCI-DSS: Encrypt transmission of cardholder data across open, public networks.