Introduction to Magento Security

Steps to properly secure your Magento site from hackers.

Recent statistics show that Magento is the third most popular ecommerce platform. The unfortunate reality is that data breaches and attacks against ecommerce sites are on the rise, and a large number of Magento sites are not PCI compliant. Many vulnerable Magento websites are targeted by cybercriminals who seek to steal sensitive customer data and credit card information.

Protect your Site

This guide intends to educate administrators on basic Magento security techniques and actionable steps showing how to secure Magento websites and how to maintain compliance while reducing the risk of a website compromise.

This guide is not legal advice.

We encourage any ecommerce website owner to proactively familiarize themselves with the legal guidelines associated with running an ecommerce store and reach out to an attorney for any compliance-related queries.

Ensure Your Magento Site is PCI Compliant

All ecommerce websites must follow the requirements outlined by the Payment Card Industry Data Security Standards (PCI-DSS) — even if they don’t process any payments themselves. If an attacker compromises a site that uses PayPal, for example, they can modify the site and redirect customers to a malicious payment gateway, resulting in lost sales and fraud.

The major credit card companies govern the PCI requirements to ensure the secure handling, transmission, and storage of cardholder information.

If a merchant is found to be noncompliant, they may incur considerable penalties, including suspension or cancelation of credit card payment processing. Noncompliant sites may also see an impact to brand reputation and receive heavy fines from payment industry regulators.

Did you know?

The average cost of a data breach (including fines, insurance, incident response, and other factors) for small businesses is $120,500 and enterprise organizations pay an average of $1.23 million dollars.

You can sign up for our free PCI Compliance email course to learn more about the requirements and protect your store.

The latest version of PCI DSS is version 3.2.1 which includes 12 requirements distributed between six core domains.

The PCI-DSS Requirements

Build and Maintain a Secure Network and Systems

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update antivirus software or programs

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need to know

Requirement 8: Identify and authenticate access to system components

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel

1.1Integrated Payment Gateways

Magento offers integrated payment gateways which allow merchants to securely transmit credit card data.

These solutions use an API or payment form hosted by an external payment processor. With this option, information is sent directly to the payment gateway without sensitive data being stored on the Magento application server—making it easier for site owners to meet PCI requirements.

Learn more about the official Magento Approach to PCI Compliance.

Don’t incur penalties, large fines, or lose the ability to accept payments on your Magento website.

Read Our PCI Guide

1.2TLS & HTTPS

TLS (previously known as SSL) is a cryptographic protocol used to encrypt data as it travels between computers and servers over the internet.

If you are starting with a new installation, consider launching the entire site over HTTPS. While it doesn’t keep your website safe, it does securely transfer user credentials and protect your visitor’s data when it is transmitted.

Without TLS, data transferred using the unsecured HTTP protocol can be intercepted – including sensitive information like passwords and credit cards.

Magento website administrators should add TLS certificates to all ecommerce websites to protect visitors and securely transmit cardholder data.

TLS allows the use of HTTP/2, a major revision of the HTTP network protocol, which can significantly improve a website’s performance.

HTTPS can also impact your SEO ranking and PCI compliance; Google uses HTTPS as a ranking factor, and this protocol can help you meet the fourth requirement outlined in the PCI-DSS: Encrypt transmission of cardholder data across open, public networks.

You can chat with us to learn how we can help you activate TLS/HTTPS via our cloud-based WAF.

We offer a comprehensive guide detailing the steps you’ll need to take to install an SSL certificate on your Magento site.

Learn More

Did you know?

In July 2018, Google released a Not Secure label for Chrome users to indicate if a website handling credit cards or passwords was not using HTTPS.

These labels can significantly impact traffic and brand reputation for your website.