Is Magento PCI Compliant?

Accepting credit and debit card payments on your website is a huge responsibility. In order to apply for a merchant account to use online, your site will have to be fully PCI compliant. For this reason, many people want to know whether or not Magento is PCI compliant out of the box. Today we will aim to answer this question, while also looking into what PCI compliance is and why you should care.

What is PCI Compliance?

PCI DSS stands for Payment Card Industry Data Security Standard. It sets out a series of requirements designed to protect the sensitive information handled when processing card payments. If your business accepts card payments online, in store or over the phone, then you will need to comply with PCI DSS, regardless of your size.

Why is PCI Compliance Important?

When anyone pays for anything with a debit or credit card, sensitive information is transferred and stored. If this data is stored in an insecure way, then it could compromise the person’s security. As a result, if anyone wants to accept card payments then they will need to ensure they are PCI compliant.

Why Does Magento Have to Be PCI Compliant?

PCI compliance isn’t something that is optional. If you want to accept card payments directly through your store, then your Magento site must be PCI compliant. Credit card companies and payment gateways all require this sensitive information to be treated securely at all times.

Achieving PCI compliance with other open source shopping carts can be much more difficult. Magento has been designed with PCI compliance in mind, which makes this much more straightforward.

Is Magento PCI Compliant?

Magento can be fully PCI compliant if it is set up correctly. However, you will need to ensure that you use the built-in payment gateway integrations. These integrations pass card details directly to the payment gateway provider, rather than storing or processing them on your own site. Integrated payment gateways create a seamless experience for customers, but the final part of the payment is actually conducted directly with the gateway.

Magento 2 uses direct-post techniques, in which the customer's browser sends card numbers and other sensitive information straight to the payment gateway, without any risk to the card holder. This satisfies PCI compliance requirements because the card data is transmitted to the payment gateway rather than through your own site.

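The direct-post pattern described above, as an added illustration that is not Magento's or any gateway's own code: card fields are split off and sent to the gateway, only the returned token is passed to the merchant server, and a merchant-side guard rejects any request that still carries card data. The gateway URL, field names and token value are hypothetical placeholders.

```javascript
// Added illustration of the direct-post checkout flow. The gateway endpoint and
// field names below are hypothetical placeholders, not a real provider's API.
const GATEWAY_TOKENIZE_URL = "https://gateway.example/v1/tokenize"; // hypothetical
const CARD_FIELDS = ["cardNumber", "expiry", "cvv"];

// Luhn check, used here only to detect a card number that has leaked into
// data bound for the merchant server.
function luhnValid(digits) {
  let sum = 0, alt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (alt) { d *= 2; if (d > 9) d -= 9; }
    sum += d; alt = !alt;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Split the checkout form: card fields go straight to the gateway, everything
// else (order id, amount, ...) stays local for the merchant request.
function splitCheckout(form) {
  const toGateway = {}, local = {};
  for (const [k, v] of Object.entries(form)) {
    (CARD_FIELDS.includes(k) ? toGateway : local)[k] = v;
  }
  return { gatewayRequest: { url: GATEWAY_TOKENIZE_URL, body: toGateway }, local };
}

// Payload the merchant server receives once the gateway has returned a token.
function buildMerchantPayload(token, local) {
  return { ...local, paymentToken: token };
}

// Merchant-side guard: refuse any body carrying card fields or a Luhn-valid
// PAN, since accepting it would pull the server back into PCI DSS scope.
function containsCardData(payload) {
  for (const [k, v] of Object.entries(payload)) {
    if (CARD_FIELDS.includes(k)) return true;
    const digits = String(v).replace(/[\s-]/g, "");
    if (/^\d{13,19}$/.test(digits) && luhnValid(digits)) return true;
  }
  return false;
}
```

In a real deployment the merchant server would apply `containsCardData` to every checkout request and log a rejection rather than processing it.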
PCI compliance is very confusing at the best of times. If you are having trouble getting payment gateways to agree that your site is PCI compliant, then you might need to hire an expert.