One of the key principles in maintaining PCI compliance is having a strategy to properly process and store credit card payments.
Storing cardholder data in Adobe Commerce is strictly prohibited and doing so could be a violation of your obligations as a merchant under the Payment Card Industry Data Security Standard (PCI-DSS). More information about our shared responsibility model and guidelines for merchant obligations can be found in our shared responsibility guide for Adobe Commerce on the Adobe Trust Center.
We recommend following the best practices below to help ensure you are properly processing payment information on your eCommerce site. Additional guidance on overall security best practices can be found in our security best practices guide for Adobe Commerce on the Adobe Trust Center
If storing cardholder data is needed, then cardholder data should be stored outside of Adobe Commerce with storage safeguards. Having storage safeguards in place for payment details, like credit cardholder data, helps prevent fraud and other potential security issues. In line with other PCI standards, having protections in place is the first line of defense. Some preferred methods to enhance protections of stored data include encryption, truncation, tokenization, one-way hashing, and masking.
Protections for cryptographic keys are vital to data protection strategies. It’s critical to have skilled and trustworthy custodians overseeing these keys.
Finally, a primary account number (PAN) must be unreadable during storage (e.g., masked such as XXX). This includes portable storage and backup media such as flash drives, USB, and external hard drives, and even audit logs.
Safeguarding data during transmission is key to protecting payment information, like cardholder data. When this information is transmitted over open networks, it can become more vulnerable to security issues.
Transmit cardholder data using secure transmission protocols and practices including:
The recommended method to handle cardholder data is to not store the primary account number (PAN) but to tokenize the card with a specific payment processing provider and store the token, card type, and encrypted expiration date. You can use the token as a credential on file for future use as it is unique for each merchant only. Since the token is unique, if there is a security issue, the token in invalidated which helps to prevent fraudulent activity
If you are looking for recommended payment solutions by Adobe, please consider Adobe Payment Services.