One of the key principles in maintaining PCI compliance is having a strategy to properly process and store credit card payments.
Storing cardholder data in Adobe Commerce is strictly prohibited and doing so could be a violation of your obligations as a merchant under the Payment Card Industry Data Security Standard (PCI-DSS). More information about the shared responsibility model and guidelines for merchant obligations is available in the Adobe Commerce Shared Responsibility Model Guide on the Adobe Trust Center.
Follow the best practices below to ensure that you are properly processing payment information on your eCommerce site. For additional guidance on security best practices, see Secure your site and infrastructure.
If storing cardholder data is needed, then cardholder data should be stored outside of Adobe Commerce with storage safeguards. Having storage safeguards in place for payment details, like credit cardholder data, helps prevent fraud and other potential security issues. In line with other PCI standards, having protections in place is the first line of defense. Some preferred methods to enhance protection of stored data include encryption, truncation, tokenization, one-way hashing, and masking.
Protections for cryptographic keys are vital to data protection strategies. It’s critical to have skilled and trustworthy custodians overseeing these keys.
Finally, a primary account number (PAN) must be unreadable during storage, for example masked with XXX. This includes portable storage and backup media such as flash drives, USB, and external hard drives, and even audit logs.
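The masking and audit-log requirements above, as an added example that is not part of the Adobe Commerce documentation or code base: a small log scanner that finds Luhn-valid PANs in log lines and rewrites them so only the last four digits remain. The masking scheme (all but the last four digits replaced by X), the regular expression, and the sample log lines are assumptions constructed for this illustration.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not preceded or followed by another digit. (Assumed pattern for this example.)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines; 4111111111111111 is a public test number.
SAMPLE_LOG = [
    "2024-05-01 order=1234567890123456 pan=4111 1111 1111 1111 status=ok",
    "2024-05-01 order=1234567890123457 pan=XXXXXXXXXXXX1111 status=ok",
]

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out ordinary digit runs such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Render a PAN unreadable: every digit except the last `keep_last` becomes X.
    Separators are dropped so the stored form is one opaque string."""
    digits = re.sub(r"\D", "", pan)
    return "X" * (len(digits) - keep_last) + digits[-keep_last:]

def redact_pans(line: str) -> tuple[str, int]:
    """Replace each Luhn-valid PAN in a log line with its masked form.
    Returns the cleaned line and how many PANs were found."""
    found = 0
    def repl(match: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):     # not a card number, leave it untouched
            return match.group(0)
        found += 1
        return mask_pan(digits)
    return PAN_RE.sub(repl, line), found

def scan_log(lines: list[str]) -> tuple[list[str], int]:
    """Redact a whole log; the count tells you how many unmasked PANs leaked."""
    cleaned, total = [], 0
    for line in lines:
        out, n = redact_pans(line)
        cleaned.append(out)
        total += n
    return cleaned, total

if __name__ == "__main__":
    cleaned, leaks = scan_log(SAMPLE_LOG)
    print(f"unmasked PANs found: {leaks}")
    print("\n".join(cleaned))
```

A non-zero count on a production log is a finding to act on: the PAN should never have reached the log in the first place, so fix the writer as well as the stored file.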
Safeguarding data during transmission is key to protecting payment information, like cardholder data. When this information is transmitted over open networks, it can become more vulnerable to security issues.
Transmit cardholder data using secure transmission protocols and practices including:
The recommended method to handle cardholder data is to tokenize the data instead of storing it. Tokenize the card with a specific payment processing provider and store the token, card type, and encrypted expiration date. You can use the token as a credential on file for future use, because it is unique to each merchant. Since the token is unique, if there is a security issue, the token is invalidated, which helps to prevent fraudulent activity.
If you are looking for recommended payment solutions by Adobe, consider Adobe Payment Services.