Security and Compliance
Security is of the utmost concern in Payment Services and no private or Payment Card Industry (PCI) regulated information is passed across your Payment Services.
Commerce security
Adobe Commerce and Magento Open Source include support for several security features.
See Security in the core user guide to review security best practices, and learn how to manage Admin sessions and credentials, implement CAPTCHA, and manage website restrictions.
PCI compliance
The Payment Card Industry (PCI) established a set of requirements for businesses that accept payment by credit card over the Internet. In addition to maintaining a secure environment, merchants who handle customer credit card information are responsible for meeting some standard guidelines.
See PCI Compliance Guidelines for more information.
Merchants can complete a self-assessment questionnaire (SAQ), which is a self-validation tool to assess security for cardholder data.
Credit Card Fields
With Credit Card Fields, no PCI-regulated data is passed across your services. You don’t have to store or maintain that data, which vastly reduces PCI compliance concerns.
3DS
PCI 3-D Secure (3DS) enables buyer authentication with their credit card issuer when making online credit card purchases. This additional layer of security helps prevent online fraud and is required as part of European Union (EU) compliance regulations.
Payment Services provides 3DS functionality to enable merchants to comply with EU regulations and to protect customers and merchants from fraudulent activity in their stores.
If you are a merchant within the EU or Britain where 3DS compliance is required, you must manually turn on 3DS (it is Off by default) in Settings.
IMPORTANTOrders placed for the buyer by the merchant/store personnel are not configured with 3DS compliance measures.
Card vaulting
When a shopper vaults—or “saves”—their credit card information for future purchases in your stores, minimal credit card information is shared with the shopper (last four digits, card expiration date, and brand of card). Credit card information is stored with the payment provider. When a card expires, or they no longer need the information saved, they can delete that token so that the information is no longer stored by the payment provider.
See Credit card vaulting for more information.
PayPal payment buttons
With PayPal payment buttons, no PCI-regulated data is passed across your services. You don’t have to store or maintain that data, which vastly reduces PCI compliance concerns.
For security reasons, PayPal does not pass the billing address during checkout—country, email, and name is the only billing information used. You can optionally enable your site’s PayPal checkout to return the complete billing address by contacting PayPal and completing a vetting process.
PayPal also has integrated fraud protection that uses machine learning to help you fight fraud. See PayPal’s Seller Protection documentation for more information.
Fraud protection
You can enable automated fraud protection for Payment Services with the Signifyd extension. See Signifyd fraud protection for more information.
PayPal provides other options for fraud protection in their developer documentation:
- See Fraud protection advanced for more information.
- See Chargeback protection for more information.
