Documentation Commerce Payment Services Guide

Security and Compliance

Last update: Mon Feb 24 2025 00:00:00 GMT+0000 (Coordinated Universal Time)

CREATED FOR:

Admin
Leader
User

Security is of the utmost concern in Payment Services and no private or Payment Card Industry (PCI) regulated information is passed across your Payment Services.

Commerce security

Adobe Commerce and Magento Open Source include support for several security features.

See Security in the core user guide to review security best practices, and learn how to manage Admin sessions and credentials, implement CAPTCHA, and manage website restrictions.

PCI compliance

The Payment Card Industry (PCI) established a set of requirements for businesses that accept payment by credit card over the Internet. In addition to maintaining a secure environment, merchants who handle customer credit card information are responsible for meeting some standard guidelines.

See PCI Compliance Guidelines for more information.

Merchants can complete a self-assessment questionnaire (SAQ), which is a self-validation tool to assess security for cardholder data.

Credit Card Fields

With Credit Card Fields, no PCI-regulated data is passed across your services. You don’t have to store or maintain that data, which vastly reduces PCI compliance concerns.

3DS

PCI 3-D Secure (3DS) enables buyer authentication with their credit card issuer when making online credit card purchases. This additional layer of security helps prevent online fraud and is required as part of European Union (EU) compliance regulations.

Payment Services provides 3DS functionality to enable merchants to comply with EU regulations and to protect customers and merchants from fraudulent activity in their stores.

If you are a merchant within the EU or Britain where 3DS compliance is required, you must manually turn on 3DS (it is Off by default) in Settings.

IMPORTANT

The 3DS requirement applies to transactions where the business and cardholder’s bank are located in the European Economic Area (EEA) and Britain. United States merchants do not require 3DS, but can enable it for their transactions if desired.

Orders placed for the buyer by the merchant/store personnel are not configured with 3DS compliance measures.

Card vaulting

When a shopper vaults—or “saves”—their credit card information for future purchases in your stores, minimal credit card information is shared with the shopper (last four digits, card expiration date, and brand of card). Credit card information is stored with the payment provider. When a card expires, or they no longer need the information saved, they can delete that token so that the information is no longer stored by the payment provider.

See Credit card vaulting for more information.

PayPal payment buttons

With PayPal payment buttons, no PCI-regulated data is passed across your services. You don’t have to store or maintain that data, which vastly reduces PCI compliance concerns.

For security reasons, PayPal does not pass the billing address during checkout—country, email, and name is the only billing information used. You can optionally enable your site’s PayPal checkout to return the complete billing address by contacting PayPal and completing a vetting process.

PayPal also has integrated fraud protection that uses machine learning to help you fight fraud. See PayPal’s Seller Protection documentation for more information.

Fraud protection

You can enable automated fraud protection for Payment Services with the Signifyd extension. See Signifyd fraud protection for more information.

PayPal provides other options for fraud protection in their developer documentation:

See Fraud protection advanced for more information.
See Chargeback protection for more information.

recommendation-more-help

00b8a45a-5862-4817-8e1e-074170ebb953