
PCI compliance issues for Magento running on Bluehost


I'm trying to set up an e-commerce site for a client and PCI compliance has come up. I'm having a hard time finding specific examples online...

Let's say that I am running a Magento store for a small non-profit (<5000 transactions/yr) on a standard Bluehost account with SSL. I use Authorize.Net as a payment gateway.

I do not believe that Magento stores credit card numbers in its database. Therefore, when a user submits an order, it passes through SSL to Bluehost's servers, where it is processed by Authorize.Net, then is forgotten.

Bluehost supports PCI A and B compliance on all systems... http://helpdesk.bluehost.com/index.php/kb/article/000512

Do I have any PCI concerns?

If so, any suggestions on what I can change? A different hosting service?

Thanks!

(PS: I know that redirecting the user to PayPal would solve everything, but nobody wants that)


Solution

  • If you are using the existing authnet extension, you are correct that Magento does not save the CC number (not even in the session). Obviously you should have someone do a PCI compliance review if this is a significant issue.
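The answer rests on the claim that the card number is never persisted anywhere on the host. One way to check that on your own install, as an added example that is not from the question, the answer, or Magento's code: scan log files, database dumps or session files for Luhn-valid digit runs of PAN length and report only masked matches (PCI DSS allows at most the first six and last four digits to be displayed). The sample log lines below are constructed, the log format is an assumption, and the card numbers in them are the publicly documented 4111 1111 1111 1111 and 5555 5555 5555 4444 test values.

```python
import re
from typing import Iterable, List, Tuple

# Candidate PAN: 13 to 19 digits (ISO/IEC 7812 lengths), optionally separated
# by single spaces or dashes, and not adjacent to other digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first 6 and last 4 digits, star out the rest (PCI DSS display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> List[str]:
    """Return masked PANs found in one line; only Luhn-valid candidates count."""
    found = []
    for m in _CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask_pan(digits))
    return found


def scan(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Scan text lines (a log, a DB dump, a session store) for stored PANs.

    Returns (line_number, masked_pan) pairs so the report itself never
    contains a full card number.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for masked in find_pans(line):
            hits.append((n, masked))
    return hits


# Constructed sample log lines (not from any real Magento installation);
# line 2 is the kind of debug logging that silently turns a host into
# cardholder-data storage, line 3 is a 16-digit tracking id that fails Luhn.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 order 100000042 placed, total 49.99",
    "2024-05-01 12:00:02 DEBUG authnet request: x_card_num=4111111111111111&x_exp_date=1226",
    "2024-05-01 12:00:02 DEBUG tracking 1234567890123456 assigned",
    "2024-05-01 12:00:03 saved cc_last4=1111 cc_type=VI",
    "2024-05-01 12:00:04 INFO card 5555-5555-5555-4444 declined",
]

if __name__ == "__main__":
    for line_no, masked in scan(SAMPLE_LOG):
        print(f"line {line_no}: possible PAN {masked}")
```

Point `scan()` at a real file (for example `scan(open("var/log/system.log"))` under the Magento root, or at a `mysqldump` of the store database) rather than the sample list. A hit on a log or dump means card data has been stored, which moves the host out of the SAQ A scope the question assumes regardless of what the checkout code intended; the Luhn filter keeps order and tracking numbers out of the report but a human still has to confirm each hit.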