Table of Content

Magento Payments Security - Protect Customer Data From Hacks and Avoid Fines

Magento Payments Security

Each year, the e-commerce industry grows in revenue. In 2015, . Three years later, by the end of 2018, the global online sales revenue is approaching an impressive $2.842 trillion dollars, an almost x2 increase.

magento security in payments - ecommerce revenue 2018 2019

With the rising profits, e-commerce websites become popular targets of hacker attacks. And when cybercriminals from all over the world want a slice of your pie, you know you are in trouble.

Table of Content

The Dangers of Online Transactions Inside Magento

Online stores process payments without the presence of a credit card. This fact alone for people who would like to take advantage of this online.

Hackers Use Stolen Payment Details to Buy Your Goods

Can you guess which online businesses are most vulnerable to fraudulent payment?Charities.

Hackers use them as a risk-free way to test whether the card they have can be charged or returns an error.

Online charities are at the greatest risk because they rarely challenge payments or have specialists on staff who can detect suspicious payments and decline them.

But if you are not a charity, it doesn’t mean you are safe. Small Magento stores are good targets for these fraud attempts. Hackers use them for the same reasons as a non-profit organization.

But this time they will actually buy from an unsuspecting store online. And fraud repercussions will hit you days later – usually when the goods are already shipped and there’s nothing you can do.

This type of attack leaves the store owner both without the product and without the money.

Hackers Use Your Security Holes to Steal Customer Payment Details

Depending on where you get your data from, Magento owns of the e-commerce market. This makes Magento an but at the same time places Magento stores as a prime target for hacking attempts.//twitter.com/magento/status/903296250157703168Hackers will try to use every possibility to breach your security and infect the website (see this post on ). From the inside, they will attempt to steal your customers’ CC details.

Cardholder data breach will make you liable for damages. It’s not unheard of for online merchants to receive notice from Stripe and other payment processors with compensation requirements for a proven data breach.

Merchants Get Fines for СС Data Breach

magento security in payments harmful site ahead

You probably already know that Google warns users about compromised websites. Most browsers such as Google Chrome and Firefox will block users from visiting hacked websites which leads to lost sales.

But leaked CC data can lead to even more problems. For example, merchant accounts that have exceeded their fraud/chargeback monitoring program thresholds. In addition, the payment processor will apply fines to merchants who violated their security guidelines.

Based on our experience, payment processors will fine merchants depending on the damage done. A $3,000 dollar fine for 100 compromised cards will be dwarfed before a $100,000 fine for thousands of leaked CCs. Scaling fines are extremely dangerous for the business since there is no cap to how high they can get. While we are NDA-bound not to disclose any customer-sensitive data, we can say that some of our customers came to us with data breach issues that caused them hundreds of thousands of dollars in damage.

Our team helped run Magento security check (and regular as well), audit and close security holes in a lot of Magento stores, but the damage was already done. Being able to defend yourself from hacking attempts is more cost-effective than dealing with the aftermath, so make sure you read the Magento security tips below. However, in order to understand what exactly is the challenge here, we need to talk about PCI compliance.

What You Need to Know About Payment Security Standards

is the industry standard for receiving online payments in e-commerce. PCI DSS stands for Payment Card Industry Data Security Standard. This standard is applied to all online stores that handle buyer payments using CCs.Visa and MasterCard together with a few other global payment processors developed the standard to put an end to data leaks. PCI is a de-facto best practice in how e-commerce websites should process and store cardholder data – although not all payment processors use it today.

Non-PCI compliant payment methods can become a huge problem if they get hacked and you lose customer payment details because of this.

Leaked payment credentials can be used for fraudulent payments on other websites or on your own website. And both Visa and MasterCard have mechanisms in place to detect which website is leaking data since they collect and analyze fraudulent payment statistics.

How to Damage Control a Payment Data Compromise

Here are the necessary steps if you suspect or have a confirmed payment security breach:

  1. Separate your payment processing point from the rest of the website. Move your credit card processor to a stand-alone server in order to contain the threat.
  2. Close off ports that offer remote access to your processing system.
  3. Once you separate these critical services from one another it’s time to change all passwords.
  4. If you can, turn on two-factor authentication wherever possible – FTP, Remote Access, etc.
  5. Review your firewall policy to make sure all vulnerability vectors are closed off
  6. Do an internal audit of your install and try to find out what exactly happened. Reinstall Magento and its extensions to eliminate the possibility of hacked contents still on your server or use software to detect malicious changes in system files and remove them
  7. If you are absolutely positive the data leak happened, inform both the payment processor. Follow their instructions to mitigate damage
  8. Take responsibility and reach out to your customers to warn them about the incident

For a more in-depth look at the security steps, read .

Move Toward a PCI Compliant Magento Checkout

Speaking of PCI-compliant on-site payment methods, there are just not a whole lot around. Creating a proper PCI-compliant experience requires you to pass a compliance audit from a certified provider.

So in contrast to how this term gets tossed around, most of the time the systems that offer Checkout without taking the user outside of the website are not PCI compliant (unless they use an <iframe>).

Accepting CC and billing information on your own checkout page is always a compromise between convenience and security.

Default Magento has only one built-in PCI-compliant onsite payment method – Enterprise Payment Bridge. When you install additional non-compliant payment methods, you potentially expose yourself and your customers to a data breach risk.

magento security in payments magento security bridge

There are a lot of third-party PCI-compliant services that take you off-site during the payment. These are all secure and fine to use.So here’s a comparison table of one of the most popular payment solutions on the market:

PCI CompliantNon-PCI Compliant (unsafe!)
Magento Secure Payment BridgeAuthorize.net
PayPal Express CheckoutAuthorize.net Direct Post
SagePayPayPal Payment Gateway
OgonePayPal All-In-One
BraintreeSaved CC
Google Checkout 
Amazon Payment 
WePay 
2CheckOut 
Stripe Payment Gateway 

Choose your payment service with care. When in doubt – check twice or ask your payment processor directly.

Mitigate Common Attack Methods on Magento StoresLet’s take a brief look at the most popular ways your Magento store can become compromised. When an attacker studies the website, they are searching for the easiest way in. It’s always different but there are a few common vectors:

Vulnerability TypeHow to Mitigate
MySQL Injections. This is a huge one. Poorly configured MySQL and PHP are vulnerable to malicious code injections.Improperly screened MySQL input areas allow the attacker to delete, read, write, and change data in your databases.If you use your database to store payment details, your customers’ CC info will also be stolen. Injected codePatch Magento to the latest version to close off known exploits and bugs. Create and maintain backups to prevent data loss.
Check if you have the latest Magento security patches or use a third-party tool to get .Test third-party extensions for popular injections since these extensions are often less secure and offer an easy way in for any hacker (here's a fun further reading - ). is one of the most popular tools that help you find vulnerabilities semi-automatically.
Non-PCI compliant payment processors. Saved CC is your worst enemy here but other less secure payment processors can also get you in trouble.Some of them claim to be PCI compliant. Your responsibility is to check whether their claim is true.Review and change payment processors. Leave only those who are 100% PCI compliant.
Merging payment server with your Magento installThis is the same as keeping all your eggs in the same basket. One wrong move and you get a really bad mess on your hands.Keeping your payments close to your Magento install is a big no-no.
Use a secure third-party service or more your payments to a separate server.
Known holes in outdated Magento installs.Everyone has the access to Magento bug tracker. It’s open source after all. They can see every bug, every security hole that gets published.Upgrade to the newest Magento version as soon as you can. Make it a strong commitment to install Magento security patches and upgrade to the most recent versions at the nearest opportunity.
Hackers rely on your negligence. Don’t make their work easier.
Security vulnerabilities in third-party extensions. Magento Marketplace alone 2,564 extensions for Magento 2 and 1,868 for Magento 1.This statistics does not include any extensions that you can buy from third-party developers outside the Marketplace.Third-party plugins from MySQL injections and other exploits.
Be vigilant about what you install on your website. Try to limit your extensions to only those you absolutely can’t live without.
Make sure you update existing extensions to the latest version.
XSS vulnerabilities. Both client-side and server-side, these security holes put at risk both your store and your customers’ data.XSS vulnerabilities are often found in third-party extensions when developers don’t meticulously test againt hacking attacks. will eliminate the risk of XSS attacks from native Magento vulnerabilities. However, third-party extensions are harder to secure.
The best way to eliminate third-party extensions as the weak spot for XSS attacks is to test them yourself. This is of course not an optimal solution when you have dozens of them on your website.
So it would be a good idea to keep your extensions to a minimum. Fewer extensions will also mean faster website, better stability and reliability of your Magento store.
Human error and social engineering. Simple passwords, excessive permissions for minor roles, unnecessary users in the system, – all this contributes to a huge security risk.
  • Restrict all roles to the strictly need-to-know basis
  • Use complex passwords and don’t post or store them in plain text anywhere
  • Remove Admin Panel access from users who don’t need it
  • Create a whitelist of IPs that are allowed to log in into Magento Admin Panel
  • Disable account APIs of Magento admins who have been inactive for a while

Protect Your Magento Store From Payment Data Leaks

Keeping your Magento store safe is an ongoing effort. Switching to PCI compliant payment processors is the most important step towards a safe store. In terms of priorities, it’s vital that you secure your customers’ data first to avoid both PR damages and financial repercussions.

Both MasterCard and Visa have in place fraud- and chargeback monitoring programs that apply fines to merchants who surpass a certain % of “bad” transactions. In addition, merchants are liable to fines if customers’ payment data gets leaked because of their fault.

And we can help you with that. Our team audited and secured multiple Magento stores that had issues with payment data leaks which resulted in fines from payment processors. Onilab closed off possible attack vectors and made these stores more secure and robust against future hacking attempts. Get in touch with Onilab and our Magento security experts will run a Magento security scan to identify possible issues with your online store.

Related Articles

PayPal Blocks Merchant Accounts Due to Magento Carding Vulnerability
Alex Husar
Alex Husar, Onilab CTO

PayPal Blocks Merchant Accounts Due to Magento Carding Vulnerability

7 min
Apr 9, 2019
Magento 2 Security Guide: An Actionable Checklist (Updated for 2024)
Alex Husar
Alex Husar, Onilab CTO

Magento 2 Security Guide: An Actionable Checklist (Updated for 2024)

13 min
Feb 18, 2019
Magento Hosting Guide: Choosing the Best Provider in 2024
Alex Husar
Alex Husar, Onilab CTO

Magento Hosting Guide: Choosing the Best Provider in 2024

14 min
Jan 14, 2019

Let’s stay in touch

Subscribe to our newsletter to receive the latest news and updates.