Payment security is not optional — it is a legal obligation and a business necessity. A single data breach can result in fines, chargebacks, and permanent loss of customer trust. The good news is that modern payment solutions handle most of the heavy lifting, but store owners still need to understand the landscape.

PCI DSS: What It Means for You

The Payment Card Industry Data Security Standard (PCI DSS) applies to every business that processes, stores, or transmits credit card data. There are four compliance levels based on transaction volume, but the requirements apply to everyone.

The Simplest Path to Compliance

The easiest way to minimize your PCI scope is to never touch card data. Use a payment gateway with hosted payment fields or redirect checkout:

  • Stripe Elements / Checkout — card data is entered in an iframe hosted by Stripe. Your server never sees the card number.
  • PayPal — redirects to PayPal for payment. Zero card data on your server.
  • Mollie — hosted payment page for all supported methods.
  • Adyen Drop-in — embedded component that handles card data client-side.

With hosted payment fields, you only need to complete SAQ A (the simplest self-assessment questionnaire) — about 20 yes/no questions instead of the full 300+ item SAQ D.

3D Secure 2.0

3D Secure (3DS) adds an authentication step to online card payments. Version 2.0 (3DS2) is a major improvement over the original:

  • Frictionless flow — most transactions are authenticated silently using device fingerprinting and risk analysis. No popup or redirect needed.
  • Challenge flow — high-risk transactions still show an authentication screen (SMS code, biometric, app approval).
  • Liability shift — when 3DS is used, liability for fraud-related chargebacks shifts from the merchant to the card issuer.
  • SCA compliance — 3DS2 satisfies the EU's Strong Customer Authentication (SCA) requirement under PSD2.

Most modern payment modules for PrestaShop support 3DS2 out of the box. Ensure your module is updated to the latest version.

Fraud Prevention Measures

Address Verification (AVS)

AVS checks the billing address provided by the customer against the address on file with the card issuer. Enable it in your payment gateway settings — it catches a significant portion of fraudulent transactions.

Velocity Checks

Monitor for suspicious patterns:

  • Multiple failed payment attempts from the same IP
  • Several orders to different addresses using the same card
  • Unusually large orders from new customers
  • Orders where billing and shipping countries differ
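
The four patterns above, implemented as a single rule pass over payment-attempt records. This is an added example, not code from the article or from any PrestaShop module; the record fields (`ip`, `card` token, `status`, `prior_orders`, shipping/billing countries) and the thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample payment attempts: tokenised card references, not real card numbers.
EVENTS = [
    {"id": 1, "ts": "2024-05-01T10:00:00", "ip": "203.0.113.7", "card": "tok_A", "status": "failed",
     "amount": 40.0, "prior_orders": 3, "bill_country": "FR", "ship_country": "FR", "ship_addr": "1 rue A"},
    {"id": 2, "ts": "2024-05-01T10:02:00", "ip": "203.0.113.7", "card": "tok_B", "status": "failed",
     "amount": 40.0, "prior_orders": 3, "bill_country": "FR", "ship_country": "FR", "ship_addr": "1 rue A"},
    {"id": 3, "ts": "2024-05-01T10:05:00", "ip": "203.0.113.7", "card": "tok_C", "status": "failed",
     "amount": 40.0, "prior_orders": 3, "bill_country": "FR", "ship_country": "FR", "ship_addr": "1 rue A"},
    {"id": 4, "ts": "2024-05-01T11:00:00", "ip": "198.51.100.2", "card": "tok_D", "status": "ok",
     "amount": 120.0, "prior_orders": 0, "bill_country": "DE", "ship_country": "DE", "ship_addr": "2 Weg"},
    {"id": 5, "ts": "2024-05-01T11:10:00", "ip": "198.51.100.3", "card": "tok_D", "status": "ok",
     "amount": 130.0, "prior_orders": 0, "bill_country": "DE", "ship_country": "DE", "ship_addr": "3 Weg"},
    {"id": 6, "ts": "2024-05-01T11:20:00", "ip": "198.51.100.4", "card": "tok_D", "status": "ok",
     "amount": 900.0, "prior_orders": 0, "bill_country": "DE", "ship_country": "RO", "ship_addr": "4 Str"},
]


def flag_orders(events, window=timedelta(minutes=10), max_failures=3,
                max_addresses=3, big_amount=500.0):
    """Return {event id: [rule names]} for every attempt that trips a velocity rule.

    Thresholds are assumed values; tune them to the store's real order mix.
    """
    flags = defaultdict(list)
    failures_by_ip = defaultdict(list)    # ip -> timestamps of failed attempts in the window
    addresses_by_card = defaultdict(set)  # card token -> distinct shipping addresses seen
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["status"] == "failed":
            # Sliding window: keep only failures from this IP that are still recent.
            recent = [t for t in failures_by_ip[e["ip"]] if ts - t <= window] + [ts]
            failures_by_ip[e["ip"]] = recent
            if len(recent) >= max_failures:
                flags[e["id"]].append("failed_attempts_same_ip")
        addresses_by_card[e["card"]].add(e["ship_addr"])
        if len(addresses_by_card[e["card"]]) >= max_addresses:
            flags[e["id"]].append("same_card_many_addresses")
        if e["prior_orders"] == 0 and e["amount"] >= big_amount:
            flags[e["id"]].append("large_order_new_customer")
        if e["bill_country"] != e["ship_country"]:
            flags[e["id"]].append("country_mismatch")
    return dict(flags)


if __name__ == "__main__":
    for order_id, rules in flag_orders(EVENTS).items():
        print(f"order {order_id}: review ({', '.join(rules)})")
```

A flagged order should go to manual review or a 3DS challenge rather than being rejected outright, since legitimate customers do occasionally mistype a card or ship a gift abroad.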

Device Fingerprinting

Services like Signifyd, Riskified, or your payment gateway's built-in fraud tools analyze the customer's device characteristics to assess risk. This catches fraudsters using stolen card data more effectively than address checks alone.

PrestaShop-Specific Security

  • Keep PrestaShop updated — security patches are released regularly
  • SSL/TLS everywhere — enforce HTTPS on all pages, not just checkout
  • Admin security — rename the admin directory, use strong passwords, enable two-factor authentication
  • File permissions — set correct permissions (644 for files, 755 for directories, no 777 anywhere)
  • Module vetting — only install modules from the official marketplace or trusted developers. Malicious modules are the most common attack vector.

Incident Response

Despite all precautions, have a plan for when something goes wrong:

  1. How will you detect a breach? (monitoring, alerts, customer reports)
  2. Who do you contact? (payment processor, hosting provider, legal counsel)
  3. How do you communicate with affected customers?
  4. What is your evidence preservation process?

Payment security is an ongoing process, not a one-time setup. Review your security posture quarterly, keep all software updated, and treat every piece of customer financial data as if your business depends on it — because it does.

David Miller

Over a decade of hands-on PrestaShop expertise. David builds high-performance e-commerce modules focused on SEO, checkout optimization, and store management. Passionate about clean code and...
