Drupal & PCI Compliance

It's possible that transactions completed over Drupal, while secure, may be lacking in PCI compliance. The popular modules for Drupal e-commerce - Drupal Commerce and Ubercart - are simply not compliant out-of-the-box. As the number of installations continues to grow, important questions arise as to how to address this lingering concern.

What is PCI Compliance?

Payment Card Industry compliance is a worldwide information security standard. The standard comprises 12 specific requirements grouped under 6 goals. The name is slightly misleading, since it has more to do with security than with compliance as such: the requirements cover matters like protecting cardholder data and monitoring networks.

Although Ubercart and Drupal Commerce both encrypt data to the best of their ability, they are still susceptible to user error during initial setup and maintenance.

Why is it important to Drupal?

The proliferation of Drupal as a top business solution is undeniable. Across the top ten website industry distributions, Drupal powers 22% of businesses in the top 100,000 websites.

Usage of both Drupal Commerce and Ubercart has skyrocketed. When goods and services are being exchanged rapidly and securely, everyone is pleased. On the other hand, any breach in this system invites heavy and dangerous consequences.

Compromising Payment Data

If customer data is exposed and/or stolen due to a lack of encryption, the circumstances change. PCI compliance is becoming a legitimate concern, as liability lapses on the merchant end can be devastating.

According to Rick Manelius, who has been active in the movement toward PCI compliance for Drupal, fines for security breaches can reach the “6-7 figure range”. To boot, failure to protect consumer information can really stunt business growth and permanently taint consumer trust. The result is a PR nightmare that will take months, if not years, to untangle; all the while, precious time and resources are being allocated for audits.

Proposed Solutions

Clearly, PCI compliance is an important consideration as we move towards a new era of Drupal e-commerce solutions. A few solutions do exist, but mainstream usage is spotty at best. The intention here is to raise awareness of PCI compliance and how it relates to Drupal e-commerce:

Redirection to External Payment Site: A method already in practice for some sites, this approach hands payment data off to an external website. Site owners can wash their hands of liability, while a provider such as PayPal or Authorize.net handles the rest. Still, redirection's downside is that it disrupts upsell and cross-sell opportunities by taking the visitor away from the website. For third-party developers and agencies, it is likewise a difficult proposition to put to clients who want visitors to stay on-site throughout the transaction.

Another issue is the shared hosting environment on which the site lives. Other considerations in the mix include keeping Drupal security updates current, enabling HTTPS, and installing SSL certificates.

Tokenized Payment Gateways: By taking this route, credit card data is handled through the gateway's JavaScript API. Once a user submits their card data, the gateway validates it and returns a one-time token to the user's browser. The only element that touches the site's server is that token, which stands in for the user's card information; the server passes the token back to the payment gateway to complete the transaction, and the user never leaves the site.

Demand from clients for PCI compliant solutions will certainly make or break the adoption of Drupal for this sector. Add it to the list of growing pains in the online shopping and e-commerce trend, including the U.S. Senate's recent passage of an online sales tax bill.

PCI compliance for Drupal will only grow in importance as large companies enter the Drupal e-commerce marketplace. Likewise, service providers should expect clients to question Drupal's compliance with PCI standards, and be able to provide detailed answers. New versions of the PCI standards are slated to be released within a year, creating a clearer framework for securing payments.

The Drupal community is collaboratively working towards definitive PCI compliance resources, additions, and methodologies. As Drupal for enterprise usage increases, alongside Drupal 8 development, it is likely that Drupal will rise to the occasion.