
drupalpcicompliance's Introduction

Drupal PCI Compliance White Paper

Visit the official Drupal PCI Compliance website here.

Download

Download the Latest Version in PDF

Alternatively, you can download, clone, or fork the project to get access to the markdown and HTML versions of this report.

Motivation

This was part of the original proposal for this paper. It has been slightly modified to correct for things like tense, updated statistics, etc.

Drupal.org reports 73,000+ active Ubercart and Drupal Commerce installations. With such a large and active portion of our community involved in eCommerce, one would expect an equal amount of effort and resources to be applied toward helping these websites achieve the mandatory security standards set forth by the Payment Card Industry (PCI).

Unfortunately, a definitive guide or comprehensive resources simply didn't exist. Instead, there were just a handful of articles, forum threads, and videos; most of these resources were fragmented, outdated, and riddled with inaccurate information. Worse yet, Google was reporting that there were only 100-200 keyword searches a month for “Drupal PCI compliance” and other variations. This was extremely low considering that PCI compliance typically takes months of time and resources to both research and implement.

Failing to become PCI compliant exposes businesses to legal and financial liabilities. It can also expose Drupal to PR issues, where a breach in security can easily lead to “Drupal is insecure” thinking. This should be a huge concern for the Drupal community as a whole, which prides itself on having a strong focus on security as well as on being one of the world’s most secure open source CMSs.

The goal of this document is to help address the issues listed above and help everyone in the community with an eCommerce website understand and fulfill their PCI compliance obligations.

Why we chose GitHub Flavored Markdown for the source document

We wanted to make this document available in as many formats as possible to accommodate every possible audience and use case. Drupal modules may wish to include the GitHub repo, markdown file, and/or HTML output for ease of use within a Drupal installation. Drupal evaluators may want a print copy that can be read or handed out.

By starting with GitHub Flavored Markdown, we can easily convert this document into HTML and PDF as needed. Also, markdown makes it easier to manage changes as this document evolves because issues can be filed on GitHub and the git repo can store a full history of all the changes.

Errata

If you have discovered an error, have a suggestion, and/or want to provide constructive feedback on how to make this document better, please file an issue on the GitHub project page.

drupalpcicompliance's People

Contributors

arknoll, ericski, greggles, mlhess, rcross, rickmanelius, waffle-iron
