Version 3.0 of the PCI compliance standard becomes mandatory on January 1st, 2015 and will be a complete game changer for most Drupal eCommerce sites.Are you ready to meet the challenge?
For those wanting to dive right in, simply click this link to download the white paper.
Matt Kleve was spot on in his DrupalCon Denver 2013 presentation title PCI: a Four-Letter Word of eCommerce. Whenever I present on or discuss the subject matter with other members of the community, there is usually some level of disdain for the payment card industry (PCI) for creating the data security standard (DSS) that we all commonly know as PCI compliance. The complaints are many:
- It's too confusing.
- It's too difficult.
- It's too expensive to deal with.
- It's security theater.
- It doesn't guarantee you'll never get hacked.
Once everyone has finished airing their grievances, there is always the unspoken question that you can see on everyone's face… Can't we just ignore this little nuisance of a requirement and get back to processing credit card transactions?
The reality is that we cannot pretend PCI compliance doesn't exist. The growth of the eCommerce market can only continue as long as users trust the process, and that can only happen if the end-to-end process remains secure. Oh—and any merchant agreement you sign will stipulate PCI compliance as a requirement (make sure to read all that fine print!). Therefore, if you want to accept credit or debit cards payments online (even through 3rd party) then you really have no other choice. Compliance is mandatory.
That's the bad news. The good news is that understanding where and how to get started for a Drupal site is much easier as a result of the Drupal PCI Compliance White Paper that was initially published a year ago (and a HUGE thanks to the many sponsors that helped make that happen). It's readable within an hour and can help everyone involved on a Drupal project make informed decisions and reduce their risk as much as possible.
The Standard Gets Stronger
As the volume of eCommerce transactions continues to grows, it becomes even more important to protect every component in the entire system handling the transaction. After all, a single point of failure was responsible for Target debacle, where the credit card records of 40+ million customers were compromised. This resulted in a huge financial loss for the company as well as a PR nightmare to deal with.
To minimize these types of attacks from growing in size and frequency, the security standard must keep up. The latest update to the PCC-DSS (version 3.0) was published in November, 2013 and will become mandatory of all eCommerce sites on January 1st, 2015.
What PCI-DSS 3.0 Means for Drupal
It's hard to understate the impact this will have on the Drupal community. In version 1.0 of the standard, there was a there was a very easy way out. Simply redirect the user to a hosted payment page on PayPal or Authorize.Net and you could outsource almost all of your responsibilities. This became the goto solution for many budget conscious eCommerce websites.
Version 2.0 of the standard introduced a gray area. The PCI council created a supplemental guide that stated the hosted payment pages, direct post, and iframe solutions all had vulnerabilities. Despite disclosing these attack vectors, the PCI council didn't directly come out and state that they must now meet a larger set of security controls. This didn't stop certain vendors (notably Braintree) from promising compliance within 15 minutes. The dilemma for someone interpreting version 2.0 of the standard was obvious: if there were ways to break in and steal cards, wouldn't that require one to fully lock down the LAMP stack and Drupal application layer? This gray area only led to additional confusion among the Drupal community, who (as a whole) simply opted for the easy route interpretation of the standard.
Version 3.0 ended the confusion entirely. Now hosted payment pages and direct post solutions fall into a new category (SAQ A-EP), which includes over 139 security controls that cover everything from anti-virus to password policy requirements. What used to be trivial (SAQ A) for most websites to achieve has become very challenging. No longer are shared hosting solutions viable. No longer can a website lag behind on updating Drupal core and contrib modules when security updates are available. No longer is it acceptable to enable php filter, allow authenticated users to use the full HTML filter, or manage a site through a shared FTP login.
In short, this is a big damn deal for the Drupal eCommerce community. Without readily available "turnkey" solutions (such as PCI Level 1 managed hosting), many smaller eCommerce sites may not be able to meet the requirements and may be forced to seek non-Drupal based alternatives. In fact, the cost of achieving and maintaining SAQ A-EP could easily fall within the $10,000-$100,000 price range, which is likely to exceed the entire budget of most Drupal eCommerce sites!
Covering all the ins and outs of PCI compliance is difficult to do in a single blog post (trust me, I tried with the excessively long article titled Let's Talk About PCI Compliance for Ubercart and Drupal Commerce. Therefore, I'll close with this final recommendation (or plea): if you build, maintain, operate, or own an eCommerce website, then you should absolutely read the new version of the Drupal PCI Compliance White Paper. And if you have any comments, questions, or concerns, please submit an issue in the github issue queue.