
Drupal PCI Compliance White Paper


Authors:


v1.2


August 25th, 2014


Updated to PCI-DSS 3.0


Introduction


This document provides a high-level overview of Payment Card Industry Data Security Standard (PCI DSS) compliance specifically for Drupal eCommerce solutions. The intended audiences include: Drupal developers; companies providing Drupal products, services, and hosting; and businesses evaluating Drupal as part of their eCommerce solution. The goals of this document are to emphasize the importance of PCI compliance, to summarize the options available for becoming and remaining compliant, and to provide clear next steps and additional resources.


Executive Summary


eCommerce volume continues to grow by double-digit percentages each year [1] as more and more businesses supplement their existing revenue models and/or create new streams [2, 3]. Simultaneously, Drupal saw a 21% rise in the number of reported eCommerce installations in 2013 across its very large installation base [4].


Drupal is an attractive eCommerce platform for many reasons: its Open Source licensing eliminates one-time and recurring costs to own and use it, it is extremely modular and flexible, and it has a large, passionate, worldwide community that is continually contributing to and growing the platform. The Drupal community also makes a concerted effort to ensure the platform is secure. There is a security team, weekly security advisories, venues to discuss security best practices, a collection of tools to help detect security vulnerabilities, and many other security-focused strengths. The result is that Drupal is one of the most secure content management and eCommerce solutions available to merchants today.


However, while it is possible to make a Drupal-based eCommerce environment PCI DSS compliant through proper planning, usage, maintenance, and management, the mere use of Drupal by itself IS NOT sufficient to ensure the level of security necessary to become compliant. First, it’s possible to make Drupal insecure through the use of inappropriate configurations and site mismanagement. Second, Drupal is only a single component of the cardholder data environment (CDE). Hosting servers, networks, and other factors play a significant role in securing the entire end-to-end process.


How and where the credit card data is processed, transmitted, and stored determines the size, complexity, and risk associated with the cardholder data environment, which directly impacts the time, resources, and expertise required to achieve and maintain compliance. Whenever possible, wholly-outsourced and shared-management implementations can make it easier to complete this process. Merchant-managed solutions are the most cost prohibitive for all but enterprise level companies, and should be avoided unless the business needs require them.


Regardless of the selected approach, it’s always necessary to adhere to the complete PCI DSS standard, because a single exploit can undermine a company's PCI compliance and open the company up to the associated financial and legal liabilities if that exploit were to result in a breach. Finally, the standard is becoming more stringent with each new version; therefore, what is optional today is likely to become a requirement in the near future.


Definitions


The following terms are used extensively throughout this document and are provided here for convenience.


A full list of definitions can be found in the PCI document titled Glossary of Terms, Abbreviations, and Acronyms [5].


Why Does PCI Compliance Matter for Drupal?


PCI compliance is important for the industry as a whole as well as companies specifically using Drupal as part of their eCommerce solution. Here are several key areas to underscore the recommendation and requirement to adhere to PCI compliance.


Trust


Online credit card transactions have become so common and accepted in our society that it's easy to forget what is at stake. When a thief goes after physical credit cards, the financial loss to a financial institution or merchant is limited in size and quantity because each card has to be stolen one at a time. However, in the case of electronic payments, a single computer hacker can potentially breach multiple websites with the same exploit and steal hundreds, thousands, or even millions of credit cards. The financial loss to a financial institution and the number of people affected by a website compromise can be staggering.


While these scenarios do in fact happen, their frequency is far outweighed by the volume of transactions that are handled securely. This is in part because of the set of security standards set forth by the Payment Card Industry. When properly applied, the risk level for transactions goes down significantly, which leads to more consumer trust in merchants and in the process, and the industry as a whole can continue to expand. However, if this trust is broken, consumers will lose confidence and seek other merchants and means of payment.


Privilege


A merchant's ability to accept credit card payments is a privilege, not a right. The Payment Card Industry has established a system of payment that is convenient for consumers and business owners. It is their system and they get to set the requirements. Anyone accepting online payments must sign a contract and/or accept a terms of use agreement that explicitly states the merchant's responsibility to adhere to these requirements (unfortunately this isn't always emphasized in the sign-up process, so be sure to read through the fine print). If a merchant fails to adhere to these requirements, their ability to accept credit cards as a form of payment can be suspended.


Distributed Components


Every component between a customer’s browser window and the payment processor makes up the Cardholder Data Environment (CDE). If one only focuses on securing a single component, the weakest link in the chain can be the source of an exploit. Therefore it’s not enough to simply secure Drupal. The PCI standard provides guidance on how to make sure all components are secured.


Author's Note: It's important to note that ALL systems connected to the same network that's behind the same stateful firewall as the eCommerce server are also considered part of the CDE. Therefore, a common strategy is to segment the network such that only the eCommerce relevant components are together in a carefully protected network, thus reducing the overall scope for PCI DSS compliance.


Distributed Companies


It’s not common for one company to control the entire end-to-end process of handling a credit card transaction. Therefore, it’s important to know exactly how these companies distribute the responsibility as well as liability for ensuring this process is secure.


Financial


If you ever face a security breach and credit card information is stolen, having a proven record of your PCI compliance can protect you from the financial penalties (ranging from $25 to $215 per compromised card [6]). Major corporations, such as Heartland Payment Systems, have faced fines as large as $12.5 million [7]. In addition to fines, your organization and brand can suffer financially due to a breach. Target Brands, Inc. attributed a portion of its 5.3% loss in sales and 46% drop in profit during the 4th quarter of 2013 to its security breach in November of that year, which resulted in 40 million compromised credit card records [8]. Small companies are equally at risk, accounting for 80% of all instances of unauthorized access [9]. And while a smaller company might have a low quantity of transactions (and therefore a smaller fine), any company that has a reported breach on its record must undergo mandatory Report On Compliance audits, which alone can cost tens of thousands of dollars.


Public Relations


Beyond the financial burden of dealing with a breach, the loss of trust in a company's website, business, and brand can be staggering. The Sony PlayStation breach put more than 77 million credit card numbers at risk [10]. The ramifications of alerting a user base and requiring that many users to change their cards and/or put a freeze on their credit cards can quickly lose current and future customers. These disruptions can also impact customers' credit scores if they unknowingly overdraft or miss a payment they were not expecting.


Summary


While developers and businesses may see this standard as a nuisance, it’s important to realize that these standards allow the industry as a whole to provide the level of security and trust necessary to keep it growing. The PCI DSS should be considered a baseline, minimal level of security for sites handling sensitive information; your site very well may need security controls that exceed this standard. Also, adhering to the standards helps ensure protection for the business (legal, PR, and financial), as well as for your customers (legal, financial).


The Standard Itself


Note: This paper specifically excludes PA-DSS because Drupal is Open Source Software and (whether right or wrong) falls outside the PA-DSS standard.


The PCI-DSS standard covers 12 requirements across 5 overarching categories [11]. Rather than restate what is already provided in the materials from the PCI council, the focus here is to specifically identify why each requirement directly affects the security of Drupal within the context of a complete CDE.


Requirement 1. Install and Maintain a Firewall


The integrity of a Drupal code base can only be maintained if access to the server is restricted and protected by a stateful firewall. A lax or nonexistent firewall policy provides more ways for an attacker to find a vulnerability, gain access to the server, and modify the code on the system, which opens the door for harvesting credit card numbers.


Requirement 2. Do Not Use Vendor Supplied Default Passwords


This should be obvious, but any component of your system that has a known default password can be vulnerable if it’s not reset immediately. A Drupal specific example is the Commerce Kickstart installation profile. By default, it sets the main administrator username and password to “admin.” This should only be used for testing/evaluation purposes and should never be used for a live site.


Requirement 3. Protect Stored Data


Ideally, credit cards are not being stored on a Drupal website at all. If they are stored, they must be encrypted (e.g. using a hardware security module or an encryption key management solution) in such a manner that anyone with access to the database, server, or network cannot decode the information in a manner that is not intended. Achieving this is non-trivial and should only be attempted after gaining close familiarity with the PCI SAQ D standard (see the section Self-Assessment Questionnaire for definitions of the SAQ validation types).


Requirement 4. Encrypt transmission of cardholder data across open, public networks


The data leaving the Drupal application travels through many routers and networks on the way to the payment processor. Unencrypted data would allow any component along that path to copy cardholder data and other sensitive information. Therefore, encryption with a trusted SSL certificate is a requirement.


Requirement 5. Use and regularly update anti-virus software or programs


If malware is installed on a server running Drupal, it can be difficult or impossible to verify the integrity of the codebase, which opens the door for access to credit card data.


Requirement 6. Develop and maintain secure systems and applications


It’s simply not enough to “set it and forget it” when it comes to the components of the CDE. A single discovered vulnerability at the network, server, and/or Drupal application layer has the potential for exploitation. Drupal security advisories are posted every Wednesday and should be watched regularly for any updates affecting Drupal core and/or contributed modules a site is using. Likewise, critical operating system and support software (Apache, PHP, MySQL, and other server software) patches must be applied within 30 days of release.


Requirement 7. Restrict access to cardholder data by business need-to-know


This requirement impacts not only application design, but also account and server management. For example, the server that houses your eCommerce site should not be used as a place where anyone can connect via FTP using a shared password and upload photos from the company picnic. Any one of those individuals’ machines could be used to gain unauthorized access to the CDE code base and/or the card data itself.


Requirement 8. Assign a unique ID to each person with computer access


Sharing usernames and passwords makes it impossible to attribute the actions recorded in logs to an individual user. It also generally leads to other bad practices, such as creating weak passwords and sharing them over insecure channels like email. Never share your “user 1” or root login information between staff.


Requirement 9. Restrict physical access to cardholder data


Similar to Requirement 1, access to the server must be protected at all times. If a person without proper clearance can physically access a server, they can potentially gain root/administrator access and compromise the database and Drupal application layer. If you outsource hosting, ensure the provider is PCI DSS compliant.


Requirement 10. Track and monitor all access to network resources and cardholder data


Audit trails are critical for identifying changes in the system because a single code or configuration alteration can open up a security vulnerability. Having the ability to identify exactly what changed and who changed it is very important for verifying the integrity of a system.


Requirement 11. Regularly test security systems and processes


It’s not enough to have a system that works in theory. Periodic vulnerability scans and full penetration tests are necessary to prove that the system responds as expected. These tests have to be run regularly (at least quarterly) and are ideally run whenever there is a configuration or code change that could introduce a new vulnerability. Ensure you are using an officially Approved Scanning Vendor (ASV) as listed on the PCI site [12].


Requirement 12. Maintain a policy that addresses information security for all personnel


All the hardware testing, security scans, and audits in the world will not help if people are allowed to use insecure passwords or send full credit card numbers via unencrypted channels like email. The human element is often the weakest link in the security chain. A security policy is required to ensure ALL employees know and understand what is acceptable and what is not with respect to maintaining compliance.


Self-Assessment Questionnaire


Knowing how to get started can seem overwhelming at first. Thankfully, the PCI council has provided detailed reference guides and instructions [13]. All of these materials culminate in your Self-Assessment Questionnaire. This form is essentially a checklist that you must complete and adhere to in order to obtain and maintain PCI compliance.


Your credit card processor and acquiring bank are required to ask you for annual SAQ forms; if they haven’t asked yet, they will soon!


The key is determining which SAQ you should be filling out, because they vary wildly in terms of the quantity of responsibilities and the amount of time and effort it takes to complete them. SAQ A has 14 items and usually can be completed in under a day, if not within a couple of hours. SAQ D contains between 326 and 347 items and can take months of time and millions of dollars to achieve [14]. The following section will help you make sense of these different levels and how you can select the method that balances your business needs with your ability to achieve compliance.


Determining Your Responsibilities


The quantity and difficulty of your PCI responsibilities are a result of your merchant level (which is based on the volume of transactions) and your validation type (which is based on how you’re conducting transactions).


Merchant Level


The PCI council has defined 4 levels of transaction volume (Figure 1).



Figure 1. The 4 levels of transaction volumes for the VISA card brand. Other card brands (e.g. MasterCard, American Express) have different reporting and validation requirements. Image Source: http://usa.visa.com/merchants/risk_management/cisp_merchants.html


There are a few important points to emphasize for the Visa card brand:


Validation Type


The PCI council defines 8 different validation types:



Figure 2. Breakdown of PCI-DSS version 3.0 SAQ types as a function of merchant activities.


For the purposes of a typical Drupal eCommerce site, SAQ A, A-EP, and D are the most relevant types [A, B]. It is also extremely important to understand which type the system falls into, because there is a large difference in time, effort, risk, and expense in achieving compliance.



Figure 3. Approximate PCI compliance costs per SAQ type. Factors include audits ($30,000-$100,000), time spent meeting each requirement, and more.


For many eCommerce stores, selecting a payment method that places them in type C or D can be cost prohibitive. However, achieving SAQ A or A-EP is not always possible given the available payment gateway options that can satisfy a business's feature requirements, which drives the expansion or reduction of the CDE and ultimately determines the validation type.


Drupal Specific Examples


The shopping cart selected (Drupal Commerce, Ubercart, Pay, Stripe, etc.) and the payment method within that shopping cart (hosted payment page, direct post, iframe, onsite) are usually the most significant factors in expanding or reducing the CDE, which directly impacts the SAQ type. Here are some situations that may force one into SAQ D:


Overview of Payment Methods


The PCI council defines 3 types of payment methods: Merchant-managed, Shared-management, and Wholly-outsourced.


Merchant-managed


A general guideline is that if the company’s servers store, transmit, or handle cardholder data, then it’s merchant-managed. An example would be a customer submitting a payment directly on a Drupal site using Ubercart connected to Authorize.Net, because the customer’s payment information passes through the merchant’s webserver on the way to Authorize.Net. It does not matter whether the merchant is storing the data on their servers, since a hacker could gain access to it in transit if they were able to compromise the server.


Onsite payments posted directly back to Drupal (i.e. an HTTP POST request containing the cardholder data is submitted to the Drupal application, which results in a bootstrap and the passing of the cardholder data through the form API) immediately fall into SAQ D.


Merchant-managed examples:


Shared-management


In a shared-management approach, the credit card information never touches the server that is running the Drupal application. This is generally accomplished by one of 3 approaches:


An HPP approach is one where a user is redirected from a Drupal site to a third-party site in order to enter their payment details. If the transaction is successful, the customer is redirected back to the Drupal site with the payment authorization details. Depending on the specific payment gateway's security requirements, these payment authorization details may be sent back to the payment gateway's API to further validate the payment.


Example HPP solutions:


A direct post approach is one where the customer remains on the website, but their card data is submitted directly from the customer’s browser to the payment gateway. The gateway responds directly to the customer with a one-time authentication code or "token", which Drupal then uses to immediately communicate with the payment gateway's API and validate the payment. There are two flavors of direct post: setting an HTML form's action attribute to a third-party API endpoint, or achieving the same with JavaScript.


Example direct post solutions:


An iframe approach is one where the payment details portion of the checkout form is loaded through an iframe directly from the payment processor. Similar to a direct post strategy, an iframe gives the customer the impression they are always on site while the credit card details are sent directly to the payment gateway.


Example iframe solutions:


The common denominator in all shared-management configurations is that the checkout process begins on a Drupal website (a component of the CDE) managed by the merchant, but the customer is technically sending their credit card credentials directly to the payment processor’s CDE. This occurs by redirection (HPP), by loading a payment form from the processor's servers (iframe), or by posting the form directly through JavaScript or the action attribute on an HTML form (direct post).
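The difference between an onsite form posted back to Drupal (merchant-managed, SAQ D) and a direct post that hands Drupal only a token, as an added JavaScript example that is not code from the white paper or from any Drupal or gateway module; the gateway tokenizer, field names, token format and sample card number are constructed stand-ins. It also includes the kind of PAN scan a merchant can run over request bodies reaching the Drupal server to confirm that no cardholder data is landing in the application's scope.

```javascript
// Added example (not from the white paper). Contrasts the two request shapes
// described above and adds a scope check: any Luhn-valid 13-19 digit value
// arriving at Drupal means cardholder data entered the merchant's CDE.

// Luhn (mod-10) checksum, which every real primary account number satisfies.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Scan a parsed request body for PAN-shaped values. Returns the names of the
// offending fields so a finding can be logged without logging the number.
function findPanFields(body) {
  const hits = [];
  for (const [name, value] of Object.entries(body)) {
    const digits = String(value).replace(/[\s-]/g, "");
    if (/^\d{13,19}$/.test(digits) && luhnValid(digits)) hits.push(name);
  }
  return hits;
}

// Constructed stand-in for a gateway's tokenization endpoint. A real gateway
// returns an opaque token; this derives one deterministically so the example
// runs offline. Only the last four digits survive the call.
function gatewayTokenize(card) {
  const digits = card.number.replace(/[\s-]/g, "");
  if (!luhnValid(digits)) throw new Error("gateway rejected card number");
  let h = 0;
  for (const c of digits + card.expiry) h = (h * 31 + c.charCodeAt(0)) >>> 0;
  return { token: "tok_" + h.toString(16), last4: digits.slice(-4) };
}

// Onsite checkout: the body Drupal's form API would receive. Field names are
// hypothetical; the point is that the raw card fields are in the POST.
function onsiteCheckoutPost(card, orderId) {
  return { order_id: orderId, cc_number: card.number, cc_exp: card.expiry, cc_cvv: card.cvv };
}

// Direct-post checkout: the browser talks to the gateway first and Drupal
// only ever sees the token and last four digits.
function directPostCheckout(card, orderId) {
  const { token, last4 } = gatewayTokenize(card);
  return { order_id: orderId, payment_token: token, card_last4: last4 };
}

// Classify a request body the way the white paper does.
function saqScopeForRequest(body) {
  return findPanFields(body).length > 0
    ? "SAQ D (cardholder data reached Drupal)"
    : "no PAN in request";
}

// Constructed sample input: a Luhn-valid test number, not a real account.
const SAMPLE_CARD = { number: "4111 1111 1111 1111", expiry: "12/25", cvv: "123" };

console.log("onsite:", saqScopeForRequest(onsiteCheckoutPost(SAMPLE_CARD, "1001")));
console.log("direct post:", saqScopeForRequest(directPostCheckout(SAMPLE_CARD, "1001")));
```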


One might assume that a shared-management approach would qualify them for SAQ A. However, section 3.4.3 in the PCI DSS eCommerce Guidelines Supplement document makes it clear that each shared-management method has vulnerabilities [15], which are described in more detail below. Furthermore, Understanding the SAQs for PCI DSS v3.0 (in addition to the SAQ A and SAQ A-EP v3.0 forms) specifically states that direct post solutions cannot qualify for SAQ A and must use SAQ A-EP [16].


Frustrating as this may be for those wanting to achieve PCI SAQ A, the good news is that using a direct post or hosted payment page solution can still qualify as SAQ A-EP, which is much easier to achieve in comparison to SAQ D because a significant amount of the responsibility can still be considered outsourced.


Wholly Outsourced


In a wholly outsourced solution, everything regarding the Drupal application is hosted, managed, and under the responsibility (emphasis added) of a third-party vendor. Please note that most hosting services and Drupal vendors do not explicitly take on that responsibility, so be sure to do your due diligence and ensure that they are equally aware of the repercussions of taking it on. If the third-party vendor does take on that responsibility, you may be eligible to complete SAQ A [D].


Version 3.0 Disclaimer


Version 3.0 eliminated much of the confusion that existed in version 2.0 with respect to selecting the appropriate SAQ form for each shared-management solution. Previously, one could formulate a strong argument for SAQ A, SAQ C, or some arbitrary hybrid of the two. And given the large difference in the implications of each SAQ type (see Figure 2), it was difficult to confidently make a final determination for each of these shared-management solutions. SAQ A-EP not only introduced a middle ground, but the requirements for SAQ A and SAQ A-EP also made it clear which form is appropriate for each solution: iframe and hosted payment page methods are compatible with SAQ A, while direct post methods are not.


The decision to allow iframe solutions into SAQ A is not without controversy because one can still make the case that a breach of the Drupal application layer can compromise the delivery of the iframe. Therefore, while the final recommendations of this paper are to use iframe and hosted payment page solutions in order to fall within the scope of SAQ A, it is also recommended to always comply with SAQ A-EP (at a minimum) for security reasons and to future proof your Drupal site against the next versions of the PCI-DSS standard.


There are other important changes introduced in the 3.0 standard, such as the requirement to have all components of the CDE documented with an explicit determination of responsibility for each component. Also noteworthy is that SAQ C is no longer applicable for eCommerce channels, which means that all merchant-managed solutions must comply with the more rigorous SAQ D. For a full list of changes, please see the Version 3.0 Change Highlights and Summary of Changes from PCI DSS Version 2.0 to 3.0 documents [17, 18].


Selecting the Appropriate Method


SAQ A is obviously desirable and recommended because of its lower risk, time, and cost to implement. However, a company’s business needs may require a solution that is more customizable and that may rule out a wholly outsourced or even shared-management solution.


Example: Recurring Payments for Ubercart on Drupal 7


As of July 2014, there is no wholly-outsourced or shared-management solution for a Drupal 7 website using Ubercart with a recurring billing requirement. To store a customer’s credit card information directly on Authorize.Net’s servers, one must use the included Ubercart Authorize.Net module and enable the Customer Information Manager (CIM) option. Unfortunately, the way Ubercart implements CIM requires the credit card information to pass through the Drupal application. Therefore this is a merchant-managed solution, which requires one to adhere to every control item in SAQ D.


Author's Note: payment processors like Authorize.Net have the ability to use third-party iframes to integrate with their CIM service, and adding this functionality to the existing Ubercart modules (core or contrib) would make it significantly easier for merchants to achieve compliance. However, requests to add this functionality for Authorize.Net and other payment gateways have been made with no indication that they will be added to a development roadmap [19].


Additional Considerations


One of the easiest ways to use a shared-management approach is to redirect to a hosted payment page. However, website owners are often resistant to doing this because customers are not always keen on being sent to a third-party site. Additionally, third-party HPPs are not always as customizable in terms of look and feel. Finally, HPP solutions are often more difficult to develop against, because one needs to be developing on a publicly reachable URL or IP address in order to receive the gateway's response.


With respect to direct post methods using JavaScript (JS), there is always the consideration that a user may have JS disabled and therefore be unable to enter a payment at all without being prompted to adjust their browser security settings.


There are considerations with respect to which shopping cart method to use (or continue to use) on top of Drupal. Drupal Commerce is much more popular for Drupal 7 and popularity brings more people to fix bugs and contribute modules. However, there is still a significant user base using Ubercart, and while Ubercart has far fewer shared-management payment gateway modules that are publicly available, there is nothing precluding the community from creating them in order to address the newer and more stringent PCI-DSS requirements. The possibility of additional costs to become compliant with Ubercart should be a consideration when evaluating the two solutions.


There are also other payment methods on Drupal, such as the stand-alone Stripe and Pay modules, which offer a simpler and smaller feature set than Ubercart and Drupal Commerce and may be more appropriate for one-time payment solutions.


Recommendations


There is no one-size-fits-all solution. Each company will have to balance the resources available to become compliant against the features necessary for the business. However, there are some general recommendations that apply across the board. The first is to use Drupal Commerce over Ubercart, because Drupal Commerce is more developer focused and has a more consistent code base. It also has more shared-management payment solutions, and that trend is likely to continue. Finally, whenever possible, use a shared-management solution (SAQ A-EP compatible) over a merchant-managed solution (SAQ D required) in order to significantly reduce the number of potential security exploits as well as the number of security controls one has to meet in order to achieve compliance. If available, select an iframe solution (SAQ A compatible) because it further reduces the number of requirements necessary for compliance. However, it's still recommended for those using an iframe or hosted payment page solution to adhere to SAQ A-EP, because it will future proof the CDE and enforce many best practices that should be implemented regardless.


Drupal Specific Exploits


To further emphasize the importance of adhering to the PCI standard (for both merchant-managed and shared-management payment solutions), we created a list of the many ways in which a compromised website could be configured in order to steal cardholder data.


For specific ways that the Drupal application can be compromised, please visit DrupalSecurityReport.org.


Locking Down Drupal for PCI SAQ D


This is a non-exhaustive list of ways in which you can harden security at the Drupal level.


Drupal’s Security Team


The Drupal security team is a volunteer group of developers who are passionate about keeping Drupal secure. You can follow them by visiting http://drupal.org/security, subscribing to their RSS feeds, or joining their group on groups.drupal.org (see https://www.drupal.org/security-team for more information).


Final Message to Drupal Developers


The security of a website largely depends on the quality of your work and your attention to detail. Whenever creating custom code, be sure that it complies with best practices. When using other people’s code, be sure to review it to ensure that it is also stable, secure, and community supported. When configuring a site, be sure to leverage modules like Security Review and Coder Review to ensure you are not accidentally opening up a security hole.


While you are not necessarily the one responsible for achieving and maintaining a site’s PCI compliance, you are responsible for educating yourself about it as well as notifying your employer and/or client when their decisions will impact the site’s overall security posture.

Final Message to Drupal Shops

Your responsibility is to protect your business. It is up to you to be exceedingly clear with respect to who is responsible for PCI compliance before, during, and after a site launch. Any service agreements should also include language regarding each party's PCI-DSS compliance responsibilities as well as links to reference materials that provide clients with a means of understanding the implications of these responsibilities.


This conversation will ultimately lead to a greater focus on security for all delivered websites. This not only can be a valuable upsell to current clients, but it can become a competitive advantage and even attract new business.


Finally, if you are a service provider that offers hosting or managed services for a site that handles credit cards and you agree to take on the PCI DSS responsibilities for your clients, you must comply with all PCI DSS requirements and complete SAQ D as a Service Provider, no matter what shopping cart solutions your clients have implemented.

Final Message to Site Owners

Your decisions about how you handle credit card data affect the livelihood of your business. While achieving PCI compliance may seem cost prohibitive, the reality is that a security breach could potentially bankrupt a small to medium-size business. Beyond that, the decisions you make also affect the credit of your customers because identity theft can cost thousands of dollars and take months to years to reconcile. Finally, there can be legal and PR consequences that occur as a result of a breach, further affecting your ability to sustain and grow your business.

Next Steps

Getting started can seem like a daunting task. However, breaking it down into small steps can make this a very manageable process.


At any stage, you may also wish to hire a professional to help expedite the process and ensure that your plan is sound. Specifically, you would want to locate a QSA (Qualified Security Assessor): QSAs are organizations that have been qualified by the PCI Council to have their employees assess compliance with the PCI DSS standard.

Top 8 Drupal PCI Compliance Myths

Author’s Note: This is a trimmed down summary from a longer article [20].

Drupal is PCI compliant.

This is incorrect by itself because Drupal is only one piece of the cardholder data environment (CDE). However, when Drupal is up to date with all of its security patches and when it’s configured properly to meet its portion of the PCI-DSS requirements, then Drupal is PCI compatible. PCI compliance can only be achieved at the CDE level once each component of the CDE has met all the requirements within their area of responsibility.

Ubercart and Drupal Commerce are PCI compliant.

This is also incorrect in and of itself simply because it’s a component of a larger system. However, the particular payment method chosen within each eCommerce solution can greatly influence how easy it is to become compliant.

I use HTTPS, therefore my Drupal website is secure.

Securing the transaction from the Drupal application to the payment gateway addresses only one of the 12 sections of the PCI standard. There are a significant number of other vulnerabilities that can exist at the server, network, and application level.

I can store numbers/CCV.

Storing the 3-4 digit security code is never allowed under any circumstances. Storing the full credit card number at the Drupal layer is extremely risky and should not be done without a considerable amount of attention and expertise.
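As an added example (not code from the white paper), the following Python script shows how a site operator can check logs, database dumps or debug output for exactly the data this myth concerns: full card numbers and the 3-4 digit security code. It finds candidate numbers, confirms them with a Luhn check so order numbers and timestamps are not flagged, masks any real PAN down to the first six and last four digits, and flags any labelled security code. The log lines and the card numbers are constructed test data.

```python
"""Find and mask card data that must not be kept (PCI DSS Requirement 3).

Added example; log lines and card numbers below are constructed test data.
"""
import re

# Candidate PANs: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A security code stored next to a label such as cvv=123 or "cvc": "1234".
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|security[_ ]code)\b\W{0,4}(\d{3,4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, which weeds out order numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS 3.3 masking)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str) -> dict:
    """Report PANs and security codes in one line and return a redacted copy."""
    pans = []
    redacted = line
    for match in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):
            pans.append(mask_pan(digits))
            redacted = redacted.replace(match.group(0), mask_pan(digits))
    cvv_present = CVV_RE.search(line) is not None
    # The security code may never be stored, so it is dropped entirely.
    redacted = CVV_RE.sub(lambda m: m.group(1) + "=[REDACTED]", redacted)
    return {"pans": pans, "cvv": cvv_present, "redacted": redacted}


def scan_log(lines):
    """Scan many lines; return (findings per offending line, redacted lines)."""
    findings, redacted = [], []
    for number, line in enumerate(lines, 1):
        result = scan_line(line)
        if result["pans"] or result["cvv"]:
            findings.append({"line": number, "pans": result["pans"], "cvv": result["cvv"]})
        redacted.append(result["redacted"])
    return findings, redacted


# Constructed sample log; 4111... and 5555... are well-known test card numbers.
SAMPLE_LOG = [
    "checkout order=1234567890123 pan=4111 1111 1111 1111 cvv=123 amount=19.99",
    "gateway response: status=approved ref=9876543210 ts=1408980000",
    'debug: {"cc_number": "5555555555554444", "cvc": "321"}',
]

if __name__ == "__main__":
    found, cleaned = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: PAN(s) {f['pans']}, security code present: {f['cvv']}")
    print("\n".join(cleaned))
```

Lines 1 and 3 are reported (a Luhn-valid PAN plus a labelled security code each); line 2 contains only ten-digit reference numbers and passes. The redacted copies are what should be retained if the log itself must be kept.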

Shared-management Methods are 100% foolproof.

This is false because modifying code at the Drupal application layer can result in a man-in-the-middle attack, the introduction of a keylogger, and other exploits.
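Because the risk described here (and in the Drupal Specific Exploits section above) is an unexpected change to the application code, a defender's first control is a file-integrity baseline. The following added example (not code from the white paper) records SHA-256 hashes of every file under a web root, skipping the user-upload directory that legitimately changes, and reports files that were added, removed or modified since the baseline; the directory layout and file contents are constructed for the demonstration.

```python
"""File-integrity baseline for a web root (supports PCI DSS Requirements 10/11).

Added example, not the white paper's code; the directory tree is constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Directories that legitimately change at runtime and are not code.
DEFAULT_EXCLUDES = ("sites/default/files/",)


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path, excludes=DEFAULT_EXCLUDES) -> dict:
    """Map each file's path (relative to root, POSIX style) to its hash."""
    baseline = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel.startswith(prefix) for prefix in excludes):
            continue
        baseline[rel] = hash_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests; any non-empty list should be investigated."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            rel for rel in baseline.keys() & current.keys() if baseline[rel] != current[rel]
        ),
    }


def demo() -> dict:
    """Build a toy Drupal-like tree, baseline it, change it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        module_dir = root / "sites" / "all" / "modules" / "commerce"
        upload_dir = root / "sites" / "default" / "files"
        module_dir.mkdir(parents=True)
        upload_dir.mkdir(parents=True)
        (root / "index.php").write_text("<?php // bootstrap\n")
        (module_dir / "commerce.module").write_text("<?php // checkout logic\n")
        (upload_dir / "logo.png").write_bytes(b"\x89PNG")

        baseline = build_baseline(root)

        # Changes a periodic check should surface: an edited module file and a
        # new PHP file outside the upload directory. A new upload is ignored.
        with (module_dir / "commerce.module").open("a") as handle:
            handle.write("// unexpected edit\n")
        (root / "sites" / "default" / "x.php").write_text("<?php // unexpected file\n")
        (upload_dir / "new.png").write_bytes(b"\x89PNG")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the baseline manifest is generated at deploy time, stored off the web server, and compared on a schedule; a non-empty result is a change to review, not necessarily a compromise.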

I can achieve PCI compliance using shared hosting.

Shared hosting is not secure enough for PCI SAQ A-EP or D: too many users (both customers and employees of the hosting company) have access to the server, and you do not have enough control to lock down the system. Technically an iframe solution (SAQ A compatible) could get by on shared hosting, but we strongly recommend against it.

I can achieve PCI compliance using cloud hosting.

As of July 2014, we are seeing a growing number of reputable hosting providers introducing PCI compliant cloud hosting options. However, you must do your due diligence before immediately accepting their claims. As part of the version 3.0 standard, each party must explicitly agree to the particular sections of the standard that they assume responsibility. Not only should the cloud hosting provider explicitly state that their solution is PCI compliant and they will assume the responsibilities within their jurisdiction, but the cloud hosting provider should also be able to provide documentation (upon request) to validate their claims.


Regardless of whether you choose a cloud or dedicated hardware solution, you must use a PCI DSS certified service provider if you are outsourcing hosting for eCommerce servers.

I can set it and forget it.

PCI compliance is not a single event that is checked off a list and never revisited. Rather, it’s a continually changing state. If a security exploit is discovered and disclosed for Drupal or the OS running the server Drupal is hosted on, then your site is not PCI compliant. Therefore PCI compliance is a continual process that needs to be maintained through vigilance.
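One way to make the "continual process" concrete is to compare installed module versions against published security advisories and measure how long each known issue has been open; the 30-day patch window used here is the one the paper gives under Requirement 6. This is an added example, not the paper's or the Drupal security team's code; the installed versions, advisory identifiers and dates are constructed placeholders, not real advisories.

```python
"""Patch-age check against security advisories (PCI DSS Requirement 6).

Added example, not the white paper's or the Drupal security team's code.
Installed versions, advisory ids and dates are constructed placeholders.
"""
import re
from datetime import date

# The paper cites a 30-day window for applying critical patches.
PATCH_WINDOW_DAYS = 30

VERSION_RE = re.compile(r"(\d+)\.x-(\d+)\.(\d+|x-dev)")


def parse_version(version: str) -> tuple:
    """Turn a contrib version such as '7.x-1.10' into (core, branch, patch).

    Tuples compare numerically, so 7.x-1.10 is correctly newer than 7.x-1.9,
    which a plain string comparison would get wrong. '-dev' sorts below
    every numbered release on its branch.
    """
    match = VERSION_RE.fullmatch(version)
    if not match:
        raise ValueError(f"unrecognised version string: {version}")
    core, branch, patch = match.groups()
    return (int(core), int(branch), -1 if patch == "x-dev" else int(patch))


def outdated(installed: dict, advisories: list, today: date) -> list:
    """Advisories that apply to an installed version, with days since disclosure."""
    report = []
    for adv in advisories:
        version = installed.get(adv["project"])
        if version is None:
            continue  # project not installed, advisory does not apply
        if parse_version(version) >= parse_version(adv["fixed_in"]):
            continue  # already patched
        days_open = (today - adv["published"]).days
        report.append({
            "project": adv["project"],
            "advisory": adv["id"],
            "installed": version,
            "fixed_in": adv["fixed_in"],
            "days_open": days_open,
            "overdue": days_open > PATCH_WINDOW_DAYS,
        })
    return report


# Constructed inventory and advisory feed (placeholder ids, not real SA numbers).
INSTALLED = {"commerce": "7.x-1.9", "views": "7.x-3.7", "ctools": "7.x-1.4"}
ADVISORIES = [
    {"id": "SA-CONTRIB-EXAMPLE-001", "project": "views", "fixed_in": "7.x-3.8", "published": date(2014, 6, 25)},
    {"id": "SA-CONTRIB-EXAMPLE-002", "project": "ctools", "fixed_in": "7.x-1.4", "published": date(2014, 7, 30)},
    {"id": "SA-CONTRIB-EXAMPLE-003", "project": "commerce", "fixed_in": "7.x-1.10", "published": date(2014, 8, 15)},
    {"id": "SA-CONTRIB-EXAMPLE-004", "project": "panels", "fixed_in": "7.x-3.5", "published": date(2014, 8, 1)},
]


def check_site(today: date = date(2014, 8, 25)) -> list:
    """Run the check on the constructed data; the default date is the paper's date."""
    return outdated(INSTALLED, ADVISORIES, today)


if __name__ == "__main__":
    for item in check_site():
        state = "OVERDUE" if item["overdue"] else "within window"
        print(f"{item['project']} {item['installed']} < {item['fixed_in']} "
              f"({item['advisory']}): open {item['days_open']} days, {state}")
```

With the constructed data, the views advisory has been open for 61 days and is overdue, the commerce advisory is 10 days old and still inside the window, ctools is already at the fixed version, and the panels advisory is skipped because the module is not installed.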

Summary

Drupal makes it trivial to get an eCommerce site up in minutes, but PCI compliance can take months if it is not set up correctly. And while PCI compliance has many nuances and complexities, it’s a mandatory requirement for the tens of thousands of reported Drupal eCommerce installations. Small, incremental steps in learning and implementation are key to achieving and maintaining compliance, protecting your business, customers, and development.

Sponsors

AppliedTrust

AppliedTrust provides IT infrastructure, security, and opensource consulting services. The company serves clients in a variety of industries, including healthcare, financial services, recreation and government. AppliedTrust is a PCI DSS Qualified Security Assessor.

http://www.appliedtrust.com

Card.com

CARD.com creates Fair, Fashionable and Fun online payments solutions. CARD.com prepaid Visa cards are your connection to what you love. With FDIC insured accounts, ATM access, smartphone apps and online tools to manage your account, CARD.com provides full service payment solutions. We are always looking for great brands with large communities looking to extend their connection via branded debit cards or other interesting ideas in the payments industry. Our team is growing, see CARD.com/careers.

https://www.card.com

CrossFunctional

CrossFunctional is a Sydney-based online solutions provider with proven expertise in Drupal, WordPress and other open source systems. In operation since 2008, we have grown to provide services at multiple levels and across multiple industries.

http://crossfunctional.net

Commerce Guys

Commerce Guys is the software company behind Drupal Commerce, the eCommerce solution that capitalizes on the virtues and power of Drupal, the premier open-source content management system. We focus our knowledge and expertise on providing online merchants with the powerful, responsive, innovative eCommerce solutions they need to thrive.

http://commerceguys.com

NEWMEDIA

We love web design, whatever you call it nowadays. UI/UX, interface design, you name it. Our clients are not just in Denver, CO, but also all over the USA; many are even overseas. We don't just make websites look pretty, though; we develop complicated websites in-house as well. Yes, we may well be the most established provider of Drupal web development services in Colorado.

http://www.newmediadenver.com

Townsend Security

Townsend Security creates encryption and key management solutions that help organizations meet compliance requirements and mitigate the risk of data breaches. Over 3,000 companies worldwide trust Townsend Security’s NIST and FIPS 140-2 validated solutions to meet the requirements in PCI DSS, HIPAA, FISMA, and other regulations. Learn more about Key Connection for Drupal or join our Drupal Developer program.

http://www.townsendsecurity.com

Hosted PCI

HostedPCI eliminates the risk associated with handling credit cards by delivering state of the art transaction processing technology that achieves 100% Continuous PCI Compliance, quickly and painlessly. HostedPCI allows merchants of any size to guarantee total protection against credit card theft for their online checkout, call center and mobile transactions. It’s fast & easy to implement, and extremely cost-effective compared to traditional methods.

http://www.hostedpci.com

Copperly

Copperly educates businesses in the Drupal community and beyond about cost-effective credit card processing options. We work with businesses to identify the pricing model and implementation best suited to their needs.

http://www.copperly.com

References

  1. US Census Bureau News CB13-78 - http://goo.gl/s6e7F
  2. Global eCommerce sales will top $1.25 trillion by 2013 - http://goo.gl/DlMff
  3. Introduction to the E-commerce & Internet Business - http://goo.gl/2uAoo
  4. Drupal Usage trends - http://goo.gl/lEbTH
  5. PCI DSS - Glossary of Terms, Abbreviations, and Acronyms - http://goo.gl/IE0Fb
  6. 2010 Annual Study: U.S. Cost of a Data Breach - http://goo.gl/EoEp6
  7. Heartland Data Breach: MasterCard, Visa Impose Hefty Fines - http://goo.gl/t0lQT
  8. Data-breach costs take toll on Target profit - http://goo.gl/aKjIOI
  9. In Data Leaks, Culprits Often Are Mom, Pop - http://goo.gl/aGYbq
  10. Sony PlayStation suffers massive data breach - http://goo.gl/Um5cE
  11. Official PCI Security Standards Council Site - http://goo.gl/Z1lUr
  12. Approved Scanning Vendors - http://goo.gl/FzzH6
  13. Navigation PCI DSS - http://goo.gl/H5jOK
  14. New! More! A First Look at the PCI DSS 3.0 SAQs - http://goo.gl/YnjkJZ
  15. Information Supplement: PCI DSS E-commerce Guidelines - http://goo.gl/R21rw
  16. Understanding the SAQs for PCI DSS v3.0 - http://goo.gl/V8ZrVF
  17. Version 3.0 Change Highlights - http://goo.gl/XDBzkz
  18. Summary of Changes from PCI DSS Version 2.0 to 3.0 - http://goo.gl/7nR1Gt
  19. Integrate Authorize.net (Hosted) CIM - http://goo.gl/rvOfz
  20. Top 12 Drupal PCI Compliance Myths - http://goo.gl/phZcg1

Footnotes

Reviewers

The authors of this paper would like to thank the following individuals for reviewing the paper and providing feedback to improve its accuracy and utility. In alphabetical order: Ryan Cross (rcross), Robert Douglass (robertdouglass), Trent Hein (thein), Michael Hess (mlhess), Dave Long (longwave), Alex Knoll (arknoll), Ryan Szrama (rszrama), Peter Wolanin (pwolanin).

Appendix

Additional Resources

The following is a list of documents that can be found directly from the Official PCI Security Standards Council Site:

Disclaimer

The authors are not lawyers and the contents of this document do not constitute legal advice. The authors are not responsible or liable for any loss or damages you and/or your business may incur as a result of reading this document. Everyone’s PCI compliance needs will be unique to their specific configurations and business needs. It is up to the reader to do their own due diligence and keep up with the latest information found at the PCI Security Standards Council Site.

License

This document is Copyright 2013-2014 Rick Manelius, Greg Knaddison, and Ned McClain—CreativeCommons Attribution-No Derivative Works 3.0 Unported http://creativecommons.org/licenses/by-nd/3.0 http://drupalpcicompliance.org/. You may share and re-post the PDF on other sites without modification as long as you clearly link to http://drupalpcicompliance.org/.

556 | 557 | 558 | -------------------------------------------------------------------------------- /DrupalPCICompliance.md: -------------------------------------------------------------------------------- 1 | # Drupal PCI Compliance White Paper 2 | 3 | _Authors:_ 4 | 5 | * Rick Manelius 6 | * Greg Knaddison 7 | * Ned McClain 8 | 9 | v1.2 10 | 11 | August 25th, 2014 12 | 13 | Updated to PCI-DSS 3.0 14 | 15 | ## Introduction 16 | 17 | This document provides a high level overview regarding Payment Card Industry Data Security Standard (PCI DSS) compliance specifically for Drupal eCommerce solutions. The intended audiences include: Drupal developers; companies providing Drupal products, services, and hosting; and businesses evaluating Drupal as part of their eCommerce solution. Goals of this document: to emphasize the importance of PCI compliance; to summarize the options available in becoming and maintaining compliance; to provide clear next steps and additional resources. 18 | 19 | ## Executive Summary 20 | 21 | eCommerce volume continues to grow by double digit percentages each year[1](#cite-1) as more and more businesses are supplementing their existing revenue models and/or creating new streams [2](#cite-2),[3](#cite-3). Simultaneously, Drupal has seen a 21% rise in the number of reported eCommerce installations in 2013 across its very large installation base [4](#cite-4). 22 | 23 | Drupal is an attractive eCommerce platform for many reasons: Its Open Source licensing eliminates one time and recurring costs to own and use, it is extremely modular and flexible, and it has a large, passionate, and world wide community that is continually contributing to and growing the platform. The Drupal community also makes a concerted effort when it comes to ensuring the platform is secure. 
There is a security team, weekly security advisories, venues to discuss security best practices, a collection of tools to help detect security vulnerabilities, and many other security focused strengths. The result is that Drupal is one of the most secure content management and eCommerce solutions available to merchants today. 24 | 25 | However, while it is possible to make a Drupal-based eCommerce environment PCI DSS compliant through proper planning, usage, maintenance, and management, the mere use of Drupal by itself _IS NOT_ sufficient to ensure the level of security necessary to become compliant. First, it’s possible to make Drupal insecure through the use of inappropriate configurations and site mismanagement. Second, Drupal is only a single component of the cardholder data environment (CDE). Hosting servers, networks, and other factors play a significant role in securing the entire end-to-end process. 26 | 27 | How and where the credit card data is processed, transmitted, and stored determines the size, complexity, and risk associated with the cardholder data environment, which directly impacts the time, resources, and expertise required to achieve and maintain compliance. Whenever possible, wholly-outsourced and shared-management implementations can make it easier to complete this process. Merchant-managed solutions are the most cost prohibitive for all but enterprise level companies, and should be avoided unless the business needs require them. 28 | 29 | Regardless of the selected approach, it’s always necessary to adhere to the complete PCI DSS standard because a single exploit can undermine a company's PCI compliance, opening the company up to the financial and legal liabilities associated if the exploit were to be breached. Finally, the standard is becoming more stringent with each new version; therefore, what is optional today is likely to become a requirement in the near future. 
30 | 31 | ## Definitions 32 | 33 | The following terms are used extensively throughout this document and are provided here for convenience. 34 | 35 | * **ASV:** Acronym for “Approved Scanning Vendor.” Company approved by the PCI SSC to conduct external vulnerability scanning services. 36 | * **Cardholder Data:** At a minimum, cardholder data consists of the full PAN (primary account number). Cardholder data may also appear in the form of the full PAN plus any of the following: cardholder name, expiration date and/or service code 37 | * **CDE:** Acronym for “cardholder data environment.” The people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, including any connected system components. 38 | * **Credit Cards:** The term "credit cards" is used in this paper for brevity, but the advice also applies to any debit or prepaid "payment cards." 39 | * **DSS:** Acronym for “Data Security Standard” and also referred to as “PCI DSS.” 40 | * **QSA:** Acronym for “Qualified Security Assessor,” company approved by the PCI SSC to conduct PCI DSS on-site assessments. 41 | * **Payment Cards:** For purposes of PCI DSS, any payment card/device that bears the logo of the founding members of PCI SSC (i.e. Visa, Mastercard). 42 | * **PCI:** Acronym for “Payment Card Industry.” 43 | * **ROC:** Acronym for “Report on Compliance,” which contains details documenting an entity’s compliance status with the PCI DSS. 44 | * **SAQ:** Acronym for “Self-Assessment Questionnaire,” a checklist that you must complete and adhere to in order to obtain and maintain PCI compliance. 45 | * **SSC:** Acronym for “Security Standards Council,” it is the governing organization and open forum responsible for the development, management, education, and awareness of PCI Security Standards. 46 | 47 | A full list of definitions can be found in the PCI document titled _Glossary of Terms, Abbreviations, and Acronyms_ [5](#cite-5). 
48 | 49 | ## Why Does PCI Compliance Matter for Drupal? 50 | PCI compliance is important for the industry as a whole as well as companies specifically using Drupal as part of their eCommerce solution. Here are several key areas to underscore the recommendation and requirement to adhere to PCI compliance. 51 | 52 | ### Trust 53 | 54 | Online credit card transactions have become so common and accepted in our society that it's easy to forget what is at stake. When a thief goes after physical credit cards the amount of financial loss to a financial institution or merchant is limited in size and quantity because each card has to be stolen one at a time. However in the case of electronic payments, a single computer hacker can potentially breach multiple websites with the same exploit and steal hundreds, thousands, or even millions of people's credit card data. The financial loss by a financial institution and the number of people affected in a website compromise can be staggering. 55 | 56 | While these scenarios do in fact happen, their frequency is far outweighed by the volume of transactions that are handled securely. This is in part because of the set of security standards set forth by the Payment Card Industry. When properly applied, the risk level for transactions goes down significantly, which leads to more consumer trust in merchants, the process, and the industry as a whole can continue to expand. However, if this trust is broken, consumers will lose this confidence and seek other merchants and means of payment. 57 | 58 | ### Privilege 59 | 60 | A merchant's ability to accept credit card payments is a privilege, not a right. The Payment Card Industry has established a system of payment that is convenient for consumers and business owners. It is their system and they get to set the requirements. 
Anyone accepting online payments must sign a contract and/or accept a terms of use agreement that explicitly states the merchants responsibility to adhere to these requirements (unfortunately this isn't always emphasized in the sign up process, so be sure to read through the fine print). If a merchant fails to adhere to these requirements their ability to accept credit cards as a form of payment can be suspended. 61 | 62 | ### Distributed Components 63 | 64 | Every component between a customer’s browser window and the payment processor makes up the Cardholder Data Environment (CDE). If one only focuses on securing a single component, the weakest link in the chain can be the source of an exploit. Therefore it’s not enough to simply secure Drupal. The PCI standard provides guidance on how to make sure all components are secured. 65 | 66 | _Author's Note: It's important to note that ALL systems connected to the same network that's behind the same stateful firewall as the eCommerce server are also considered part of the CDE. Therefore, a common strategy is to segment the network such that only the eCommerce relevant components are together in a carefully protected network, thus reducing the overall scope for PCI DSS compliance._ 67 | 68 | ### Distributed Companies 69 | 70 | It’s not common for one company to control the entire end-to-end process of handling a credit card transaction. Therefore, it’s important to know exactly how these companies distribute the responsibility as well as liability for ensuring this process is secure. 71 | 72 | ### Financial 73 | 74 | If you ever face a security breach and credit card information is stolen, having a proven record of your PCI compliance can protect you from the financial penalties (ranging from $25 to $215 per compromised card[6](#cite-6)). Major corporations, such as Heartland Payment Systems, have faced fines as large as $12.5 million[7](#cite-7). 
In addition to fines, your organization and brand can suffer financially due to a breach. Target Brands, Inc. attributed a portion of its 5.3% loss in sales and a 46% drop in profit during the 4th quarter of 2013 to its security breach in November of that year, which resulted in 40 million compromised credit card records[8](#cite-8). Small companies are equally at risk, accounting for 80% of all instances of unauthorized access[9](#cite-9). And while a smaller company might have a low quantity of transactions (and therefore a smaller fine), any company that has a reported breach on their record must undergo mandatory Report On Compliance audits, which alone can cost tens of thousands of dollars. 75 | 76 | ### Public Relations 77 | 78 | Beyond the financial burden of dealing with a breach, the loss of trust for a company's website, business, and brand can be staggering. The Sony PlayStation breach put more than 77 million credit card numbers at risk [10](#cite-10). The ramifications of alerting a user base and requiring that many users to change their cards and/or put a freeze on their credit cards can quickly lose current and future customers. These transactions can also impact customer credit scores if they unknowingly overdraft or miss a payment they were not expecting. 79 | 80 | ### Summary 81 | 82 | While developers and businesses may see this standard as a nuisance, it’s important to realize that these standards allow the industry as a whole to provide the level of security and trust necessary to keep it growing. The PCI DSS should be considered a baseline, minimal level of security for sites handling sensitive information - your site very well may need security controls that exceed this standard. Also adhering to the standards helps ensure protection for the business (legal, PR, and financial), as well as your customers (legal, financial). 
83 | 84 | ## The Standard Itself 85 | 86 | _Note: This paper specifically excludes PA-DSS because Drupal is Open Source Software and (whether right or wrong) falls outside the PA-DSS standard._ 87 | 88 | The PCI-DSS standard covers 12 requirements across 5 overarching categories[11](#cite-11). Rather than restate what is already provided in the materials from the PCI council, the focus here is to specifically identify why each requirement directly affects the security of Drupal within the context of a complete CDE. 89 | 90 | ### Requirement 1. Install and Maintain a Firewall 91 | 92 | The integrity of a Drupal code base can only be maintained if access to the server is restricted and protected by a stateful firewall. A lax or nonexistent firewall policy provides more ways for an attacker to find a vulnerability, gain access to the server, and modify the code on the system, which opens the door for harvesting credit card numbers. 93 | 94 | ### Requirement 2. Do Not Use Vendor Supplied Default Passwords 95 | 96 | This should be obvious, but any component of your system that has a known default password can be vulnerable if it’s not reset immediately. A Drupal specific example is the Commerce Kickstart installation profile. By default, it sets the main administrator username and password to “admin.” This should only be used for testing/evaluation purposes and should never be used for a live site. 97 | 98 | ### Requirement 3. Protect Stored Data 99 | 100 | Ideally credit cards are not being stored on a Drupal website at all. If they are stored, they must be encrypted (e.g. using a hardware security module or an encryption key management solution) in such a manner that anything with access to the database, server, or network cannot decode the information in a manner that is not intended. 
Achieving this is non-trivial and should only be attempted after gaining close familiarity with the PCI SAQ D standard (see the section _Self-Assessment Questionnaire_ for definitions of the SAQ validation types). 101 | 102 | ### Requirement 4. Encrypt transmission of cardholder data across open, public networks 103 | 104 | The data leaving the Drupal application travels through many routers and networks on the way to the payment processor. Unencrypted data would allow any component along that path to copy cardholder data and other sensitive information. Therefore, encryption with a trusted SSL certificate is a requirement. 105 | 106 | ### Requirement 5. Use and regularly update anti-virus software or programs 107 | 108 | If malware is installed on a server running Drupal, it can be difficult or impossible to verify the integrity of the codebase, which opens the door for access to credit card data. 109 | 110 | ### Requirement 6. Develop and maintain secure systems and applications 111 | 112 | It’s simply not enough to “set it and forget it” when it comes to all components of the CDE. A single discovered vulnerability at the network, server, and/or Drupal app layer has the potential for exploitation. Drupal security advisories are posted every Wednesday and should be watched regularly for any updates affecting Drupal core and/or contributed modules a site is using. Likewise, critical operating system and support software (Apache, PHP, MySQL, and other server software.) patches must be applied within 30 days of release. 113 | 114 | ### Requirement 7. Restrict access to cardholder data by business need-to-know 115 | 116 | This requirement impacts not only application design, but also account and server management. For example, the server that houses your eCommerce site should not be used as a place where anyone can connect via FTP using a shared password and upload photos from the company picnic. 
Any one of those individuals’ machines could be used to gain authorized access to the CDE code base and/or card data itself. 117 | 118 | ### Requirement 8. Assign a unique ID to each person with computer access 119 | 120 | Sharing usernames and passwords leaves less detail for actions occurring for each individual user. It also generally leads to other bad practices, such as creating weak passwords and sharing them over insecure channels like email. Never share your “user 1” or root login information between staff. 121 | 122 | ### Requirement 9. Restrict physical access to cardholder data 123 | 124 | Similar to Requirement 1, access to the server must be protected at all times. If a person without proper clearance can physically access a server, they can potentially gain root/administrator access and compromise the database and Drupal application layer. If you outsource hosting, ensure the provider is PCI DSS compliant. 125 | 126 | ### Requirement 10. Track and monitor all access to network resources and cardholder data 127 | 128 | Audit trails are critical for identifying changes in the system because a single code or configuration alteration can open up a security vulnerability. Having the ability to identify exactly what changed and who changed it is very important for verifying the integrity of a system. 129 | 130 | ### Requirement 11. Regularly test security systems and processes 131 | 132 | It’s not enough to have a system that works in theory. Periodic vulnerability scans and full penetration tests are necessary to prove that the system responds as expected. These tests have to be run regularly (at least quarterly) and are ideally run whenever there is a configuration or code change that could introduce a new vulnerability. Ensure you are using an officially Authorized Scanning Vendor (ASV) as listed on the PCI site[12](#cite-12). 133 | 134 | ### Requirement 12. 
Maintain a policy that addresses information security for all personnel 135 | 136 | All the hardware testing, security scans, and audits in the world will not help if people are allowed to use insecure passwords or send full credit card numbers via unencrypted channels like email. The human element is often the weakest link in the security chain. A security policy is required to ensure ALL employees know and understand what is acceptable and what is not with respect to maintaining compliance. 137 | 138 | ## Self-Assessment Questionnaire 139 | 140 | Knowing how to get started can seem overwhelming at first. Thankfully, the PCI council has provided detailed reference guides and instructions[13](#cite-13). All of these materials culminate to your Self-Assessment Questionnaire. This form is essentially a checklist that you must complete and adhere to in order to obtain and maintain PCI compliance. 141 | 142 | Your credit card processor and acquiring bank are required to ask you for annual SAQ forms - if they haven’t asked yet, they will soon! 143 | 144 | The key is determining which SAQ you should be filling out because they vary wildly in terms of quantity of responsibilities and the amount of time and effort it takes to complete them. SAQ A has 14 items and usually can be completed in under a day if not within a couple of hours. SAQ D contains between 326 and 347 items and can take months of time and millions of dollars to achieve[14](#cite-14). The following section will help you make sense of these different levels and how you can select the method that balances your business needs with your ability to achieve compliance. 145 | 146 | ### Determining Your Responsibilities 147 | 148 | The quantity and difficulty of your PCI responsibilities are a result of your merchant level (which is based on the volume of transactions) and your validation type (which is based on how you’re conducting transactions). 
### Merchant Level

The PCI council has defined 4 levels of transaction volume (Figure 1).

![](images/figures/PCI-levels-visa-cardbrand-2013-06-10.png "A table showing the 4 levels of PCI compliance transaction volumes for VISA card brand.")

*Figure 1. The 4 levels of transaction volumes for the VISA card brand. Other card brands (e.g. MasterCard, American Express) have different reporting and validation requirements. Image source: http://usa.visa.com/merchants/risk_management/cisp_merchants.html*

There are a few important points to emphasize for the Visa card brand:

* Compliance begins at transaction #1.
* Even though validation is optional at level 4, compliance is still mandatory.
* If a breach occurs and is reported, a company immediately moves to level 1 regardless of its transaction volume.
* Level 1 validation involves a more stringent auditing process, including a mandated third-party audit, which adds additional time and money to stay compliant.

### Validation Type

The PCI council defines 8 different validation types:

![](images/figures/PCI-saq-breakdown.png "Breakdown of PCI types as a function of merchant’s activities.")

*Figure 2. Breakdown of PCI-DSS version 3.0 SAQ types as a function of merchant activities.*

For the purposes of a typical Drupal eCommerce site, SAQ A, A-EP, and D are the most relevant types[A](#footnote-A), [B](#footnote-B). It is also extremely important to understand which type the system falls into because there is a large difference in time, effort, risk, and expense in achieving compliance.

![](images/figures/PCI-typical-costs-per-saq-type.png "Approximate PCI compliance costs per SAQ type. Factors include audits ($30,000-$100,000), time spent meeting each requirement, and more.")

*Figure 3. Approximate PCI compliance costs per SAQ type. Factors include audits ($30,000-$100,000), time spent meeting each requirement, and more.*

For many eCommerce stores, selecting a payment method that places them in type C or D can be cost prohibitive. However, achieving SAQ A or A-EP is not always possible given the available payment gateway options that can satisfy a business's feature requirements; the gateway choice drives the expansion or reduction of the CDE and ultimately determines the validation type.

### Drupal Specific Examples

The shopping cart selected (Drupal Commerce, Ubercart, Pay, Stripe, etc.) and the payment method within that shopping cart (hosted payment page, direct post, iframe, onsite) are usually the most significant factors in expanding or reducing the CDE, which directly impacts the SAQ type. Here are some situations that may force one into SAQ D:

* A client that wants complete control over the checkout process may shy away from hosted payment pages, which may be the only viable shared-management option for a particular payment gateway[C](#footnote-C).
* A client sometimes must use a particular payment gateway because of an existing contract/business relationship, and that gateway may offer no shared-management options.

## Overview of Payment Methods

The PCI council defines 3 types of payment methods: Merchant-managed, Shared-management, and Wholly-outsourced.

### Merchant-managed

A general guideline is that if the company’s servers store, transmit, or handle cardholder data, then it’s merchant-managed. An example would be a customer submitting a payment directly on a Drupal site using Ubercart connected to Authorize.Net, because the customer’s payment information passes through the merchant’s webserver on the way to Authorize.Net. It does not matter whether the merchant is storing the data on their servers, since a hacker could gain access to it if they were able to compromise the server.
Onsite payments posted directly back to Drupal (i.e. an HTTP POST request containing the cardholder data is submitted to the Drupal application, which results in a bootstrap and the passing of the cardholder data through the Form API) immediately fall into SAQ D.

Merchant-managed examples:

* Authorize.Net Automated Recurring Billing (ARB)
* Authorize.Net Customer Information Manager (CIM)
* PayPal Payments Standard (PPS)

### Shared-management

In a shared-management approach, the credit card information never touches the server that is running the Drupal application. This is generally accomplished by one of 3 approaches:

* Hosted Payment Page (HPP)
* Direct Post
* Inline Frame (iframe)

An HPP approach is where a user is redirected from the Drupal site to a third-party site in order to enter their payment details. If the transaction is successful, the customer is redirected back to the Drupal site with the payment authorization details. Depending on the specific payment gateway's security requirements, these payment authorization details may get sent back to the payment gateway's API to further validate the payment.

Example HPP solutions:

* Authorize.Net Server Integration Method (SIM)
* PayPal Payments Standard (PPS)
* PayPal Express Checkout (EC)

A direct post approach is where the customer remains on the website, but their card data is submitted directly from the customer’s browser to the payment gateway, and a response is sent directly back to the customer with a one-time authentication code or "token" that is then used by Drupal to immediately communicate with the payment gateway's API to validate the payment. There are two flavors of direct post: setting an HTML form's action attribute to a third-party API endpoint, or achieving the same with JavaScript.
Example direct post solutions:

* Authorize.Net Direct Post Method (DPM)
* Braintree Payments
* Stripe

An iframe approach is where the payment details portion of the checkout form is loaded through an iframe directly from the payment processor. Similar to a direct post strategy, an iframe gives the customer the impression they are always on site while the credit card details are sent directly to the payment gateway.

Example iframe solutions:

* Hosted PCI
* Authorize.Net Hosted Customer Information Manager (CIM)
* PayPal Payments Advanced (PPA)
* PayPal Payflow Link (PFL)

The common denominator in all shared-management configurations is that the checkout process begins on the Drupal website (a component of the CDE) managed by the merchant, but the customer is technically sending their credit card credentials directly to the payment processor’s CDE. This occurs by redirection (HPP), loading a payment form from the processor's servers (iframe), or posting the form directly through JavaScript or the action attribute on an HTML form (direct post).

One might assume that a shared-management approach would qualify them for SAQ A. However, section 3.4.3 in the _PCI DSS eCommerce Guidelines Supplement_ document makes it clear that each shared-management method has vulnerabilities[15](#cite-15), which are described in more detail below. Furthermore, _Understanding the SAQs for PCI DSS v3.0_ (in addition to the SAQ A and SAQ A-EP v3.0 forms) specifically states that direct post solutions cannot qualify for SAQ A and must use SAQ A-EP[16](#cite-16).

Frustrating as this may be for those wanting to achieve PCI SAQ A, the good news is that using a direct post or hosted payment page solution can still qualify as SAQ A-EP, which is much easier to achieve in comparison to SAQ D because a significant amount of the responsibility can still be considered outsourced.
### Wholly Outsourced

In a wholly outsourced solution, everything regarding the Drupal application is hosted, managed, and under the responsibility (emphasis added) of a third-party vendor. Please note that most hosting services and Drupal vendors do not explicitly take on that responsibility, so be sure to do your due diligence and ensure that they are equally aware of the repercussions of taking on that responsibility. If the third-party vendor does take on that responsibility, you may be eligible to complete SAQ A[D](#footnote-D).

### Version 3.0 Disclaimer

Version 3.0 eliminated much of the confusion that existed in version 2.0 with respect to selecting the appropriate SAQ form for each shared-management solution. Previously, one could formulate a strong argument for SAQ A, SAQ C, or some arbitrary hybrid of the two. And given the large difference in the implications for each SAQ type (see Figure 2), it was difficult to confidently make a final determination about each of these shared-management solutions. SAQ A-EP not only introduced a middle ground, but the requirements for SAQ A and SAQ A-EP made it clear which solution was appropriate for each: iframe and hosted payment page methods are compatible with SAQ A, while direct post methods are not.

The decision to allow iframe solutions into SAQ A is not without controversy because one can still make the case that a breach of the Drupal application layer can compromise the delivery of the iframe. Therefore, while the final recommendations of this paper are to use iframe and hosted payment page solutions in order to fall within the scope of SAQ A, it is also recommended to always comply with SAQ A-EP (at a minimum) for security reasons and to future-proof your Drupal site against the next versions of the PCI-DSS standard.
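The concern above, that a compromised Drupal layer can change what the checkout page loads (iframe) or posts to (direct post), is something a merchant can check for from the outside on every rendered checkout page. The following Python script is an added example, not code from the white paper or from any Drupal module; the hostnames, HTML snippets and card-field heuristic are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input names / autocomplete tokens that mark a form as one collecting card data.
# Constructed heuristic for this example; extend it to match your checkout form.
CARD_FIELD_RE = re.compile(r"(cc[-_]?num|card[-_]?number|cvv|cvc|csc|cc[-_]?exp)", re.I)


class _CheckoutScanner(HTMLParser):
    """Collects every remote endpoint on the page and notes which forms hold card fields."""

    def __init__(self):
        super().__init__()
        self.endpoints = []   # (tag, url) for iframe src and script src
        self.forms = []       # (action, holds_card_fields) for every form
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = [a.get("action", ""), False]
        elif tag == "input" and self._form is not None:
            probe = " ".join((a.get("name", ""), a.get("autocomplete", ""), a.get("id", "")))
            if CARD_FIELD_RE.search(probe):
                self._form[1] = True
        elif tag == "iframe" and a.get("src"):
            self.endpoints.append(("iframe", a["src"]))
        elif tag == "script" and a.get("src"):
            self.endpoints.append(("script", a["src"]))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(tuple(self._form))
            self._form = None


def scan_checkout_html(html, site_host, gateway_hosts):
    """Return sorted findings for a rendered checkout page.

    site_host     - hostname of the Drupal site itself (relative URLs resolve here)
    gateway_hosts - hostnames the payment gateway legitimately serves forms/scripts from
    An empty list means every endpoint is HTTPS, on an expected host, and no
    card-entry form posts back to Drupal (which would make the site merchant-managed).
    """
    parser = _CheckoutScanner()
    parser.feed(html)
    parser.close()
    findings = []
    allowed = {h.lower() for h in gateway_hosts} | {site_host.lower()}

    endpoints = parser.endpoints + [("form", action) for action, _ in parser.forms]
    for tag, url in endpoints:
        u = urlparse(url)
        if not u.scheme and not u.netloc:
            continue  # relative URL: served by the Drupal site; card forms are checked below
        if u.scheme != "https":
            findings.append(f"{tag} is not explicitly HTTPS: {url}")
        if (u.hostname or "").lower() not in allowed:
            findings.append(f"{tag} points at an unexpected host: {url}")

    for action, holds_card in parser.forms:
        if holds_card and (urlparse(action).hostname or site_host).lower() == site_host.lower():
            findings.append(f"card fields post back to the Drupal site (merchant-managed, SAQ D): action={action!r}")
    return sorted(findings)


# Constructed sample pages: a healthy direct post + iframe checkout, then the same
# page showing the tampering patterns described in the white paper.
CLEAN_PAGE = """
<form action="/checkout/shipping" method="post"><input name="address"></form>
<iframe src="https://secure.gateway.example/hosted-form?token=abc"></iframe>
<script src="https://js.gateway.example/v1/direct-post.js"></script>
<form action="https://secure.gateway.example/directpost" method="post">
  <input name="card_number" autocomplete="cc-number">
</form>
"""

TAMPERED_PAGE = """
<form action="/checkout/shipping" method="post"><input name="address"></form>
<iframe src="https://payments.evil.example/frame"></iframe>
<script src="http://js.gateway.example/v1/direct-post.js"></script>
<form action="/checkout/payment" method="post"><input name="card_number"></form>
"""

SITE_HOST = "shop.example"
GATEWAY_HOSTS = {"secure.gateway.example", "js.gateway.example"}

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(label, scan_checkout_html(page, SITE_HOST, GATEWAY_HOSTS) or "no findings")
```

Run it against the live checkout URL on a schedule (and after every deployment) so that a changed form action, iframe source or script origin raises an alert rather than going unnoticed.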
There are other important changes introduced in the 3.0 standard, such as the requirement to have all components of the CDE documented with an explicit determination of responsibility for each component. Also noteworthy is that SAQ C is no longer applicable for eCommerce channels, which means that all merchant-managed solutions must comply with the more rigorous SAQ D. For a full list of changes, please see the _Version 3.0 Change Highlights_ and _Summary of Changes from PCI DSS Version 2.0 to 3.0_ documents[17](#cite-17),[18](#cite-18).

## Selecting the Appropriate Method

SAQ A is obviously desirable and recommended because of its lower risk, time, and cost to implement. However, a company’s business needs may require a solution that is more customizable, and that may rule out a wholly outsourced or even a shared-management solution.

### Example: Recurring Payments for Ubercart on Drupal 7

As of July 2014, there is no wholly-outsourced or shared-management solution for a Drupal 7 website using Ubercart with a recurring billing requirement. To store a customer’s credit card information directly on Authorize.Net’s servers, one must use the included Ubercart Authorize.Net module and enable the Customer Information Manager (CIM) option. Unfortunately, the way Ubercart implements CIM requires the credit card information to pass through the Drupal application. Therefore this is a merchant-managed solution, which requires one to adhere to every control item in SAQ D.

_Author's Note: payment processors like Authorize.Net have the ability to use third-party iframes to integrate with their CIM service, and adding this functionality to the existing Ubercart modules (core or contrib) would make it significantly easier for merchants to achieve compliance. However, requests to add this functionality for Authorize.Net and other payment gateways have been made with no indication that they will be added to a development roadmap[19](#cite-19)._

## Additional Considerations

One of the easiest ways to use a shared-management approach is to redirect to a hosted payment page. However, website owners are often resistant to doing this because customers are not always keen on being sent to a third-party site. Additionally, third-party HPPs are not always as customizable in terms of look and feel. Finally, HPP solutions are often more difficult to develop against because one needs to be developing on a public-facing URL or IP address in order to receive the response appropriately.

With respect to direct post methods using JavaScript (JS), there is always the consideration that a user may have disabled JS by default and therefore be unable to enter a payment at all without being prompted to adjust their browser security settings.

There are considerations with respect to which shopping cart to use (or continue to use) on top of Drupal. Drupal Commerce is much more popular for Drupal 7, and popularity brings more people to fix bugs and contribute modules. However, there is still a significant user base using Ubercart, and while Ubercart has far fewer publicly available shared-management payment gateway modules, there is nothing precluding the community from creating them in order to address the newer and more stringent PCI-DSS requirements. The possibility of additional costs to become compliant with Ubercart should be a consideration when evaluating the two solutions.

There are also other payment methods on Drupal, such as the stand-alone Stripe and Pay modules, which offer a simpler and smaller feature set than Ubercart and Drupal Commerce and may be more appropriate for one-time payment solutions.
## Recommendations

There is no one-size-fits-all solution. Each company will have to balance the resources available to become compliant with the features necessary for the business. However, there are some general recommendations that apply across the board. The first is to use Drupal Commerce over Ubercart because Drupal Commerce is more developer-focused and has a more consistent code base. It also has more shared-management payment solutions, and that trend is likely to continue. Finally, whenever possible, use a shared-management solution (SAQ A-EP compatible) over a merchant-managed solution (SAQ D required) in order to significantly reduce both the number of potential security exploits and the number of security controls one has to meet in order to achieve compliance. If available, select an iframe solution (SAQ A compatible) because it further reduces the number of requirements necessary for compliance. However, it's still recommended for those using an iframe or hosted payment page solution to adhere to SAQ A-EP because it will future-proof the CDE as well as enforce many best practices, which should be implemented regardless.

## Drupal Specific Exploits

To further emphasize the importance of adhering to the PCI standard (for both merchant-managed and shared-management payment solutions), we created a list of the many ways in which a compromised website could be configured in order to steal cardholder data.

* **Direct module manipulation.** The codebase could be altered in such a way as to email, log, or display cardholder data upon form submission.
* **Hook alters.** Any module could implement a form alter hook to add additional validation and/or submission functions to grab the cardholder data.
* **Scripting language.** A Flash or JavaScript keylogger or scraper could be used to harvest information as it is typed in and send it to an external server.
* **HTTPS disabling.** A single configuration change can remove HTTPS, and user data would be passed unencrypted.
* **Changing credentials.** Hackers could substitute in their own gateway credentials to collect information into a different account.
* **Modifying a direct post.** Modification of the form action or JavaScript code could send the payment information to an alternative server that harvests cardholder data.
* **Modifying an iframe.** Modification of the iframe code could load a payment form from another website, acting as a man-in-the-middle attack.
* **Modifying a Hosted Payment Page.** Modification of the hosted payment page URL could redirect a customer to an alternative version of the payment site.

For specific ways that the Drupal application can be compromised, please visit DrupalSecurityReport.org.

## Locking Down Drupal for PCI SAQ D

This is a non-exhaustive list of ways in which you can harden security at the Drupal level.

* **PCI ASV scans.** The results will alert you to areas of the site you may have overlooked.
* **Hacked module.** This module will download a copy of each module and run a diff against it to ensure the code matches what was provided from Drupal.org.
* **MD5 Check module.** This module will run a checksum of each module and raise a security alert if anything has changed.
* **Deploy the full codebase with each release.** This will ensure that any tampered files get replaced.
* **Storing security configurations in code.** Example: one can force Secure Pages to always be enabled by adding its system variables to settings.php.
* **Removing credentials from settings.php.** One can include a settings.local.php file from settings.php to ensure that sensitive information is not distributed with the codebase.
* **Security Updates.** Always keep up with the Drupal Security Advisories, which are released every Wednesday.
* **Paranoia and Security Review modules.** These modules review your Drupal configuration to ensure it adheres to security best practices.
* **Security Kit module.** This module provides Drupal with various security hardening options, which let you mitigate the risks of exploitation of different web application vulnerabilities.
* **Holistic approach to compliance.** Consider PCI DSS compliance as part of the bigger picture of your organization’s compliance requirements. Often organizations will have overlapping compliance requirements from standards such as NIST 800-53, ISO 27002, HIPAA, FISMA, and others.

## Drupal’s Security Team

The Drupal security team is a volunteer group of developers who are passionate about keeping Drupal secure. You can follow them by visiting http://drupal.org/security, subscribing to their RSS feeds, or joining their group on groups.drupal.org (see https://www.drupal.org/security-team for more information).

## Final Message to Drupal Developers

The security of a website largely depends on the quality of your work and your attention to detail. Whenever creating custom code, be sure that it complies with best practices. When using other people’s code, be sure to review it to ensure that it is also stable, secure, and community supported. When configuring a site, be sure to leverage modules like Security Review and Coder Review to ensure you are not accidentally opening up a security hole.

While you are not necessarily the one responsible for achieving and maintaining a site’s PCI compliance, you are responsible for educating yourself about it as well as notifying your employer and/or client when their decisions will impact the site’s overall security posture.

## Final Message to Drupal Shops

Your responsibility is to protect your business. It is up to you to be exceedingly clear with respect to who is responsible for PCI compliance before, during, and after a site launch. Any service agreements should also include language regarding each party's PCI-DSS compliance responsibilities as well as links to reference materials that provide clients with a means of understanding the implications of these responsibilities.

This conversation will ultimately lead to a greater focus on security for all delivered websites. This not only can be a valuable upsell to current clients, but it can become a competitive advantage and even attract new business.

Finally, if you are a service provider that offers hosting or managed services for a site that handles credit cards and you agree to take on the PCI DSS responsibilities for your clients, you must comply with all PCI DSS requirements and complete SAQ D as a Service Provider, no matter what shopping cart solutions your clients have implemented.

## Final Message to Site Owners

Your decisions about how you handle credit card data affect the livelihood of your business. While achieving PCI compliance may seem cost prohibitive, the reality is that a security breach could potentially bankrupt a small to medium-size business. Beyond that, the decisions you make also affect the credit of your customers, because identity theft can cost thousands of dollars and take months to years to reconcile. Finally, there can be legal and PR consequences that occur as a result of a breach, further affecting your ability to sustain and grow your business.

## Next Steps

Getting started can seem like a daunting task. However, breaking it down into small steps can make this a very manageable process.

* **Assess current setup.** Questions to ask: Do you have a site already or are you starting from scratch? Are you using Drupal Commerce or Ubercart? Are you willing to migrate between them if necessary? Are you willing to outsource completely if sales and/or budgets cannot justify an alternative?
* **Assess requirements.** Questions to ask: Which is more important: cost or features? Do you need any complex interactions or feature sets during checkout? Or can you suffice with using a PayPal button and calling it a day?
* **Reduce CDE scope.** Questions to ask: Is it possible to segment your network so that unrelated servers are not maintained behind the same stateful firewalls as your eCommerce servers?
* **Assess options.** Now that you know what you have to work with and what the goals are, evaluate the cost/effort/risk of 2-3 scenarios.
* **Decide on a method.** Ultimately the business owner must pick a specific method balancing all the factors.
* **Determine responsibilities.** Once a decision is made, it’s required to clearly articulate who is responsible for what at each stage in the development cycle. There should also be clear sign-off points established.
* **Complete the relevant SAQ.** The Self-Assessment Questionnaire is your key tool for performing a gap analysis and determining whether you are currently compliant.
* **Prioritize PCI responsibilities.** Becoming compliant can take a long time, but some responsibilities are more critical than others. The PCI industry created a document titled _The Prioritized Approach to Pursue PCI DSS Compliance_, which gives clear guidance on what should be done first to minimize risk during the entire process.
* **Create a plan and execute.** Once you’ve identified what needs to be done and created a plan, it’s time to make consistent progress toward checking off items on the list.

At any stage, you also may wish to hire a professional to help expedite the process and ensure that your plan is sound. Specifically, you would want to locate a QSA (Qualified Security Assessor); QSAs are organizations that have been qualified by the PCI Council to have their employees assess compliance with the PCI DSS standard.

## Top 8 Drupal PCI Compliance Myths

_Author’s Note: This is a trimmed down summary from a longer article[20](#cite-20)._

### Drupal is PCI compliant.

This is incorrect by itself because Drupal is only one piece of the cardholder data environment (CDE). However, when Drupal is up to date with all of its security patches and when it’s configured properly to meet its portion of the PCI-DSS requirements, then Drupal is PCI *compatible*. PCI compliance can only be achieved at the CDE level once each component of the CDE has met all the requirements within its area of responsibility.

### Ubercart and Drupal Commerce are PCI compliant.

This is also incorrect in and of itself, simply because each is a component of a larger system. However, the particular payment method chosen within each eCommerce solution can greatly influence how easy it is to become compliant.

### I use HTTPS, therefore my Drupal website is secure.

Securing the transaction from the Drupal application to the payment gateway addresses only one of the 12 sections of the PCI standard. There are a significant number of other vulnerabilities that can exist at the server, network, and application level.

### I can store numbers/CCV.

Storing the 3-4 digit security code is never allowed under any circumstances. Storing the full credit card number at the Drupal layer is extremely risky and should not be done without a considerable amount of attention and expertise.

### Shared-management methods are 100% foolproof.
This is false because modifying code at the Drupal application layer can result in a man-in-the-middle attack, the introduction of a keylogger, and other exploits.

### I can achieve PCI compliance using shared hosting.

Shared hosting is not secure enough for PCI SAQ A-EP or D because too many users (both customers and employees of the hosting company) have access to the server, and you do not have enough control to lock down the system. Technically an iframe solution (SAQ A compatible) could get by on shared hosting, but we strongly recommend against it.

### I can achieve PCI compliance using cloud hosting.

As of July 2014, we are seeing a growing number of reputable hosting providers introducing PCI compliant cloud hosting options. However, you must do your due diligence before immediately accepting their claims. As part of the version 3.0 standard, each party must explicitly agree to the particular sections of the standard for which they assume responsibility. Not only should the cloud hosting provider explicitly state that their solution is PCI compliant and that they will assume the responsibilities within their jurisdiction, but the cloud hosting provider should also be able to provide documentation (upon request) to validate their claims.

Regardless of whether you choose to use a cloud or dedicated hardware solution, you must use a PCI DSS certified service provider if you are outsourcing hosting for eCommerce servers.

### I can set it and forget it.

PCI compliance is not a single event that is checked off a list and never revisited. Rather, it’s a continually changing state. If a security exploit is discovered and disclosed for Drupal or the OS running the server Drupal is hosted on, then your site is not PCI compliant. Therefore PCI compliance is a continual process that needs to be maintained through vigilance.
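The "shared-management methods are 100% foolproof" and "set it and forget it" myths, like the Hacked and MD5 Check modules in the lockdown list, come down to one question: has the deployed code changed since release? The following Python script is an added example of that check (not the white paper's code nor either module's): record a SHA-256 manifest of the release and diff the live tree against it later. The Drupal paths and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Paths (relative to the Drupal root) that legitimately change at runtime or must not
# ship with the code (settings.local.php holds credentials), so they are not manifested.
DEFAULT_IGNORES = ("sites/default/files/", "sites/default/settings.local.php")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _ignored(rel, ignores):
    return any(rel == i or rel.startswith(i) for i in ignores)


def build_manifest(root, ignores=DEFAULT_IGNORES):
    """Map every code file under root (relative POSIX path) to its SHA-256.

    Build this from the release artifact and keep the result off the web server:
    an attacker who can rewrite modules can also rewrite a manifest stored beside them.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not _ignored(rel, ignores):
                manifest[rel] = _sha256(full)
    return manifest


def compare_manifest(root, manifest, ignores=DEFAULT_IGNORES):
    """Diff the live tree against a release manifest; any non-empty list is an alert."""
    current = build_manifest(root, ignores)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "added": sorted(p for p in current if p not in manifest),
        "removed": sorted(p for p in manifest if p not in current),
    }


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario in a temp dir: a clean release, then three kinds of drift."""
    with tempfile.TemporaryDirectory() as root:
        gateway = "sites/all/modules/contrib/uc_authorizenet/uc_authorizenet.module"
        _write(root, gateway, "<?php\n// released code\n")
        _write(root, "sites/all/modules/custom/shop/shop.module", "<?php\n")
        _write(root, "sites/default/settings.php", "<?php\n$conf = array();\n")
        _write(root, "sites/default/files/logo.png", "upload")
        manifest = build_manifest(root)

        # Drift after release: a hook appended to the payment module, a module nobody
        # deployed, a deleted module, and routine uploads (expected, and ignored).
        _write(root, gateway, "<?php\n// released code\nfunction uc_authorizenet_form_alter(&$form) {}\n")
        _write(root, "sites/all/modules/custom/rogue/rogue.module", "<?php\n")
        os.remove(os.path.join(root, "sites/all/modules/custom/shop/shop.module"))
        _write(root, "sites/default/files/new-upload.png", "upload")
        return compare_manifest(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Because a full redeploy replaces every file, regenerating the manifest at each release and comparing on a schedule turns "deploy the full codebase" into a detection control as well as a recovery step.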
## Summary

Drupal makes it trivial to get an eCommerce site up in minutes, but PCI compliance can take months if the site is not set up correctly. And while PCI compliance has many nuances and complexities, it’s a mandatory requirement for the tens of thousands of reported Drupal eCommerce installations. Small, incremental steps in learning and implementation are key to achieving and maintaining compliance, protecting your business, customers, and development.

## Sponsors

### AppliedTrust

![](images/sponsors/logo-appliedtrust.png "AppliedTrust Logo")

AppliedTrust provides IT infrastructure, security, and open source consulting services. The company serves clients in a variety of industries, including healthcare, financial services, recreation and government. AppliedTrust is a PCI DSS Qualified Security Assessor.

[http://www.appliedtrust.com](http://www.appliedtrust.com)

### Card.com

![](images/sponsors/logo-card.png "Card.com")

CARD.com creates Fair, Fashionable and Fun online payments solutions. CARD.com prepaid Visa cards are your connection to what you love. With FDIC insured accounts, ATM access, smartphone apps and online tools to manage your account, CARD.com provides full service payment solutions. We are always looking for great brands with large communities looking to extend their connection via branded debit cards or other interesting ideas in the payments industry. Our team is growing, see CARD.com/careers.

[https://www.card.com](https://www.card.com)

### CrossFunctional

![](images/sponsors/logo-crossfunctional.png "CrossFunctional")

CrossFunctional is a Sydney-based online solutions provider with proven expertise in Drupal, WordPress and other open source systems. In operation since 2008, we have grown to provide services at multiple levels and across multiple industries.
[http://crossfunctional.net](http://crossfunctional.net)

### Commerce Guys

![](images/sponsors/logo-commerce-guys.png "Commerce Guys")

Commerce Guys is the software company behind Drupal Commerce, the eCommerce solution that capitalizes on the virtues and power of Drupal, the premier open-source content management system. We focus our knowledge and expertise on providing online merchants with the powerful, responsive, innovative eCommerce solutions they need to thrive.

[http://commerceguys.com](http://commerceguys.com)

### NEWMEDIA

![](images/sponsors/logo-newmedia.png "NEWMEDIA")

We love web design, whatever you call it nowadays. UI/UX, interface design, you name it. Our clients are not just in Denver, CO, but also all over the USA; many are even overseas. We don't just make websites look pretty, though; we develop complicated websites in-house as well. Yes, we may well be the most established provider of Drupal web development services in Colorado.

[http://www.newmediadenver.com](http://www.newmediadenver.com)

### Townsend Security

![](images/sponsors/logo-townsend-security.png "Townsend Security")

Townsend Security creates encryption and key management solutions that help organizations meet compliance requirements and mitigate the risk of data breaches. Over 3,000 companies worldwide trust Townsend Security’s NIST and FIPS 140-2 validated solutions to meet the requirements in PCI DSS, HIPAA, FISMA, and other regulations. Learn more about [Key Connection for Drupal](http://www.townsendsecurity.com/drupal?utm_campaign=Drupal%20PCI%20White%20Paper&utm_source=Drupal%20PCI%20White%20Paper) or join our [Drupal Developer program](http://info.townsendsecurity.com/developer-partner-request?utm_campaign=Drupal%20PCI%20White%20Paper&utm_source=Drupal%20PCI%20White%20Paper).
[http://www.townsendsecurity.com](http://www.townsendsecurity.com)

### Hosted PCI

![](images/sponsors/logo-hosted-pci.png "Hosted PCI")

HostedPCI eliminates the risk associated with handling credit cards by delivering state of the art transaction processing technology that achieves 100% Continuous PCI Compliance, quickly and painlessly. HostedPCI allows merchants of any size to guarantee total protection against credit card theft for their online checkout, call center and mobile transactions. It’s fast & easy to implement, and extremely cost-effective compared to traditional methods.

[http://www.hostedpci.com](http://www.hostedpci.com)

### Copperly

![](images/sponsors/logo-copperly.png "Copperly")

Copperly educates businesses in the Drupal community and beyond about cost-effective credit card processing options. We work with businesses to identify the pricing model and implementation best suited to their needs.

[http://www.copperly.com](http://www.copperly.com)

## References

1. [US Census Bureau News CB13-78](http://goo.gl/s6e7F) - http://goo.gl/s6e7F
2. [Global eCommerce sales will top $1.25 trillion by 2013](http://goo.gl/DlMff) - http://goo.gl/DlMff
3. [Introduction to the E-commerce & Internet Business](http://goo.gl/2uAoo) - http://goo.gl/2uAoo
4. [Drupal Usage trends](http://goo.gl/lEbTH) - http://goo.gl/lEbTH
5. [PCI DSS - Glossary of Terms, Abbreviations, and Acronyms](http://goo.gl/IE0Fb) - http://goo.gl/IE0Fb
6. [2010 Annual Study: U.S. Cost of a Data Breach](http://goo.gl/EoEp6) - http://goo.gl/EoEp6
7. [Heartland Data Breach: MasterCard, Visa Impose Hefty Fines](http://goo.gl/t0lQT) - http://goo.gl/t0lQT
8. [Data-breach costs take toll on Target profit](http://goo.gl/aKjIOI) - http://goo.gl/aKjIOI
9. [In Data Leaks, Culprits Often Are Mom, Pop](http://goo.gl/aGYbq) - http://goo.gl/aGYbq
10. [Sony PlayStation suffers massive data breach](http://goo.gl/Um5cE) - http://goo.gl/Um5cE
11. [Official PCI Security Standards Council Site](http://goo.gl/Z1lUr) - http://goo.gl/Z1lUr
12. [Approved Scanning Vendors](http://goo.gl/FzzH6) - http://goo.gl/FzzH6
13. [Navigating PCI DSS](http://goo.gl/H5jOK) - http://goo.gl/H5jOK
14. [New! More! A First Look at the PCI DSS 3.0 SAQs](http://goo.gl/YnjkJZ) - http://goo.gl/YnjkJZ
15. [Information Supplement: PCI DSS E-commerce Guidelines](http://goo.gl/R21rw) - http://goo.gl/R21rw
16. [Understanding the SAQs for PCI DSS v3.0](http://goo.gl/V8ZrVF) - http://goo.gl/V8ZrVF
17. [Version 3.0 Change Highlights](http://goo.gl/XDBzkz) - http://goo.gl/XDBzkz
18. [Summary of Changes from PCI DSS Version 2.0 to 3.0](http://goo.gl/7nR1Gt) - http://goo.gl/7nR1Gt
19. [Integrate Authorize.net (Hosted) CIM](http://goo.gl/rvOfz) - http://goo.gl/rvOfz
20. [Top 12 Drupal PCI Compliance Myths](http://goo.gl/phZcg1) - http://goo.gl/phZcg1

## Footnotes

* A. If you qualify as a service provider (SP), you must be SAQ D-SP compliant and you must undergo a full ROC audit by a qualified QSA. Basically, service providers are treated the same as Level 1 merchants, no matter how small a hosting shop you are.
* B. Be advised that the simple matter of handling transactions via fax, terminal, and email in addition to your Drupal site can and often will increase your CDE scope.
* C. It should be noted that the stigma against hosted payment pages continues to fade away as it becomes a more common and accepted form of transaction, particularly in the EU.
* D. Visit [http://www.visa.com/splisting](http://www.visa.com/splisting) to confirm whether or not a vendor is a valid Service Provider.
484 | 485 | ## Reviewers 486 | 487 | The authors of this paper would like to thank the following individuals for reviewing the paper and providing feedback to improve its accuracy and utility. In alphabetical order: Ryan Cross (rcross), Robert Douglass (robertdouglass), Trent Hein (thein), Michael Hess (mlhess), Dave Long (longwave), Alex Knoll (arknoll), Ryan Szrama (rszrama), Peter Wolanin (pwolanin). 488 | 489 | ## Appendix 490 | 491 | ### Additional Resources 492 | 493 | The following is a list of documents that can be found directly from the [Official PCI Security Standards Council Site](https://www.pcisecuritystandards.org/): 494 | 495 | * [PCI Standards - All Documents](http://goo.gl/sH1Jx) - http://goo.gl/sH1Jx 496 | * [Navigation PCI DSS](http://goo.gl/lpnno) - http://goo.gl/lpnno 497 | * [PCI DSS Quick Reference Guide](http://goo.gl/Z3UZ7) - http://goo.gl/Z3UZ7 498 | * [The Prioritized Approach to Pursue PCI DSS Compliance](http://goo.gl/SFZtL) - http://goo.gl/SFZtL 499 | * [Ten Common Myths of PCI SSC](http://goo.gl/TVtxS) - http://goo.gl/TVtxS 500 | * [PCI DSS Glossary of Terms, Abbreviations, and Acronyms](http://goo.gl/ab348) - http://goo.gl/ab348 501 | * [PCI Security Standards Council - Overview](http://goo.gl/rQbVs) - http://goo.gl/rQbVs 502 | * [PCI DSS Self-Assessment Questionnaire (SAQ) Instructions and Guidelines](http://goo.gl/RX0qZ) - http://goo.gl/RX0qZ 503 | * [PCI DSS SAQ C V2.0](http://goo.gl/HCvY1) - http://goo.gl/HCvY1 504 | 505 | ### Disclaimer 506 | 507 | The authors are not lawyers and the contents of this document do not constitute legal advice. The authors are not responsible or liable for any loss or damages you and/or your business may incur as a result of reading this document. Everyone’s PCI compliance needs will be unique to their specific configurations and business needs. It is up to the reader to due their own due diligence and keep up with the latest information found at the PCI Security Standards Council Site. 
### License

This document is Copyright 2013-2014 Rick Manelius, Greg Knaddison, and Ned McClain—CreativeCommons Attribution-No Derivative Works 3.0 Unported http://creativecommons.org/licenses/by-nd/3.0 http://drupalpcicompliance.org/. You may share and re-post the PDF on other sites without modification as long as you clearly link to http://drupalpcicompliance.org/.

--------------------------------------------------------------------------------
/DrupalPCICompliance.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DrupalSecurityTeam/drupalpcicompliance/060b6e0331d3c8f3ad21520c8d69040daf5dc066/DrupalPCICompliance.pdf

--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
Creative Commons Legal Code

Attribution-NoDerivs 3.0 Unported

CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
LEGAL SERVICES. DISTRIBUTION OF THIS LICENSE DOES NOT CREATE AN
ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
REGARDING THE INFORMATION PROVIDED, AND DISCLAIMS LIABILITY FOR
DAMAGES RESULTING FROM ITS USE.

License

THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE
COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY
COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS
AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED.

BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE
TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY
BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS
CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND
CONDITIONS.

1. Definitions

 a. "Adaptation" means a work based upon the Work, or upon the Work and
    other pre-existing works, such as a translation, adaptation,
    derivative work, arrangement of music or other alterations of a
    literary or artistic work, or phonogram or performance and includes
    cinematographic adaptations or any other form in which the Work may be
    recast, transformed, or adapted including in any form recognizably
    derived from the original, except that a work that constitutes a
    Collection will not be considered an Adaptation for the purpose of
    this License. For the avoidance of doubt, where the Work is a musical
    work, performance or phonogram, the synchronization of the Work in
    timed-relation with a moving image ("synching") will be considered an
    Adaptation for the purpose of this License.
 b. "Collection" means a collection of literary or artistic works, such as
    encyclopedias and anthologies, or performances, phonograms or
    broadcasts, or other works or subject matter other than works listed
    in Section 1(f) below, which, by reason of the selection and
    arrangement of their contents, constitute intellectual creations, in
    which the Work is included in its entirety in unmodified form along
    with one or more other contributions, each constituting separate and
    independent works in themselves, which together are assembled into a
    collective whole. A work that constitutes a Collection will not be
    considered an Adaptation (as defined above) for the purposes of this
    License.
 c. "Distribute" means to make available to the public the original and
    copies of the Work through sale or other transfer of ownership.
 d. "Licensor" means the individual, individuals, entity or entities that
    offer(s) the Work under the terms of this License.
 e. "Original Author" means, in the case of a literary or artistic work,
    the individual, individuals, entity or entities who created the Work
    or if no individual or entity can be identified, the publisher; and in
    addition (i) in the case of a performance the actors, singers,
    musicians, dancers, and other persons who act, sing, deliver, declaim,
    play in, interpret or otherwise perform literary or artistic works or
    expressions of folklore; (ii) in the case of a phonogram the producer
    being the person or legal entity who first fixes the sounds of a
    performance or other sounds; and, (iii) in the case of broadcasts, the
    organization that transmits the broadcast.
 f. "Work" means the literary and/or artistic work offered under the terms
    of this License including without limitation any production in the
    literary, scientific and artistic domain, whatever may be the mode or
    form of its expression including digital form, such as a book,
    pamphlet and other writing; a lecture, address, sermon or other work
    of the same nature; a dramatic or dramatico-musical work; a
    choreographic work or entertainment in dumb show; a musical
    composition with or without words; a cinematographic work to which are
    assimilated works expressed by a process analogous to cinematography;
    a work of drawing, painting, architecture, sculpture, engraving or
    lithography; a photographic work to which are assimilated works
    expressed by a process analogous to photography; a work of applied
    art; an illustration, map, plan, sketch or three-dimensional work
    relative to geography, topography, architecture or science; a
    performance; a broadcast; a phonogram; a compilation of data to the
    extent it is protected as a copyrightable work; or a work performed by
    a variety or circus performer to the extent it is not otherwise
    considered a literary or artistic work.
 g. "You" means an individual or entity exercising rights under this
    License who has not previously violated the terms of this License with
    respect to the Work, or who has received express permission from the
    Licensor to exercise rights under this License despite a previous
    violation.
 h. "Publicly Perform" means to perform public recitations of the Work and
    to communicate to the public those public recitations, by any means or
    process, including by wire or wireless means or public digital
    performances; to make available to the public Works in such a way that
    members of the public may access these Works from a place and at a
    place individually chosen by them; to perform the Work to the public
    by any means or process and the communication to the public of the
    performances of the Work, including by public digital performance; to
    broadcast and rebroadcast the Work by any means including signs,
    sounds or images.
 i. "Reproduce" means to make copies of the Work by any means including
    without limitation by sound or visual recordings and the right of
    fixation and reproducing fixations of the Work, including storage of a
    protected performance or phonogram in digital form or other electronic
    medium.

2. Fair Dealing Rights. Nothing in this License is intended to reduce,
limit, or restrict any uses free from copyright or rights arising from
limitations or exceptions that are provided for in connection with the
copyright protection under copyright law or other applicable laws.

3. License Grant. Subject to the terms and conditions of this License,
Licensor hereby grants You a worldwide, royalty-free, non-exclusive,
perpetual (for the duration of the applicable copyright) license to
exercise the rights in the Work as stated below:

 a. to Reproduce the Work, to incorporate the Work into one or more
    Collections, and to Reproduce the Work as incorporated in the
    Collections; and,
 b. to Distribute and Publicly Perform the Work including as incorporated
    in Collections.
 c. For the avoidance of doubt:

     i. Non-waivable Compulsory License Schemes. In those jurisdictions in
        which the right to collect royalties through any statutory or
        compulsory licensing scheme cannot be waived, the Licensor
        reserves the exclusive right to collect such royalties for any
        exercise by You of the rights granted under this License;
    ii. Waivable Compulsory License Schemes. In those jurisdictions in
        which the right to collect royalties through any statutory or
        compulsory licensing scheme can be waived, the Licensor waives the
        exclusive right to collect such royalties for any exercise by You
        of the rights granted under this License; and,
   iii. Voluntary License Schemes. The Licensor waives the right to
        collect royalties, whether individually or, in the event that the
        Licensor is a member of a collecting society that administers
        voluntary licensing schemes, via that society, from any exercise
        by You of the rights granted under this License.

The above rights may be exercised in all media and formats whether now
known or hereafter devised. The above rights include the right to make
such modifications as are technically necessary to exercise the rights in
other media and formats, but otherwise you have no rights to make
Adaptations. Subject to Section 8(f), all rights not expressly granted by
Licensor are hereby reserved.

4. Restrictions. The license granted in Section 3 above is expressly made
subject to and limited by the following restrictions:

 a. You may Distribute or Publicly Perform the Work only under the terms
    of this License. You must include a copy of, or the Uniform Resource
    Identifier (URI) for, this License with every copy of the Work You
    Distribute or Publicly Perform. You may not offer or impose any terms
    on the Work that restrict the terms of this License or the ability of
    the recipient of the Work to exercise the rights granted to that
    recipient under the terms of the License. You may not sublicense the
    Work. You must keep intact all notices that refer to this License and
    to the disclaimer of warranties with every copy of the Work You
    Distribute or Publicly Perform. When You Distribute or Publicly
    Perform the Work, You may not impose any effective technological
    measures on the Work that restrict the ability of a recipient of the
    Work from You to exercise the rights granted to that recipient under
    the terms of the License. This Section 4(a) applies to the Work as
    incorporated in a Collection, but this does not require the Collection
    apart from the Work itself to be made subject to the terms of this
    License. If You create a Collection, upon notice from any Licensor You
    must, to the extent practicable, remove from the Collection any credit
    as required by Section 4(b), as requested.
 b. If You Distribute, or Publicly Perform the Work or Collections, You
    must, unless a request has been made pursuant to Section 4(a), keep
    intact all copyright notices for the Work and provide, reasonable to
    the medium or means You are utilizing: (i) the name of the Original
    Author (or pseudonym, if applicable) if supplied, and/or if the
    Original Author and/or Licensor designate another party or parties
    (e.g., a sponsor institute, publishing entity, journal) for
    attribution ("Attribution Parties") in Licensor's copyright notice,
    terms of service or by other reasonable means, the name of such party
    or parties; (ii) the title of the Work if supplied; (iii) to the
    extent reasonably practicable, the URI, if any, that Licensor
    specifies to be associated with the Work, unless such URI does not
    refer to the copyright notice or licensing information for the Work.
    The credit required by this Section 4(b) may be implemented in any
    reasonable manner; provided, however, that in the case of a
    Collection, at a minimum such credit will appear, if a credit for all
    contributing authors of the Collection appears, then as part of these
    credits and in a manner at least as prominent as the credits for the
    other contributing authors. For the avoidance of doubt, You may only
    use the credit required by this Section for the purpose of attribution
    in the manner set out above and, by exercising Your rights under this
    License, You may not implicitly or explicitly assert or imply any
    connection with, sponsorship or endorsement by the Original Author,
    Licensor and/or Attribution Parties, as appropriate, of You or Your
    use of the Work, without the separate, express prior written
    permission of the Original Author, Licensor and/or Attribution
    Parties.
 c. Except as otherwise agreed in writing by the Licensor or as may be
    otherwise permitted by applicable law, if You Reproduce, Distribute or
    Publicly Perform the Work either by itself or as part of any
    Collections, You must not distort, mutilate, modify or take other
    derogatory action in relation to the Work which would be prejudicial
    to the Original Author's honor or reputation.

5. Representations, Warranties and Disclaimer

UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR
OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY
KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE,
INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY,
FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF
LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS,
WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION
OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.

6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE
LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR
ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES
ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS
BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

7. Termination

 a. This License and the rights granted hereunder will terminate
    automatically upon any breach by You of the terms of this License.
    Individuals or entities who have received Collections from You under
    this License, however, will not have their licenses terminated
    provided such individuals or entities remain in full compliance with
    those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any
    termination of this License.
 b. Subject to the above terms and conditions, the license granted here is
    perpetual (for the duration of the applicable copyright in the Work).
    Notwithstanding the above, Licensor reserves the right to release the
    Work under different license terms or to stop distributing the Work at
    any time; provided, however that any such election will not serve to
    withdraw this License (or any other license that has been, or is
    required to be, granted under the terms of this License), and this
    License will continue in full force and effect unless terminated as
    stated above.

8. Miscellaneous

 a. Each time You Distribute or Publicly Perform the Work or a Collection,
    the Licensor offers to the recipient a license to the Work on the same
    terms and conditions as the license granted to You under this License.
 b. If any provision of this License is invalid or unenforceable under
    applicable law, it shall not affect the validity or enforceability of
    the remainder of the terms of this License, and without further action
    by the parties to this agreement, such provision shall be reformed to
    the minimum extent necessary to make such provision valid and
    enforceable.
 c. No term or provision of this License shall be deemed waived and no
    breach consented to unless such waiver or consent shall be in writing
    and signed by the party to be charged with such waiver or consent.
 d. This License constitutes the entire agreement between the parties with
    respect to the Work licensed here. There are no understandings,
    agreements or representations with respect to the Work not specified
    here. Licensor shall not be bound by any additional provisions that
    may appear in any communication from You. This License may not be
    modified without the mutual written agreement of the Licensor and You.
 e. The rights granted under, and the subject matter referenced, in this
    License were drafted utilizing the terminology of the Berne Convention
    for the Protection of Literary and Artistic Works (as amended on
    September 28, 1979), the Rome Convention of 1961, the WIPO Copyright
    Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996
    and the Universal Copyright Convention (as revised on July 24, 1971).
    These rights and subject matter take effect in the relevant
    jurisdiction in which the License terms are sought to be enforced
    according to the corresponding provisions of the implementation of
    those treaty provisions in the applicable national law. If the
    standard suite of rights granted under applicable copyright law
    includes additional rights not granted under this License, such
    additional rights are deemed to be included in the License; this
    License is not intended to restrict the license of any rights under
    applicable law.


Creative Commons Notice

    Creative Commons is not a party to this License, and makes no warranty
    whatsoever in connection with the Work. Creative Commons will not be
    liable to You or any party on any legal theory for any damages
    whatsoever, including without limitation any general, special,
    incidental or consequential damages arising in connection to this
    license. Notwithstanding the foregoing two (2) sentences, if Creative
    Commons has expressly identified itself as the Licensor hereunder, it
    shall have all rights and obligations of Licensor.

    Except for the limited purpose of indicating to the public that the
    Work is licensed under the CCPL, Creative Commons does not authorize
    the use by either party of the trademark "Creative Commons" or any
    related trademark or logo of Creative Commons without the prior
    written consent of Creative Commons. Any permitted use will be in
    compliance with Creative Commons' then-current trademark usage
    guidelines, as may be published on its website or otherwise made
    available upon request from time to time. For the avoidance of doubt,
    this trademark restriction does not form part of this License.

    Creative Commons may be contacted at http://creativecommons.org/.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
Drupal PCI Compliance White Paper
===================

Visit the official [Drupal PCI Compliance website here](http://drupalpcicompliance.org/).

## Download

[Download the Latest Version in PDF](http://drupalpcicompliance.org/files/DrupalPCICompliance.pdf)

Alternatively, you can download, clone, or fork the project to get access to the markdown and HTML versions of this report.

## Motivation

_This was part of the original proposal for this paper. It has been slightly modified to correct for things like tense, updated statistics, etc._

Drupal.org reports over 73,000+ active Ubercart and Drupal Commerce installations. With such a large and active portion of our community involved in eCommerce, one would expect an equal amount of effort and resources being applied towards helping these websites achieve the mandatory security standards set forth by the Payment Card Industry (PCI).

Unfortunately, a definitive guide or comprehensive resources simply didn't exist. Instead, there were just a handful of articles, forum threads, and videos; most of these resources were fragmented, outdated, and riddled with inaccurate information. Worse yet, Google was reporting that there were only 100-200 keyword searches a month for “Drupal PCI compliance” and other variations.
This was extremely low considering that PCI compliance typically takes months of time and resources to both research and implement.

Failing to become PCI compliant exposes businesses to legal and financial liabilities. It can also expose Drupal to PR issues, where a breach in security can easily lead to “Drupal is insecure” thinking. This should be a huge concern for the Drupal community as a whole, which prides itself on having a strong focus on security as well as one of the world’s most secure open source CMSs.

The goal of this document is to help address the issues listed above and help everyone in the community with an eCommerce website understand and fulfill their PCI compliance obligations.

## Why we chose github flavored markdown for the source document.

We wanted to make this document available in as many formats as possible to accommodate every possible audience and use case. Drupal modules may wish to include the github repo, markdown file, and/or html output for ease of use within a Drupal installation. Drupal evaluators may want a print copy that can be read or handed out.

By starting with github flavored markdown, we can easily convert this document into HTML and PDF as needed. Also, markdown makes it easier to manage changes as this document evolves because issues can be filed on github and the git repo can store a full history of all the changes.

## Errata

If you have discovered an error, have a suggestion, and/or want to provide constructive feedback on how to make this document better, please file an issue on the [github project page](https://github.com/rickmanelius/drupalpcicompliance/issues).

--------------------------------------------------------------------------------
/images/figures/PCI-levels-visa-cardbrand-2013-06-10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DrupalSecurityTeam/drupalpcicompliance/060b6e0331d3c8f3ad21520c8d69040daf5dc066/images/figures/PCI-levels-visa-cardbrand-2013-06-10.png

--------------------------------------------------------------------------------
/images/figures/PCI-saq-breakdown.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DrupalSecurityTeam/drupalpcicompliance/060b6e0331d3c8f3ad21520c8d69040daf5dc066/images/figures/PCI-saq-breakdown.png

--------------------------------------------------------------------------------
/images/figures/PCI-typical-costs-per-saq-type.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DrupalSecurityTeam/drupalpcicompliance/060b6e0331d3c8f3ad21520c8d69040daf5dc066/images/figures/PCI-typical-costs-per-saq-type.png

--------------------------------------------------------------------------------
/images/graphics/druplicon-credit-card.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DrupalSecurityTeam/drupalpcicompliance/060b6e0331d3c8f3ad21520c8d69040daf5dc066/images/graphics/druplicon-credit-card.png

--------------------------------------------------------------------------------
/images/graphics/druplicon-credit-card.psd:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DrupalSecurityTeam/drupalpcicompliance/060b6e0331d3c8f3ad21520c8d69040daf5dc066/images/graphics/druplicon-credit-card.psd

--------------------------------------------------------------------------------
/images/sponsors/logo-appliedtrust.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DrupalSecurityTeam/drupalpcicompliance/060b6e0331d3c8f3ad21520c8d69040daf5dc066/images/sponsors/logo-appliedtrust.png

--------------------------------------------------------------------------------
/images/sponsors/logo-card.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DrupalSecurityTeam/drupalpcicompliance/060b6e0331d3c8f3ad21520c8d69040daf5dc066/images/sponsors/logo-card.png

--------------------------------------------------------------------------------
/images/sponsors/logo-commerce-guys.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DrupalSecurityTeam/drupalpcicompliance/060b6e0331d3c8f3ad21520c8d69040daf5dc066/images/sponsors/logo-commerce-guys.png

--------------------------------------------------------------------------------
/images/sponsors/logo-copperly.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DrupalSecurityTeam/drupalpcicompliance/060b6e0331d3c8f3ad21520c8d69040daf5dc066/images/sponsors/logo-copperly.png

--------------------------------------------------------------------------------
/images/sponsors/logo-crossfunctional.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DrupalSecurityTeam/drupalpcicompliance/060b6e0331d3c8f3ad21520c8d69040daf5dc066/images/sponsors/logo-crossfunctional.png

--------------------------------------------------------------------------------
/images/sponsors/logo-hosted-pci.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DrupalSecurityTeam/drupalpcicompliance/060b6e0331d3c8f3ad21520c8d69040daf5dc066/images/sponsors/logo-hosted-pci.png

--------------------------------------------------------------------------------
/images/sponsors/logo-newmedia.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DrupalSecurityTeam/drupalpcicompliance/060b6e0331d3c8f3ad21520c8d69040daf5dc066/images/sponsors/logo-newmedia.png

--------------------------------------------------------------------------------
/images/sponsors/logo-townsend-security.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/DrupalSecurityTeam/drupalpcicompliance/060b6e0331d3c8f3ad21520c8d69040daf5dc066/images/sponsors/logo-townsend-security.png
--------------------------------------------------------------------------------