Let's Talk About PCI Compliance for Drupal
Drupal makes it incredibly easy to turn even the simplest website into a full-fledged commerce solution. All you have to do is download a few modules, check a few boxes, and you’re up and running in no time!
Unfortunately, there’s a (big) catch.
Accepting credit/debit card payments online makes a website subject to the Payment Card Industry Data Security Standard (PCI DSS). This maze of policies, procedures, and responsibilities can seem overwhelming and expensive, leading many to give up, or to question whether it’s worth trying to become compliant at all. However, ignoring one’s responsibilities can increase the odds of a security breach, which can have the following (severe) consequences:
- Financial: hefty penalties per compromised record.
- Public Relations: damaged reputation, loss of trust, loss of future customers.
- Legal: lawsuits.
Fortunately, it doesn’t have to be this way.
The time it takes to become PCI compliant can be reduced from months to minutes (this is not an exaggeration) by selecting the right modules, namely ones that keep cardholder data off your own servers, and configuring them properly. For websites with requirements that prevent these solutions from being used, it is still possible to achieve and maintain compliance; it simply takes the correct knowledge and the willingness to make it happen. Having been through this painful learning curve myself, my goal is to convey the knowledge I’ve learned over the past 4 years and inspire you to take action on it.
Who Should Attend?
This talk is geared towards a diverse audience: developers, Drupal shops, and companies evaluating Drupal for their eCommerce solution. After all, each group shares the responsibility of ensuring that payments are handled securely.
What Will Be Covered?
During this session, we will:
- Give a high level overview of the PCI DSS standard.
- Dispel a few myths.
- Outline basic do’s and don’ts.
- Discuss strategies that can significantly reduce your PCI responsibilities.
- Compare the ease of achieving compliance with Drupal Commerce, Ubercart, and other payment options.
Comments
greggmarshall replied:
What a great idea for a seminar! Having worked in an industry that went through a PCI compliance phase, I was amazed how big the "fines" the credit card companies can assess if you aren't PCI compliant. And I am guessing a large number of e-commerce sites are not PCI compliant. I wonder if the web developer has any liability if the site isn't?
ryanblyth replied:
Sounds good! It's easy enough to get a cart up and going, but I know there is more to it than that to do it right. I'd love to learn some of the PCI Compliance dirty details, especially the modules and configuration that can reduce compliance down to a few minutes.
ktlynn replied:
Looking forward to hearing more about this! Just as we learned from Commerce Guys last year, 'recurring billing is hard, hard, hard,' PCI Compliance can be a tricky beast not only in terms of development but also in terms of client expectations and understanding. The more we can know about compliance, its complexities, and our options, the better we can serve our clients while simultaneously mitigating our risk.
robertDouglass replied:
News flash - this guy knows his stuff. This topic is mega important and has never really been talked about at DrupalCons (afaik). +1 for PCI compliance.
databoy replied:
I've heard the presenter speak, and he knows his stuff! Looking forward to this!