I don't know anything about security or standards or PCI compliance. Thus, forgive me for my ignorance.

A client has asked us if Drupal Commerce Complies with PCI DSS standards.

If so how what practices does drupal commerce do in order to comply to these standards?

Or am i barking up the wrong tree? Is PCI compliance primarily a IT issue over software concerns?

Comments

rszrama’s picture

Status: Active » Fixed

The primary thing is that Drupal Commerce does not retain CC data at all. It's immediately transmitted to the payment gateway upon checkout form submission. There's much more to PCI compliance, though, including the full software / hardware stack and processes / administrator logging and the like. Up to a certain transaction volume, I believe you can self-certify, but the easiest course of action will always be to use a redirected payment method (or a gateway w/ some sort of "tokenization" system they call it) - if you don't take payment data in through your domain, you're not responsible for it.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

rickmanelius’s picture

Hi chrisjlee,

I've also been on this journey of understanding all the ramifications of PCI compliance for Ubercart and Drupal Commece. I ended up writing an overview article because I've had to explain this time and time again to clients and colleagues. While it's not perfect and it needs to be more detailed, I'm posting in here because many others have found it to be a helpful overview.

http://soundpostmedia.com/article/lets-talk-about-pci-compliance-ubercar...

rickmanelius’s picture

Issue summary: View changes

For anyone else landing on this thread, a lot has happened in the past few years. There is a community supported white paper on the subject http://drupalpcicompliance.org. If you have any questions or note any errors, please submit an issue at the github project (https://github.com/rickmanelius/drupalpcicompliance/issues). Thanks in advance!