Closed (fixed)
Project:
Commerce Core
Version:
7.x-1.x-dev
Component:
Documentation
Priority:
Normal
Category:
Support request
Assigned:
Unassigned
Reporter:
Created:
27 Jan 2012 at 16:39 UTC
Updated:
9 Mar 2015 at 15:31 UTC
Jump to comment: Most recent
Comments
Comment #1
rszrama commentedThe primary thing is that Drupal Commerce does not retain CC data at all. It's immediately transmitted to the payment gateway upon checkout form submission. There's much more to PCI compliance, though, including the full software / hardware stack and processes / administrator logging and the like. Up to a certain transaction volume, I believe you can self-certify, but the easiest course of action will always be to use a redirected payment method (or a gateway w/ some sort of "tokenization" system they call it) - if you don't take payment data in through your domain, you're not responsible for it.
Comment #3
rickmanelius commentedHi chrisjlee,
I've also been on this journey of understanding all the ramifications of PCI compliance for Ubercart and Drupal Commece. I ended up writing an overview article because I've had to explain this time and time again to clients and colleagues. While it's not perfect and it needs to be more detailed, I'm posting in here because many others have found it to be a helpful overview.
http://soundpostmedia.com/article/lets-talk-about-pci-compliance-ubercar...
Comment #4
rickmanelius commentedFor anyone else landing on this thread, a lot has happened in the past few years. There is a community supported white paper on the subject http://drupalpcicompliance.org. If you have any questions or note any errors, please submit an issue at the github project (https://github.com/rickmanelius/drupalpcicompliance/issues). Thanks in advance!