Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.
By wfx on
I'm interested in knowing what legal headaches some of you might have encountered after setting up an online store for someone and it got hacked. It seems that everyone wants a website and they want to set up a shop but no one wants to pay to have their site supported or secured. My personal feeling is that if you can't pay to have your site maintained then you shouldn't bother with an online store.
What do you think?
Do many of you have clients sign a contract that removes you of liability if their E-Commerce module gets hacked? I'd like some perspectives from seasoned freelancers.
Many thanks,
K.Webb
p.s. As topics often get discussed to death please point me in the direction of previous discussions if I missed some in my search.
Comments
Always assume that the site will get hacked
If you can keep the credit card numbers off your database, then it won’t be any more attractive than your regular Drupal site. We normally deploy e-commerce sites using a system such as Ubercart that allows you to collect payment using a third-party such as Paypal or Google Checkout. The process is swift, credit cards are accepted, the money is transferred immediately, and the liability is off your site.
Building an e-commerce site that stores credit card numbers in the database is a recipe for disaster unless you are 100% sure that you did everything you could to protect the data and the server, and follow the appropriate e-commerce laws, regulations and guidelines. For instance:
http://www.business.gov/business-law/online-business/
http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
http://www.owasp.org/index.php/Handling_E-Commerce_Payments
If your client is intending to deploy a system that fails to meet standards you SHOULD DEFINITELY GET A WAIVER OF LIABILITY for yourself, and written proof that you warned the client about the risks. Incidentally, I would recommend getting the waiver regardless, and bringing in a security specialist to take over the responsibility and handle the security discussions with the client.
I've seen people that can get into anything - some of these hackers are absolutely brilliant. Just recently Google announced that hackers got into the source code of its authentication algorithm (probably the most sensitive chunk of code in their entire operation.) For all practical purposes, NO SERVER is beyond being hacked, and unless you have all your bases 100% covered, it is healthy to assume that your site will be targeted and penetrated at some point.
I know that this opinion may seem gloomy, but I believe it to be realistic, good advice based on my field experience.
Thanks
I appreciate you taking the time to write and for your perspective, you've confirmed a lot of things I already suspected. I'll take your advice on using Paypal or Google Checkout as my payment options to shift liability away from my sites. Thanks again for your thoughts.