PCI Compliance: Myths, Mayhem, and the Mandatory Responsibility of Protecting Customer Credit Card Data

Adobe, Target, JCPenney, Heartland, and others: in the past few years, we’ve seen the pain brought on by large companies experiencing major security breaches: millions of credit card records stolen, damaging headlines in the news, customer confidence lost, and bottom-line losses of up to $200 per stolen customer record (1). Yes, security breaches in which sensitive data is compromised can hurt… a lot.

Drupal is Not Immune to These Types of Attacks

The Drupal websites that we build may not be as large as Adobe.com (yet!), but the fact is that 85% of all breaches involving sensitive data came from small and medium-sized businesses. And with Drupal’s growth over the past decade being nothing short of phenomenal (the evidence being that we’ve topped over a million registered drupal.org users, that over 2% of all websites in the world are powered by Drupal, and that we have over 80,000 reported installations of Drupal’s most popular eCommerce shopping cart solution), we will only become a bigger target. If we want to protect Drupal’s reputation for being a secure, world-class CMS with eCommerce capabilities, we will need to raise our security standards and practices.

The Good (and Bad) News

The Payment Card Industry Data Security Standard (PCI-DSS) is a set of mandatory merchant requirements that, when properly understood and implemented, can improve the security of a website (and supporting infrastructure) that is handling credit card payments. The good news is that these requirements are extraordinarily detailed and adhere to many security best practices that we should all strive to learn and implement across the board. The bad news is that, despite the abundance of information provided on the topic, a considerable portion of the Drupal community is unaware of what PCI compliance is, why they should care, and how to actually achieve and maintain compliance for the websites we build and maintain.

Goals of this Session

This session aims to be educational and practical. At a minimum, the following will be addressed:

  • PCI Compliance 101: what it is, why you should care, and why it’s mandatory.
  • Drupal PCI compliance myths and misunderstandings.
  • Why you should never, never, EVER store credit card numbers on a Drupal site.
  • Payment gateway types, how they work, and the benefits/risks associated with each.
  • PCI compliance resources and recommendations on how to get started.
The inspiration for this work was based on years of “doing it wrong.” After a near panic attack and a 2+ month journey to learn about and achieve compliance for a large client, I had a strong desire to help others in the Drupal community so they would not fall into the same trap. With the help of two amazing collaborators (Greg Knaddison and Ned McClain) and a handful of sponsors, a white paper on this topic was produced.

This session goes beyond the paper with new material, additional details, and more examples.

References

1. 2010 Annual Study: U.S. Cost of a Data Breach

Schedule info

Experience level: Intermediate
Drupal Version: Drupal 7.x