E-Commerce Sites and PCI Compliance
I'm a pretty paranoid person in general, so I'm hypersensitive to topics related to risk and prevention. I always wear my seatbelt. I tear up my unused checks. I cut the cords on our window blinds to prevent choking. Being in the web design field, one of my greatest fears is messing up a client's site in a way that causes loss of security and/or loss of money.
So when I recently listened to a podcast on financial security and the fines for noncompliance, I was all ears. The subject of the podcast was PCI compliance. PCI (Payment Card Industry) compliance affects anyone who is using credit card transactions on their website (even if you are using PayPal... so keep reading).
When consumers make a purchase through a website using a credit card, they assume that their data is protected.
We see in the news that hacks can happen and credit card numbers get stolen, but we expect companies to make every effort to protect our information. Without PCI compliance, credit card information is vulnerable. What happens if consumer data is stolen and PCI compliance is not up to par? There can be thousands of dollars in fines, future audit requirements to confirm PCI compliance ($$expensive$$), and loss of brand trust for the company (not to mention the web company that built the site).
When creating an e-commerce site project, who should be taking the initial step to protect consumer data? Is that the responsibility of the web design company who is constructing the site? Or is it the responsibility of the company to whom the site belongs? The answer is both of them. Worst case scenario is neither.
Why a Company Should Know PCI Compliance:
Essentially, if anything is missed or found to be negligent, you open yourself to liability that results in a lot of fines. Even if a breach is a result of a poorly constructed site, it's the company to whom the site belongs that is liable for those fines.
If you use a third-party service to process your card transactions (like PayPal or Square), this can take care of a lot of your compliance needs, but you need to make sure that the service is PCI compliant as well. You also need to make sure that your site is PCI compliant, even if it's not technically e-Commerce. Just having a link to PayPal makes you subject to PCI compliance, so know what you are doing. Check out the PCI SAQs (Self-Assessment Questionnaires) to find out specifically which compliance areas you are responsible for.
Why a Web Firm Should Know PCI Compliance:
When a client comes to a web firm, they often assume that the company knows every aspect of their project and the security risks associated. They may not even mention (or know) that they need a site that is PCI compliant. Make sure you are asking the questions. While Drupal has a ton of security features that make it a great option for e-Commerce, using Drupal alone does not guarantee PCI compliance.
PCI compliance is not just about technical security, but the processing of the information. If a company is not familiar with PCI compliance, they may create a procedure that is inherently vulnerable, regardless of the great security features of their site. If their site is hacked, the company who created the site may suffer some reputation damage (regardless of whether or not they were the reason for the breach). Even hosting options (like the Cloud) can fall outside of PCI guidelines.
PCI compliance is not a sexy topic for anyone, so trying to find an expert in the Drupal community is not easy. Rick Manelius is the guy to listen to. A great resource that Rick created specifically to help Drupal developers working with e-Commerce sites is his Drupal Compliance White Paper. A very readable resource, this paper covers the basics of PCI compliance that companies and developers need to know to protect their own liability. Also, check out his post on Ubercart and Drupal Commerce; he has a great section entitled Myths About PCI Compliance within Drupal.
In short, ignoring PCI compliance is a lot like ignoring your seatbelt. You may never get into a crash, but if you do, it is sure to mess you up.
Resources:
Drupal Compliance PCI White Paper
Download a Quick Reference Guide from PCI Security Standards
10 Tips for eCommerce on Drupal
Photo credit goes to Mr. Tallahassee.