Comparing PCI Compliance Considerations Among Ubercart and Drupal Commerce Payment Gateways
Selecting an appropriate payment gateway is one of the most important choices to make when designing, building, and maintaining an eCommerce website powered by Drupal. Choose poorly and the out-of-the-box feature set may not fit all of the project's needs (e.g. "where's the recurring billing option?") or may not be possible at all (e.g. "where can I charge my customer's card for a future purchase?"). The payment gateway choice will also greatly impact the resources required (in terms of time, money, and expertise) to sufficiently secure the credit card transactions in order to achieve and maintain PCI compliance.
As a Drupal developer trying to wow clients with amazing out-of-the-box features, it can be tempting to focus on functionality over security. However, one of my biggest concerns for those selecting Ubercart as their eCommerce solution is its lack of available payment gateways that can achieve a client's desired feature set while still being able to reduce one's PCI compliance woes. The goal of this article is to encourage everyone to select a shared-management gateway solution (defined and described below) and to highlight that Drupal Commerce has more of these types of gateways available.
Payment Gateway Types
The Payment Card Industry (PCI) groups payment gateways into three basic types: merchant-managed, shared-management, and wholly outsourced. I'll explain each of them in reverse order.
Wholly Outsourced
In this implementation, the eCommerce platform is entirely hosted, managed, and secured by a third-party vendor that explicitly assumes the PCI responsibilities to secure the credit card payment process. Examples include: Bigcommerce, Volusions, etc. The only Drupal-specific example I know of that could fit this criteria would be Drupal Gardens using Cashie or Paypal.
Shared-management
In this implementation, the shopping cart experience begins on a Drupal site and the credit card payment is submitted directly to the payment gateway by one of three types of methods:
- Hosted Payment Page (HPP). This involves redirecting a customer to your payment processor's website where they enter their payment information directly on the payment gateway's servers. Once the transaction is successful, the customer is redirected back to the Drupal site to an order confirmation page with an authorization code so that Drupal knows the payment went through.
- Direct Post. This is essentially a sleight of hand in which the credit card form on a Drupal site is modified so that the credit card details are posted (through an HTML form post over HTTPS) directly to the payment processor instead of being submitted to the Drupal Form API. Once the payment is approved, the payment gateway sends a one-time verification token back to the customer's browser, which is then processed through the Drupal Form API and sent back to the payment gateway. The token is used simply so that Drupal can verify that the payment was accepted.
- iFrame. This is essentially a combination of the two methods above. Here the credit card form is embedded in the checkout pane through an iframe. The form, being hosted on the payment processor's server, receives the credit card data directly and returns a token that can then be processed through Drupal to charge and/or verify a payment with the payment gateway.
Merchant-Managed
In a merchant-managed implementation, the credit card information is submitted directly back to a Drupal site through the Form API. Drupal then processes and transmits the card data to the payment processor and receives a response code to let it know whether the payment succeeded or failed.
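The direct-post flow and the merchant-managed flow side by side, as an added simulation that is not from this article or from any Drupal or gateway module: a constructed stand-in gateway and a constructed stand-in for the Drupal form handlers show that with direct post the Drupal server only ever receives a one-time token (which it redeems with the gateway, so a replayed or amount-tampered token fails), while in the merchant-managed path the raw card data transits the Drupal server. All class and function names, the test card number and the token format are assumptions.

```python
import secrets

TEST_PAN = "4111111111111111"  # constructed test card number, not a real card

class Gateway:  # stand-in for the payment processor (constructed; not any real gateway's API)
    def __init__(self):
        self._pending = {}  # one-time token -> amount the cardholder authorised

    def direct_post(self, pan, exp, cvv, amount):
        # The browser posts card data straight here over HTTPS; only a token goes back.
        token = secrets.token_hex(16)
        self._pending[token] = amount
        return token

    def verify(self, token, amount):
        # The merchant redeems the token once; a replayed or amount-mismatched token fails.
        return self._pending.pop(token, None) == amount

    def charge(self, pan, exp, cvv, amount):
        # Merchant-managed path: the merchant server submits raw card data itself.
        return pan.isdigit() and amount > 0

class MerchantSite:  # stand-in for the Drupal form handlers; request_log is what the server saw
    CARD_FIELDS = {"card_number", "exp", "cvv"}
    def __init__(self, gateway):
        self.gateway = gateway
        self.request_log = []

    def direct_post_submit(self, post):
        self.request_log.append(dict(post))
        if self.CARD_FIELDS & set(post):
            # A mis-wired form sent card data to Drupal: refuse it; accepting it would put this server in full PCI scope.
            return "rejected"
        return "paid" if self.gateway.verify(post["token"], post["amount"]) else "declined"

    def merchant_managed_submit(self, post):
        self.request_log.append(dict(post))
        ok = self.gateway.charge(post["card_number"], post["exp"], post["cvv"], post["amount"])
        return "paid" if ok else "declined"

def received_card_data(merchant):
    # True if any request that reached the merchant server carried the PAN.
    return any(TEST_PAN in str(v) for req in merchant.request_log for v in req.values())

def direct_post_checkout(gateway, merchant, amount=4999):
    token = gateway.direct_post(TEST_PAN, "12/30", "123", amount)  # browser -> gateway
    return merchant.direct_post_submit({"token": token, "amount": amount}), token  # -> Drupal

def merchant_managed_checkout(gateway, merchant, amount=4999):
    post = {"card_number": TEST_PAN, "exp": "12/30", "cvv": "123", "amount": amount}
    return merchant.merchant_managed_submit(post)  # card data transits the Drupal server
```

The `received_card_data` check is the practical test of scope: after a direct-post checkout it is false, after a merchant-managed one it is true.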
PCI Compliance Considerations
Choosing a merchant-managed solution is the most risky because you assume more of the responsibility and liability in securing the entire credit card transaction process. Choosing a wholly outsourced solution is perhaps the most restrictive because you essentially lose all the benefits of using a flexible and feature rich CMS like Drupal.
Shared-management solutions are the balance point between these two extremes. They allow one to leverage most of the flexibility and functionality of Drupal while significantly reducing the amount of time, effort, and resources required to achieve and maintain PCI compliance.
Comparing Ubercart and Drupal Commerce Payment Gateways
At first I wanted to create an exhaustive list of every payment gateway, but I decided to focus on a subset to simply illustrate the point. If I have neglected any gateways that would paint a different picture, please be sure to alert me in the comments section and I will correct these tables.
Here is the breakdown of several payment gateway options for Drupal Commerce:
Gateway | Merchant Managed | Direct Post | HPP | iframe
---|---|---|---|---
Authorize.net ARB | X | | |
Authorize.net CIM | X | | |
Authorize.net DPM/SIM | | X | X |
Authorize.net Hosted CIM | NA | NA | NA | NA
Braintree | | X | |
Hosted PCI | | | | X
Paypal WPS | | | X |
Paypal PPA | | | X | X
Stripe | | X | |
And here is a similar breakdown for Ubercart.
Gateway | Merchant Managed | Direct Post | HPP | iframe
---|---|---|---|---
Authorize.net ARB | X | | |
Authorize.net CIM | X | | |
Authorize.net DPM/SIM | | X | X |
Authorize.net Hosted CIM | NA | NA | NA | NA
Braintree | NA | NA | NA | NA
Hosted PCI | NA | NA | NA | NA
Paypal WPS | | | X |
Stripe | NA | NA | NA | NA
Sadly, almost every (available) shared-management implementation for Ubercart involves a redirect to a hosted page, which clients in the United States are usually resistant towards because they dislike not being able to keep the customer on site during the entire checkout process (sidenote: citizens of the EU tend to be much more accepting of hosted payment pages, so this stigma against HPPs is not necessarily going to persist). Thankfully there is at least one known direct post method (Authorize.net DPM) for Ubercart, but this option cannot be used in conjunction with card-on-file or recurring billing capabilities. As for including iframe implementations, such as Authorize.net Hosted CIM, it's already been ruled out as unlikely to happen for Ubercart.
By comparison, Drupal Commerce has several different options with respect to companies offering shared-management implementation (Stripe, Braintree, Hosted PCI) and actually offers an iframe option (Hosted PCI). The Drupal Commerce community is also very active and growing while Ubercart's community will likely hit end-of-life in the next year.
Author's Note: I know there are many, many more Ubercart payment gateway modules out there, but many of them are deprecated, have fewer than 50 users, and/or are unmaintained.
Summary
- Selecting the right payment gateway is not a decision that should be made lightly.
- Shared-management gateways tend to offer the best balance of features and ease of achieving/maintaining PCI compliance.
- Drupal Commerce offers more shared-management solutions, both in terms of the quantity of companies to select from as well as the diversity in the types of implementations.
To learn more, please read my previous article (Let's Talk About PCI Compliance for Ubercart and Drupal Commerce) and stay tuned for the PCI compliance white paper that should be ready in a few short weeks!