Comparing PCI Compliance Considerations Among Ubercart and Drupal Commerce Payment Gateways

Selecting an appropriate payment gateway is one of the most important choices to make when designing, building, and maintaining an eCommerce website powered by Drupal. Choose poorly and the out-of-the-box feature set may not fit all of the project's needs (e.g. "where's the recurring billing option?") or may not be possible at all (e.g. "where can I charge my customer's card for a future purchase?"). The payment gateway choice will also greatly impact the resources required (in terms of time, money, and expertise) to sufficiently secure the credit card transactions in order to achieve and maintain PCI compliance.

As a Drupal developer trying to wow clients with amazing out-of-the-box features, it can be tempting to focus on functionality over security. However, one of my biggest concerns for those selecting Ubercart as their eCommerce solution is its lack of available payment gateways that can achieve a client's desired feature set while still reducing one's PCI compliance woes. The goal of this article is to encourage everyone to select a shared-management gateway solution (defined and described below) and to highlight that Drupal Commerce has more of these types of gateways available.

Payment Gateway Types

The Payment Card Industry (PCI) groups payment gateways into three basic types: merchant-managed, shared-management, and wholly outsourced. I'll explain each of them in reverse order.

Wholly Outsourced

In this implementation, the eCommerce platform is entirely hosted, managed, and secured by a 3rd party vendor that explicitly assumes the PCI responsibilities for securing the credit card payment process. Examples include Bigcommerce, Volusion, etc. The only Drupal-specific example I know of that could fit this criteria would be Drupal Gardens using Cashie or Paypal.

Shared-management

In this implementation, the shopping cart experience begins on a Drupal site, but the credit card data is submitted directly to the payment gateway rather than to Drupal, by one of three methods:

Direct Post: Drupal renders the checkout form, but the browser posts the card fields straight to the gateway (or the gateway's JavaScript tokenizes them in the browser), and only a token or result code is returned to Drupal.

Hosted Payment Page (HPP): the customer is redirected to a payment page hosted by the gateway and is returned to the Drupal site once payment completes.

iframe: the gateway's payment form is embedded in the Drupal checkout page inside an iframe served from the gateway's domain, so the customer stays on site while the card data still bypasses Drupal.

In all three cases the cardholder data never passes through the Drupal server, which removes most of the site from PCI DSS scope. The Drupal site still delivers the page that performs the redirect, embeds the iframe, or hosts the direct-post form, so it remains partly responsible for the integrity of that page; this is why PCI calls the model shared management rather than outsourced.

Merchant-Managed

In a merchant-managed implementation, the credit card information is submitted directly back to the Drupal site through the Form API. Drupal then processes and transmits the card data to the payment processor and receives a response code to let it know whether the payment succeeded or failed. Because cardholder data is received, processed, and transmitted by the Drupal server, the whole web stack (application code, hosting environment, logs, and backups) falls within PCI DSS scope.

PCI Compliance Considerations

Choosing a merchant-managed solution is the most risky because you assume most of the responsibility and liability for securing the entire credit card transaction process. Choosing a wholly outsourced solution is perhaps the most restrictive because you essentially lose all the benefits of using a flexible and feature-rich CMS like Drupal.

Shared-management solutions are the balance point between these two extremes. They allow one to leverage most of the flexibility and functionality of Drupal while significantly reducing the amount of time, effort, and resources required to achieve and maintain PCI compliance.

Comparing Ubercart and Drupal Commerce Payment Gateways

At first I wanted to create an exhaustive list of every payment gateway, but I decided to focus on a subset to simply illustrate the point. If I have neglected any gateways that would paint a different picture, please be sure to alert me in the comments section and I will correct these tables.

Here is the breakdown of several payment gateway options for Drupal Commerce (X = a module is available; NA = the gateway offers this method but no module is available; blank = the gateway does not offer this method):

Gateway                  | Merchant Managed | Direct Post | HPP | iframe
Authorize.net ARB        | X                |             |     |
Authorize.net CIM        | X                |             |     |
Authorize.net DPM/SIM    |                  | X           | X   |
Authorize.net Hosted CIM |                  |             |     | NA
Braintree                |                  | X           |     |
Hosted PCI               |                  |             |     | X
Paypal WPS               |                  |             | X   |
Paypal PPA               |                  |             | X   | X
Stripe                   |                  | X           |     |

And here is a similar breakdown for Ubercart (same legend):

Gateway                  | Merchant Managed | Direct Post | HPP | iframe
Authorize.net ARB        | X                |             |     |
Authorize.net CIM        | X                |             |     |
Authorize.net DPM/SIM    |                  | X           | X   |
Authorize.net Hosted CIM |                  |             |     | NA
Braintree                |                  | NA          |     |
Hosted PCI               |                  |             |     | NA
Paypal WPS               |                  |             | X   |
Stripe                   |                  | NA          |     |

Sadly, almost every available shared-management implementation for Ubercart involves a redirect to a hosted payment page, which clients in the United States are usually resistant to because they dislike not being able to keep the customer on site for the entire checkout process (sidenote: customers in the EU tend to be much more accepting of hosted payment pages, so this stigma against HPPs will not necessarily persist). Thankfully there is at least one known direct post method for Ubercart (Authorize.net DPM), but it cannot be used in conjunction with card-on-file or recurring billing capabilities. As for iframe implementations such as Authorize.net Hosted CIM, that has already been ruled out as unlikely to happen for Ubercart.

By comparison, Drupal Commerce has several options from companies offering shared-management implementations (Stripe, Braintree, Hosted PCI) and actually offers an iframe option (Hosted PCI). The Drupal Commerce community is also very active and growing, while Ubercart's community will likely hit end-of-life in the next year.

Author's Note: I know there are many, many more Ubercart payment gateway modules out there, but many of them are deprecated, have fewer than 50 users, and/or are unmaintained.

Summary

To learn more, please read my previous article (Let's Talk About PCI Compliance for Ubercart and Drupal Commerce) and stay tuned for the PCI compliance white paper that should be ready in a few short weeks!

Tags: Drupal Planet, PCI compliance