Drupal PCI Compliance White Paper—Officially Released!

Seven months ago I posted a lengthy article regarding PCI Compliance for Drupal. It was an MVP of sorts (Minimum Viable Post). The goal was to test the waters to see if I could gain enough interest and support to justify spending the time to create a white paper to help bring clarity to a complex and misunderstood topic. 2000+ page views and 20+ comments later, I knew that I struck a chord with enough people to take the leap, and so here we are today with a delivered contribution back to the community.

Why should you care?

Every eCommerce website that accepts credit or debit card transactions has a contractual obligation to become and remain PCI compliant (with fines and penalties if a security breach occurs while you are not compliant). And while Drupal makes it trivial to spin up a basic eCommerce website, anecdotal evidence suggested that only a subset of the community was even aware of this requirement. A smaller subset of that recognized that it was a problem. And finally, an even smaller subset knew what to do in order to become compliant. Therefore, I believed we were facing three problems:

  1. A lack of awareness (of the requirements themselves).
  2. A lack of acknowledgement (of the importance of compliance).
  3. A lack of guidance (specific to the Drupal community on how to meet the requirements).

In fact, I personally experienced all three stages. I had operated a Drupal eCommerce website for almost 2 years without knowing even the most basic fundamentals regarding PCI compliance. When the reality finally hit me, I was stressed to the max trying to figure this all out on my own because there were very few resources within the community. My hope is that this white paper is the very thing that would have prevented me from getting into that mess in the first place!

Solving the Problems

Addressing the three problems was no easy task. If the paper was too technical, it would only be understood by developers and website owners would remain in the dark. However, making it too long and all encompassing would create a high barrier to entry with respect to people reading and understanding it. So we had to start off with some basic objectives:

We believe we've hit all of these goals. We sent the paper out to numerous reviewers (technical and otherwise) to make sure the information was not overly difficult to read. We created the document in markdown and provided instructions on conversion to markdown and pdf. We hosted the document on a public github repo and a public-facing website where anyone can download the report for free. We almost kept the document to 15 pages (20 pages isn't too bad!).

With respect to credibility, I was fortunate enough to enlist the help of two amazing co-authors: Greg Knaddison and Ned McClain. Greg is the Drupal Security team lead and author of Cracking Drupal. Ned is the co-owner and co-founder of AppliedTrust, a company that has extensive knowledge in both Drupal and security standards, such as PCI and HIPAA compliance. Both brought a tremendous amount of experience and domain knowledge that was critical in improving the accuracy of the report.

Given all that, I believe we achieved the goals we set out for and that this white paper will be a valuable resource to the Drupal eCommerce community.


This project easily took over a hundred hours (probably closer to two hundred) to put together, on top of the time it took to learn all the nuances of PCI compliance in the first place. Therefore, in order to allot the time and still keep this information free, I reached out to several companies for sponsorship. I wanted to publicly thank them one more time for supporting this project.

On Contributing

I started becoming active in the Drupal Community after being inspired by a DrupalCamp Colorado presentation by webchick in 2011 about the importance of giving back to the community. After that point, I definitely tried as best I could: I was active in the issue queues, I was attending meetups, and I was helping mentor new members of the community. However, I never felt like I was able to contribute something back of significance that compared to the Dave Reids of the community (I mean, the guy maintains over 50 modules!).

This project was very different. It was the first time where I felt I could contribute something back to the community that was unique. And while it has been a long, hard road, it has been both personally and professionally rewarding to see the impact it's already had on those that have read it. Needless to say, I'm excited to find the next Drupal project to continue contributing back to the community!

Tags: PCI compliance, Drupal, Drupal Planet