Drupal PCI Compliance White Paper: Update 5/5/2013
For context, see the reference links at the end of this post.
Where We Are
I'm pleased to announce the following:
- My co-authors and I have completed a rough draft of this white paper and we're actively refining it to get to a completed first draft.
- Ned McClain of Applied Trust has joined the project as a co-author. Ned's expertise and years of experience in this field have been an extremely valuable asset, and this project will continue to benefit as a direct result of his input.
- A heartfelt thanks to Ryan Cross of CrossFunctional for becoming our latest project sponsor.
- The article that sparked this project (Let's Talk About PCI Compliance for Ubercart and Drupal Commerce) has crossed 2500 page views. This reinforces (at least to me) that there is a demand for more information on this subject matter.
Why PCI Compliance for Drupal Is More Important Than Ever
- The number of reported Ubercart/Drupal Commerce installations continues to grow rapidly.
- Many "silver bullet" strategies are not as bulletproof as you'd like to believe.
- A new version of the PCI standard will be released within a year and the requirements are only going to get more stringent.
- As companies become more distributed and adopt cloud-based solutions, it's important to define who is responsible (and liable) in the context of securing payments.
- Fully understanding this topic can give you and/or your business a competitive advantage in the Drupal ecommerce marketplace.
And perhaps the most important item—if you currently own, operate, or host an ecommerce website that is NOT compliant, you could be putting your business at risk.
Next Steps
This is a complex topic that requires a lot of time to check assumptions, distill a large volume of material down to the most important elements, and write it in a way that is understandable across several audiences within the community. Having nearly achieved a fully complete first draft, we are at the stage where we will need to iterate and refine it to ensure it's one cohesive document and has all the necessary components (most notably references, citations, and footnotes). We will then reach out to additional reviewers to get feedback from a wider audience. If all goes as planned, this feedback will only require us to make minor adjustments, and we will have a clear path forward to a final release.
Sponsorship
There are still several gold and silver sponsorships available if you are willing and able to fund the remaining portions of this project. While a lot of progress has been made, I recall several personal (and painful) experiences submitting manuscripts to scientific journals only to find out that the quantity of revisions requested required rewriting a paper from scratch. Yes, this can be disheartening, but it almost always resulted in a much better end product. Therefore, if you would like to become a sponsor, please reach out to me using the contact information at the official website for the white paper.
Thank you for your time and I look forward to contributing this work back to the community!
References
The following articles, posts, and websites describe the motivating factors for starting this project:
- Let's Talk About PCI Compliance for Ubercart and Drupal Commerce
- Proposal: Drupal PCI Compliance White Paper
- Drupal PCI Compliance White Paper (Official Website)