Proposal: Drupal PCI Compliance White Paper

UPDATE: A white paper on Drupal PCI compliance is actively being worked on. Please visit the official website for more details.

In reference to the loss of undocumented wisdom, Andrew Carnegie once stated that “it was one of the sins of the ages that this knowledge, gained at such a tremendous price, by so many men, was buried with their bones when they died. Nobody had ever organized it into a philosophy and made it available to the man of the street.”

I feel the exact same way when I think about the number of Drupal developers that have suffered through the long, hard journey of achieving and maintaining PCI compliance for ecommerce websites. With over 67,000 active Ubercart and Drupal Commerce websites (as reported by, one might assume there would be an abundance of quality resources out there (articles, blog posts, YouTube videos, etc.) to help others speed through this torturous learning curve.

Unfortunately, I didn't believe such a resource existed that was specifically tailored to the Drupal community. This inspired me to write a somewhat lengthy article to start that conversation. It touched on a lot of the major pain points, provided the pros and cons of each solution, and it also contained an aggregated list of resources that I had found over the last several years. The feedback was incredible. It had clearly struck a chord with a lot of developers and sparked a conversation.

The Next Step

In that article I had pitched the idea of taking it a step further and creating a white paper that was similar in form to the Drupal Security Report. My intention was to go beyond a simple article and create something more definitive. I want to create a quality document that any developer or evaluator could read in a single sitting and get a solid high-level overview of the issues at hand. And if it helps the next 67,000+ Drupal e-commerce sites achieve and maintain their PCI compliance, I’ll consider this a huge success!

The Proposal

Without further ado, you can access the proposal document here, which is the domain that will ultimately host this document as well as any future versions. My goal is to have this completed sometime before DrupalCon Portland, where I’m also submitting a session to give a talk on this same subject matter.

The Ask

A technical document of this type can take a lot of time to create and a lot of extra help to review it to ensure that all the technical information is sourced and as accurate as possible. Therefore, you’ll see that I’m seeking volunteers (to help with the feedback/review process) and a modest level of sponsorship (to help move this project along).

And as always, feel free to leave a (helpful) comment/suggestion below!

Tags: Drupal Planet, Drupal, PCI compliance