These are the slides taken from the Commerce Guys webinar on PCI compliance for Drupal (recorded on 11/14/2013). You can watch the video recording at the following link: http://commerceguys.com/webinars/archive/pci-compliance-drupal Original webinar description below: You’re taking payments online, so you must be PCI Compliant, right? How do you know? Drupal.org reports over 80,000+ active Ubercart and Drupal Commerce installations. That’s great news! With such a large and active portion of our community involved in eCommerce, effort and resources must go toward helping these websites achieve the mandatory security standards set forth by the Payment Card Industry (PCI). In the past, a definitive guide or comprehensive resource simply didn’t exist. Information seekers could find a handful of articles, forum threads, and videos; but most of these resources were fragmented, outdated, and might have contained inaccurate information...Not a good thing when failing to become PCI compliant exposes businesses to legal and financial liabilities. That’s why we’ve invited Rick Manelius to our next Commerce Guys webinar. He’s one of the authors of a new report on PCI compliance, focused specifically on Drupal. The report was created as a means to help Drupal shops, developers, and customers understand their PCI compliance responsibilities.. and discover the steps to achieving full compliance. He’ll be joined by Robert Douglass, a long time Drupal contributor and Director of Product Operations for Commerce Guys. Together they’ll present a very open and honest view of the eCommerce landscape for Drupal and lend valuable insight for companies looking to achieve success…and security...when taking payments online.

1. Let's Talk About PCI
Compliance for Drupal
Rick Manelius, PhD
@rickmanelius

2. Overview
•
•
•
Why (should I care)?
What (exactly is this PCI compliance thing)?
How (do I get started)?

3. Why?

4. My Story
•
•
•
From great success to sheer panic.
You’ll experience something similar at some point.
The 5 Stages of PCI Compliance Grief
•
•
•
•
•
Denial (“That doesn’t pertain to me.”)
Anger (“WTF! Why didn’t someone tell me?”)
Bargaining (“I’m more secure than others.”)
Depression (“This is going to be so hard…”)
Acceptance (“Alright, let’s do this!”)

5. Why? It’s In the News

6. You’ve Got Mail!

7. Security Breaches Hurt
•
•
•
•
•
•
•
Adobe - 2.9 million customer records.
Sony Playstation Network - $77 Million.
JC Penny - 650,000 records.
Ubercart with custom module (3)
$25-$215 / Breached Record. (1)
Small merchants — 80+% of breaches. (2)
One strike rule for PCI Level.
1. 2010 Annual Study: U.S. Cost of a Data Breach (symantec.com)
2. In Data Leaks, Culprits Often Are Mom (Online Wall Street Journal)

8. PCI Compliance is Mandatory
•
•
•
•
•
Golden Rule
Contractual
Privilege
It can be revoked
One strike rule

9. My Goals
•
•
World Class eCommerce Platform => Set the Standard
4 Stages of Mastery
1. Unconscious Incompetence
2. Conscious Incompetence
3. Conscious Competence
4. Unconscious Competence
•
•
•
I believe the Drupal community is primarily at 1-2.
At the very least, we need to get to 2 (awareness).
Ideally 90+% of Drupal eCommerce sites get to 3.

10. Drupal PCI Compliance White Paper
•
•
•
•
•
•
http://drupalpcicompliance.org
Co-authors:
•
•
Greg Knaddison (Head of Drupal Security Team)
Ned McClain (QSA at Applied Trust)
Readable in less than an hour.
Target audiences: developers, shops, & evaluators.
Drupal specific information.
Goes well beyond the information in this talk.

11. Sponsors

12. What?

13. The Journey of a Credit Card
•
•
•
•
•
•
•
•
User’s browser
Internet
Hosting Network
Server
LAMP Stack
Drupal App
Payment Gateway
Merchant Service Provider

14. Holistic Approach
•
•
•
•
Card Data Environment (CDE)
Everything that can touch the card falls into CDE.
Security (& trust) is as strong as the weakest link.
Need a policy to ensure end to end security.

15. PCI-DSS
•
•
•
•
PCI = Payment Card Industry
DSS = Data Security Standard
12 requirements (aka the dirty dozen)
We will (quickly) go through them.

16. PCI Data Security Standard
•
•
•
•
1. Install and Maintain a Firewall
•
5. Use and regularly update anti-virus software or
programs
•
6. Develop and maintain secure systems and
applications
2. Do Not Use Vendor Supplied Default Passwords
3. Protect Stored Data
4. Encrypt transmission of cardholder data across
open, public networks

17. PCI Data Security Standard
•
7. Restrict access to cardholder data by business
need-to-know
•
8. Assign a unique ID to each person with
computer access
•
•
9. Restrict physical access to cardholder data
•
•
11. Regularly test security systems and processes
10. Track and monitor all access to network
resources and cardholder data
12. Maintain a policy that addresses information
security for all personnel

18. PCI Data Security Standard
•
•
288 total checklist items.
The number of items an eCommerce site is
responsible for depends on how its structured!

19. How?

20. So... Where Do I Start?
•
•
•
Key Factors: Volume & Validation Type.
Volume determines PCI Level (1, 2, 3, or 4)
Validation type determines SAQ (A, B, C, C-VT, D)
•
•
SAQ = Self Assessment Questionnaires
Provides checklist for 12 requirements.

21. Volume
!
!
!
!
!
!
!
•
Reported Breach = Automatic Level 1

22. Validation Type
•
•
(i.e. method by which you accept payment)
A, C, and D are the most relevant for eCommerce.

23. Validation Type (English Please!)
•
•
•
SAQ A: Fully outsourced handling of sensitive data.
SAQ C: “Standard” eCommerce setup.
SAC D: Storing sensitive data.

24. Determining Your SAQ
•
•
Largely a function of payment method.
3 types of payment methods:
•
•
•
Wholly Outsourced
Shared-Management
Merchant Managed

25. Determining Your SAQ
•
•
Largely a function of payment method.
3 types of payment methods:
•
•
•
Wholly Outsourced
Shared-Management
Merchant Managed

26. Wholly Outsourced: SAQ A
•
Sensitive data is completely handled by another
vendor.
•
•
Examples: Volusions, Big Commerce, etc.
Grey area for Drupal payment gateways (more on
this later).

27. Merchant Managed: SAQ C/D
•
Drupal application processes and transmits credit
card data to the payment gateway.
•
If you store cards, you’re SAQ D (dangerous!)
•
Do not do this unless you absolutely, positively
know what you’re doing.

28. Shared Management: SAQ A/C
•
•
•
•
Three Types
•
•
•
Hosted Payment Page
Direct Post
iFrame
Often advertised as SAQ A.
PCI Council outlines vulnerabilities.
Consider these an “easier SAQ C”.

29. Hosted Payment Pages
•
Image courtesy of authorize.net

30. Direct Post
•
Image courtesy of authorize.net

31. iFrame
•
Basically direct post with the additional security of
an iframe surrounding the form element.
•
Protects from JS attacks from the parent DOM.

32. Attacking Shared-Management
•
•
•
•
Direct Post (Stripe, Braintree, etc)
•
JS Keylogger.
Hosted Payment Page (Paypal, etc)
•
Redirecting to a spoof site.
iframe (Auth.net hosted CIM, Hosted PCI)
•
Replace the iframe.
While still vulnerable, shared-management
solutions are considerably less risky than merchant
managed solutions!

33. SAQ Breakdown
•
•
•
•
•
Merchant Managed - SAQ C/D
Shared-Management - SAQ A/C
Wholly Outsourced - SAQ A
SAQ C - “Standard” eCommerce Site.
SAQ D - Storing Cardholder Data.

34. Recommendations
•
•
•
•
•
•
Use shared-management types.
iFrame or Hosted Payment Pages Preferred
Use SAQ C regardless of vendor claims.
New 3.0 PCI standard coming out soon.
Consider SAQ the minimum level.
Seek help if you have any questions.

35. Recommendations
•
Download: Drupal PCI Compliance White Paper!
•
http://drupalpcicompliance.org/

36. Summarizing
•
•
•
Why
•
•
Mandatory
Financial, PR, and legal risks.
What
•
Standard that addresses security holistically.
How
•
•
•
Determine your volume + transaction type.
Complete the relevant SAQ form.
Do your due diligence!!!

37. Questions
!
!
!
!
!
•
PS. Don’t forget:
•
•
http://drupalpcicompliance.org/
Drupal.org/IRC/twitter: @rickmanelius