You just bought a beautiful new home. You spent a lot of money, so you want to get the most out of your investment by looking for opportunities to make it income-producing while residing in it. Along comes a friend with a novel idea. A local manufacturing company exceeded its monthly waste allotment and needs a new location to store its surplus HAZMAT material. This company will pay an extraordinary amount of money – $1,000 per barrel per month – to take up what would otherwise be unused space in your basement.
So... would you do it?
The potential of a massive passive income stream can be enticing. However, in this case, the risk you’d take on is enormous. What happens if the barrels are faulty – or they leak? What if they drop in transit – and crack open? What if there’s a natural disaster – a fire or a flood? How widespread might the damage be? Would you face fines for contaminating the environment? What about the resell value of the house? And if the waste leached out, how would it affect your family’s health?
The fact is that the possible damage is so severe that most cities, states, and counties forbid HAZMAT storage in residential property.
Credit Card Processing
Storing, processing, and transmitting payment card data also comes with potential risks and rewards.
On the one hand, adding an eCommerce component to a website can open up a sizable income stream, which the merchant can then use to grow the website or offset the initial build cost. However, the effects of credit card breach can be fatal to a business: customers may lose trust and take their business elsewhere; credit card companies may lose money from fraudulent charges; and the merchant may be required to pay for significant upgrades without the budget to do so – as well as face fines as high as $200 per credit card transaction affected.
Similar to managing hazardous materials, a single breach wipes out gains and even leaves the merchant stuck cleaning up the mess.
Payment Card Industry Data Security Standard (PCI-DSS)
When done correctly and securely, everyone benefits from allowing cardholders to pay for goods and services online: merchants can grow their business; credit card companies can collect their transaction fees; and customers get the convenience of paying online.
So to make life less onerous for merchants, the Payment Card Industry created a Data Security Standard (typically referred to as PCI-DSS or “PCI compliance”). The list of requirements is intended to secure payment transactions end-to-end across all systems. (For more detail, please visit PCISecurityStandards.org or drupalpcicompliance.org.)
Returning now to the HAZMAT analogy, there are certain standards that have to be met (by law) to move and/or store waste: you can only transport it with certain types of vehicles, which can only be operated by trained drivers; the place you store it must have appropriate ventilation and drainage; the containers themselves must meet a certain standard and be compatible for the type of waste being stored; and on and on.
Is Drupal Immune?
One of the benefits of open source software like Drupal is that the source code is out there for everyone to review, verify, and improve. However, this by itself doesn’t mean that Drupal is bug-free and without vulnerabilities.
That reality hit home with the disclosure of SA-CORE-2014-005, where a single line of code exposed a highly critical vulnerability.
A specifically crafted page request could provide full admin access in one page load. The implications for the Drupal eCommerce community were immense. Any site vulnerable to this attack could have had a key logger placed on a payment page.
Fortunately, despite widespread reports of Drupal sites getting hacked, we did not see a rise of reports regarding stolen credit card data. The point is that, while it’s not common to hear of Drupal eCommerce sites being breached, these attacks are possible.
Strategy for Success
Doom and gloom aside, what is a responsible Drupalista to do? Thankfully, it’s possible to significantly – if not completely – reduce your risk while still retaining the ability to accept payments online.
Let's revisit the HAZMAT analogy again. Suppose instead of storing the material in the basement, you simply used your driveway as a temporary inspection point on the way to an offsite storage facility. While a leak would still be damaging, it’s less likely to get in your home – and the total quantity that could be leaked is reduced as well.
Let’s take the analogy one step further. Suppose you discover that, for a small monthly fee, you can rent a secure facility where you can perform the inspections. You’ve significantly reduced your overall risk because the only way to expose your home is through trace amounts on your clothing brought back from the office.
And finally, to completely eliminate the risk, you could simply outsource the responsibility and collect money as an arbiter brokering the deal.
What does this have to do with eCommerce? The same levels of risk apply. If you store credit cards within the Drupal database, you take on the most risk and are subject to the largest quantity of PCI compliance security controls (384). If you only let cards pass through (the driveway example), you’ve significantly reduced the magnitude of the exposure, but there is still risk. If you start pushing the payments off-site, you’ve all but eliminated the risk except for some edge case situations. And finally, if you fully outsource your store, you eliminate all the risk – as well as a portion of your income potential, of course.
The following table summarizes this comparison as well as the associated PCI SAQ levels, number of security controls, and typical costs of compliance.
|PCI Type||Payment Gateway Type||HAZMAT Analogy||Number of Security Controls||Estimated Cost to achieve compliance|
|SAQ D||Storing Cards||Storing Waste||384||$100,000+|
|SAQ C||Merchant Managed||Driveway Inspection||139||$100,000|
|SAQ A-EP||Shared Management||Offsite Office||139||$30,000|
|SAQ A||Wholly Outsourced||Arbiter||15||$1,000|
The key take away: whenever possible, choose a payment gateway that reduces your overall exposure. You’ll still be able to run a successful eCommerce store (and receive the upside) while limiting the damage of attack (and thus minimize the downside).
A Deeper Dive
For those wanting to go further, please read the Drupal PCI Compliance White paper.