4 replies
jrcallicott
Joined: 03/04/2010

I'm reading a lot of chatter but I'm really concerned that you don't see official PCI status on the homepage of the ubercart site or the ubercart project page. In this day and age it's pretty much the most important thing.

Can anyone give me an idea of where ubercart stands?

Andy
Administrator
Joined: 08/07/2007
Re: What's the status of PCI compliance for Ubercart?

Ubercart is currently PCI compliant. There are additional requirements the credit card companies are trying to implement, and Ubercart will be compliant with those if and when they happen.

scanreg
Joined: 10/29/2007
Andy wrote:

Ubercart is currently PCI compliant. There are additional requirements the credit card companies are trying to implement, and Ubercart will be compliant with those if and when they happen.

How is this determined?

Is there a kind of official PCI certification that can be posted?

BTW, does Drupal itself have to be PCI compliant as well for a site to officially be deemed PCI compliant?

Thanks

pciconsultant
Joined: 09/12/2010
jrcallicott wrote:

I'm reading a lot of chatter but I'm really concerned that you don't see official PCI status on the homepage of the ubercart site or the ubercart project page. In this day and age it's pretty much the most important thing.

Can anyone give me an idea of where ubercart stands?

You have to be very careful about statements like this. Just having Ubercart itself follow PCI DSS guidelines will NOT necessarily make your system PCI DSS compliant. For example, even if the Ubercart software is compliant itself, the moment you host your SQL server for the credit card information on the same system as your web server, you have just broken PCI compliance. Then it doesn't matter how compliant Ubercart is; your system components' configuration still makes you liable in the event of a security compromise. If you have any questions about whether or not your system and/or software is PCI DSS compliant, you should really find a PCI compliance consultant to speak with.

BenStallings
Joined: 03/13/2008
abandoned merchant services

After considering my options long and hard, I've abandoned all merchant card processing on my Ubercart sites and gone strictly to PayPal Payments Standard. I could not comply with either the letter or the spirit of the PCI DSS... the letter said that "cardholder data" includes the billing address, and Ubercart requires us to store that. The spirit of the policy wants the server to be secure from hackers, and the fact of the matter is, on any Ubercart site that processes credit cards, a hacker is just one password away from being able to modify Ubercart's code to capture all the card data.

Now, other sites might be able to lock down their security better than I can with mine. You can restrict the IP addresses with which someone can log in with SSH, for example. But my sites are on shared hosting and I have a mobile office, so that's just not happening. So I can stop trying to comply with PCI, or I can pay for hacking insurance, or I can stop using Ubercart.

Ubercart is still by far the best shopping cart available IMHO, but I'm using PayPal only for payment processing.

Of course there's still the chance that a hacker could hack my site and change Ubercart's configuration to collect credit card data instead of sending people to PayPal, but I'm not going to help them down that road! And I'm going to try to pretend I didn't just think of that. Shit.
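The post above mentions restricting the addresses from which someone can log in with SSH. As an added illustration of that control (not configuration from the thread or from the Ubercart project), the OpenSSH sshd_config fragment below limits interactive logins to a single deploy account from one administrative network and turns off password authentication, which is the "one password away" exposure the post describes. The account name and the 203.0.113.0/24 range are placeholders; the Match block shows how a second trusted network can be admitted without loosening the default for everyone else.

```conf
# /etc/ssh/sshd_config (illustrative fragment, not from the thread)
# Assumed placeholders: user "deploy", office network 203.0.113.0/24,
# backup network 198.51.100.0/24. Replace with your own values.

# Keys only: a leaked or guessed password is no longer enough to log in.
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no

# Only "deploy" may log in, and only from the office range.
# USER@HOST entries with CIDR masks are supported by AllowUsers.
AllowUsers deploy@203.0.113.0/24

# Everything not listed above is denied by AllowUsers; a Match block can
# carve out a narrower exception (here: a second trusted network that is
# additionally required to use a key and may not forward ports).
Match Address 198.51.100.0/24 User deploy
    PubkeyAuthentication yes
    AllowTcpForwarding no
```

After editing, run `sshd -t` to check the syntax before restarting the service, and keep an existing session open while you confirm a new login still works. This control assumes a fixed administrative address; as the post notes, a mobile office or shared hosting that does not expose sshd_config cannot use it, in which case key-only authentication and the payment-gateway redirect approach the poster chose remain the available options.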