Good afternoon everyone. Seems awfully quiet. Yeah, hello. I wanted to walk around anyway. Good afternoon. Hi, my name is Matt, I work at a company called Lullabot, and we're doing a talk here about PCI compliance and how it would apply to your Drupal sites. So this is kind of really what we want, right? It's the end game: everybody wants to be able to collect credit card data, or at least collect payments, on their website, because, hey, making money is fun, right? E-commerce is kind of the goal. Here's a little bit about me. I've been doing Drupal for about five years, and I'm going to tell a story today, a little bit about my past in doing PCI, from the trenches if you will. I'm a member of the Drupal security team and I'm a senior developer at a company called Lullabot. We've had the great opportunity to work with a lot of these cool companies, but a lot of my PCI experience doesn't come from Lullabot, for what it's worth. But who am I not, right? I am not a PCI qualified security assessor, I'm not a QSA, just wanted to throw that out there right now. I'm also not a lawyer, and today I'm not going to be willing to provide references for web hosting, scanning vendors, consultants, that kind of thing. I'm not sure that that's a discussion that can lead to anything productive, so we'll just avoid that kind of talk today. I will tell you a little bit of a story from my previous job. I was in the nonprofit world doing web development, doing Drupal development, and I had a co-worker come down the hall and give me one of these looks: "Matt?" "Yeah?" "You've been doing some really great Drupal work." "Yeah." "I hear this makes websites easy." "Oh yeah, I suppose so." Regina is in charge of the development department. She wants fundraising to happen, and there are things that she wants fundraising-wise on her website, and there's a way that she wants it to work. Regina explained to me that, you know, I really need to collect credit card information, and I need that information to get plugged into our database, because our database does
the recurring billing. We have this fancy database, and, you know, it's got all our customer records in it, we've got all their history in it, and being able to plug it right in there off of our website that collects credit card data, and, you know, maybe charge the card the first time so they're making a donation to us right away. And I thought, yeah, why not, right? It's forms. I know Drupal's Form API. There are plenty of other ways to go about this in Drupal. I'd love to be able to integrate this directly with our database system, but, you know, I'm not all that familiar with that API, and it's very complicated and probably doesn't want to play well with PHP anyway. So I go back to my desk and I kick back a little bit, start running through Google. Honestly, that probably is about what my desk looked like. Start running through Google thinking, okay, we're dealing with credit cards, it's something that's new to me, it's probably gonna be a little bit difficult, and I definitely want to do it the right way, right? Especially if I'm gonna be storing credit cards. And I started scratching my head on that one a little bit. It's like, you know, boy, this is gonna be secure data. I mean, there's gonna be a need for some pretty secure data store. I better make sure I do that right, and the server that I have running in the supply room, running my other little microsites, probably wouldn't be a good idea to do it there. So, security and encryption, trying to figure out all these things, and I ran across a document that probably looked about like that, and I started reading it. Yeah, it's a tough one. And I thought, wow, this is very detailed, there's a lot of good information here, and it's probably gonna tell me the right way to do it, but it's not gonna be as easy as I initially thought. So I got on the phone and I called my boss, I called Bob, and I said, Bob, you know, Regina came down the hall and described this great project to me, and it's gonna help fundraising out a bit, and
it's really going to help our position, you know, in the company. You know, being the IT folks, you're always trying to help people out, because you're always telling people no and telling them, you know, don't break their computer, that kind of thing. And Bob, I'd really like to be able to do this, but I found this thing called PCI, and it's probably gonna affect the way we're dealing with credit cards in the organization otherwise, and, you know, there are probably some challenges that are gonna have to come about. And about that time, you know, that's about what that phone call started to look like, and Bob started getting upset, not about what I was saying, but knowing that he was probably gonna have to spend the next year or so of his life sitting in conference rooms about like this, discussing it. Because one thing that PCI isn't: it's not just a problem for the IT staff, it's not just a problem for the people who are collecting credit card information. It's really going to affect anyone's organization or anyone's business, business-wide. Everyone in the organization will probably see at least some touch of PCI. So PCI is the Payment Card Industry Data Security Standard, the PCI DSS. That's what we're talking about here today, primarily. So the payment card industry consists of the major card payment brands, who came together and decided that this is going to be one standard that will rule them all. It's going to be the way that it will be done properly, and this is what we're going to expect of everyone, because originally everybody tried to go off on their own tangent and say this is the way Visa wants to do it, this is the way MasterCard wants to do it, and they decided that getting it all together in one list of standards is probably the best way of going about it. And that document is the PCI Data Security Standard. It's also important to point out that the PCI DSS is not a law. It's not legislation enforced by the government, anything like that. It's only the credit card
companies that hold these policies over us. This is probably the most important thing if you're interested in PCI: if you're charging, transmitting, processing, or storing credit card data, it applies to you, period. "But I'm not storing it." Right, it applies to you. "But I'm using SSL." Guess what, it applies to you. You're probably going to have to go a little bit further into the way that you're currently doing things to make sure you're doing it along the lines that the PCI DSS asks you to. In the end we really just want to avoid data breaches, right? That's an article that's probably a little difficult to read, but I'm not expecting you to read it. It's talking about the Heartland Payment Systems breach, a very famous big data breach from a few years ago. Tons of credit card information was stolen. They are a payment vendor, but it's something that has really affected them, right? Dozens of lawsuits, formal inquiries by federal organizations, and of course it affects their stock value. That's a huge example, and you probably don't process that many credit cards, so you're thinking, you know, I'm just the little guy here, right? I am not Heartland, I am not Walmart, I am not Amazon. I'm just a little guy trying to sell t-shirts on my Ubercart store. You have to keep in mind that most of the examples of unauthorized access to sensitive information like credit card data come from the little guys, and the little guys make up most of the vendors. Also, there are people looking for you: about a third of data breaches come out of malicious attacks. So it's also something that's going to be pretty expensive for you if something bad were to happen. And here might be a good thing for you to see: that the credit card provider can then become liable if the retailer was PCI compliant. If you're doing things the right way, you can rest assured that things will be out of your hands. Here's another major data breach that you probably all heard of within the last year or so: the Sony
network lost a lot of information. And I'm not going to say that this... I mean, I'm sure this affected them financially, without a doubt, but I think, in my opinion, this probably affected them on a reputational level more than a financial level. This came across my Twitter feed, and if you read what my friend Sean has to say, you might think he's a little bit nutty: there's access from an IP in China on my box because of the PlayStation breach. Now, I would think that too if I didn't know that Sean was the former CTO of a publicly traded software company and definitely was a propeller head and kind of knows what he's talking about. Is this really true? Is this what happened? I don't know, but really it doesn't matter, because in today's social world this is the kind of thing that people are going to see. This is what I remember from that actual exploit. So there's a financial risk that vendors have: a data breach will cost you in fees, as well as perhaps fines and suits. But there's that reputational risk as well, and you need to make sure that you're dealing with your clients' payment information, personal information, in the best manner possible. So hopefully I've convinced you that this is actually probably a good thing, right? That we have these 12 requirements set forth by the PCI Council that are going to outline the best ways for us to handle sensitive credit card data and information. We like to call them the dirty dozen. Anyway, I'm gonna run through the 12 really quickly. We won't have time to get into a lot of detail, but keep in mind all of this information is out there and you can go read it for yourself. I'm just gonna touch on the 12 requirements fairly quickly. You'll find that a lot of them are really security best practices, and it's something that you probably should be doing anyway, but this is making sure that you understand that. For example, requirement number one: you need your firewall to protect your cardholder data, right? Everybody should have a firewall. You probably
have a firewall anyway. One thing that the requirement does say is that it does need to be a stateful firewall, and it needs to be configured properly, and you'll have to document that configuration. But, right, who doesn't want a firewall in the first place? Yay, a firewall. Requirement number two is another one that is going to kind of sound like a no-brainer: don't use vendor-supplied defaults for your system passwords and security parameters. This is another one of those "yeah, really, people do that?" Right? You're gonna log on to your computer and you look for a Wi-Fi network and you see one called Linksys, and you think the password is admin and there's no username, I can get into this one, right? The same holds true for a lot of other network equipment as well. You need to make sure that you're not subject to doing silly things like this. Requirement number three is protect stored cardholder data. Requirement number three has to do with a lot of the encryption that might take place behind the scenes, as well as what types of data are okay to store and what types of data are not okay to store. It's a fairly interesting one to read, actually, requirement number three. Number four is encrypting the transmission. A lot of times you hear people say, yeah, I use SSL, and so I must be doing things right. Yeah, great, you're all set with requirement number four. Eleven to go. Requirement number five: you need to use and update your antivirus software and programs. You have to keep in mind that the PCI DSS was written for a very broad scope of possible applications, right? This could be a desktop application where someone from data entry is going through the mail, entering credit card data, submitting some kind of form that's going off to the payment gateway, and perhaps logging that that transaction happened. So on that Windows machine you definitely want that to happen. And actually, the standard says that you don't need
to have an antivirus on types of OS's that are not subject to viruses, Trojans, that kind of thing, and the example that it gives is a mainframe. Good times. Requirement number six: develop and maintain secure systems and applications. This really has to do with how you're developing your software, your practices for dev, staging, and release. Code reviews really come in in requirement number six. It's just kind of making sure that you know and understand your code base, as well as promotions to live servers, that kind of thing. Number seven: restricting cardholder data by business need to know. So if you don't need to know this information, by golly, you shouldn't have it. It's another one of those security best practices, right? The least permissions needed to get the job done. So obviously if there's a business need to know, if you need to know some sensitive information or have access to sensitive systems to do your job, then you have to, but that kind of thing needs to be documented. We'll learn about documentation here a little bit more as far as the requirements are concerned. Requirement number eight is asking that everyone who logs onto a system gets a unique ID, something that's fairly important. I know that I've worked on systems often that have an administrator account, or people share access to servers, that kind of thing. Everybody needs to have a unique ID, because that really comes into play when you're talking about logging. You need to be able to reconstruct where things happened, when things happened, why things happened, who changed what, and if someone does not have their own account it's much harder for that to be tracked. Requirement number nine deals with physical security. You can do it all right from the ones and zeros side of things, but if you leave the door unlocked or keep your server in the break room, nothing is stopping someone from picking it up and walking away with it. So physical security is definitely something that might need to be considered if you're
in your own hosting environment, which I've been before. It's kind of fun. Requirement number 10: you need to be able to track and monitor all network resources and cardholder data. This really comes into play with the logging side of things and the logging requirements that are involved. And then number 11 is the testing of security systems and processes. You'll need those official testing procedures in place and documented. And number 12 is all about the documentation. You need information security policies, there is a training requirement for your people, that kind of thing. You need to keep stuff on paper, or at least written down. Here are some of my favorite takeaways from the standard itself. My favorite one is: you really shouldn't be storing cardholder data unless you absolutely need to, and if you need to, you're probably going to be way cooler than me and you're going to have some serious security professionals looking at your setup. The requirement states that you shouldn't store certain types of data. Certainly the credit card number shouldn't be stored in plain text, but there's also the full track data that comes on the credit card, extra information that you may not know exists as a part of your magnetic stripe, as well as PIN numbers, or the CVV, that code on the back of your card. That's information that you should never store. The first six and the last four digits of the credit card number are fair game; that's the maximum that should be displayed. Keep in mind that there's a very specific algorithm to credit card numbers, and the more information people have about the numbers that exist, the easier it might be to reconstruct the credit card number based on the information that you have. So the less data that you have, the better off you'll be. This is really the big one: read through requirement number 12 very carefully. Document everything. If it's not on paper, it never happened. And again, on paper: get it in writing from your vendors and service providers.
Frequently you'll have to work with other companies, be they hosting companies, be they your payment processor, or perhaps some other third-party vendors that you need to work with. You need to understand that their compliance, their non-compliance, will mean your non-compliance. So you need to make sure that they're doing everything properly from a compliance perspective, because it means that you'll be doing everything correctly from a compliance perspective. This is a process, which means you're never done. When you're finished with compliance, if you will, you've gone through all of the proper steps and you can say yes, I'm compliant. Keep in mind that tomorrow, if somebody does something, you may not be compliant. So compliance, the idea of compliance, is a snapshot in time. It's always in motion. You need to always be assessing, remediating problems that you might find, and reporting and documenting that kind of information. Okay, we got through the 12. There will be a test. There will be some math, but don't worry, it'll be too easy. That test comes in the form of the SAQ, the self-assessment questionnaire. There are five different ones depending on what type of business you do, keeping in mind that the PCI DSS applies to the local gas station as much as it applies to Amazon.com, as much as it applies to Frank's t-shirt store. So here are the five, and here's kind of what they do. But since we're all at DrupalCon I'm gonna knock a couple off the list, because they don't involve e-commerce; they're more manual storefront type methods, perhaps even the old-school knucklebuster card swipers. But SAQ A, SAQ C and SAQ D are going to be the tests that you'll take, if you will, to prove your compliance when you're dealing with e-commerce, one of these three depending on your particular situation. I'll talk about these three in a little more depth. SAQ A has to do with an e-commerce setup where all payment card processing is outsourced, so no sensitive information ever hits
your server. It's the easiest one by far. There'll be about 14 questions covering two of the 12 requirements. It really is going to deal with your physical security, if you happen to have access to data, and your information security policies, the stuff that's on paper documenting that you're doing everything in the proper manner possible. SAQ A is most likely found in folks who do the whole PayPal thing: go to the PayPal site and pay the bill, and then you'll return back to your website after the bill is paid. A lot of folks really try to avoid that, because they feel that someone wanting to buy something from their site will kind of back out when they go to PayPal, and, you know, the transaction isn't as smooth, that kind of thing. There are some really cool vendors out there now doing tokenization, which allows the sensitive data to be offloaded from your server but allows a seamless checkout process. Here's a little network diagram kind of showing how that might work. At the bottom is the user of your website, who puts their credit card information into your form in your checkout. That form is then submitted, but instead of going to your website, the sensitive information is posted directly to the payment processor, who then returns a meaningless token to the user. Oftentimes you'll see that that's a client-side request; it could be a server-side request, but that meaningless token comes back to the user, and then the form is immediately posted to your web server with the token, as well as any other information that you want to check out. So your web server then says, hey, I have a token, I also have this secret key that my administrator has set up, so I'm going to give this token and the secret key over to the payment processor. The payment processor is going to say, hey, this is that token I just gave out, and here's that key for my favorite merchant, and now I get to charge this person forty dollars or whatever, and
then it's returned as successful, or whatever, back to the user. SAQ C is for more of a standard e-commerce setup where you may be sending sensitive data through your server, but you're not storing your sensitive data. If you're able to fill out SAQ C, it is a little bit longer, 85 questions, covering about 11 of the 12 requirements. It really has to do with how well you're securing that sensitive data and its transfer, as well as any sorts of monitoring and testing, and of course the documentation and that kind of thing that comes with the other systems. And because I was building network diagrams and that was really a whole lot of fun: it's more of a standard setup, right, where that sensitive data is sent straight to your web server, the web server turns around and says, hey, I need to make a payment, here's the data, to the payment processor, the payment processor says great, and then success is returned throughout the chain. SAQ D is really the other form. Anyone who may not necessarily fit any of the slots that have been outlined ends up with SAQ D. Also, if you end up in the world where you're storing sensitive information, you'll end up pulling out SAQ D as well. It can be fairly upsetting, because it is fairly long and you are getting a full overview of the requirements that I've outlined, 12 out of 12, and it's pretty intense, and really looks into how you might be doing sensitive data storage, that kind of thing. But SAQ D is something that, if you can avoid filling out SAQ D, it's going to save you a lot of time and possibly expense, by not storing credit card information and not being required to fill out SAQ D, that kind of thing. So along with which SAQ you'll need to fill out, it's also something to note that you'll have a merchant level, as given to you by the different credit card brands.
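The tokenized checkout just described, written out as an added example so the three hops and what each party actually sees can be read end to end. This is not code from the talk or from any real payment processor; the processor, the merchant id, the secret key and the card data are all constructed for the demo, and the processor is simulated in memory rather than called over HTTPS.

```php
<?php
// Added example: in-memory simulation of the tokenized checkout flow.
// All names (DemoProcessor, MerchantServer, 'franks-tshirts', the secret) are made up.

/** The processor. Only this party ever holds a card number. */
class DemoProcessor {
  private $vault = array();      // token => array('merchant' => id, 'card' => data)
  private $merchants = array();  // merchant id => secret key the admin configured
  public $log = array();         // what crossed the processor's API, for the demo

  public function registerMerchant($id, $secret) {
    $this->merchants[$id] = $secret;
  }

  /** Hop 1: the browser posts card data straight here and gets back a token. */
  public function tokenize($merchantId, array $card) {
    $token = 'tok_' . bin2hex(random_bytes(12));
    $this->vault[$token] = array('merchant' => $merchantId, 'card' => $card);
    $this->log[] = "tokenize for $merchantId -> $token";
    // Only non-sensitive echoes go back: the token and the last four digits.
    return array('token' => $token, 'last4' => substr($card['number'], -4));
  }

  /** Hop 3: the merchant presents token + secret; the processor charges the vaulted card. */
  public function charge($merchantId, $secret, $token, $amountCents) {
    if (!isset($this->merchants[$merchantId])
        || !hash_equals($this->merchants[$merchantId], (string) $secret)) {
      return array('ok' => FALSE, 'error' => 'bad merchant credentials');
    }
    if (!isset($this->vault[$token]) || $this->vault[$token]['merchant'] !== $merchantId) {
      return array('ok' => FALSE, 'error' => 'unknown or foreign token');
    }
    unset($this->vault[$token]);  // single use: a replayed token is refused
    $this->log[] = "charge $token: $amountCents cents";
    return array('ok' => TRUE, 'amount' => $amountCents);
  }
}

/** The merchant's web server (your Drupal site). Records every field that reaches it. */
class MerchantServer {
  private $processor, $id, $secret;
  public $fieldsSeen = array();

  public function __construct(DemoProcessor $processor, $id, $secret) {
    $this->processor = $processor;
    $this->id = $id;
    $this->secret = $secret;   // the key "my administrator has set up"
  }

  /** Hop 2: the browser posts the order plus the token; this server never sees a PAN. */
  public function checkout(array $post) {
    $this->fieldsSeen = array_unique(array_merge($this->fieldsSeen, array_keys($post)));
    return $this->processor->charge($this->id, $this->secret, $post['token'], (int) $post['amount']);
  }
}

// --- Walk the three hops with constructed sample data. ---
$processor = new DemoProcessor();
$processor->registerMerchant('franks-tshirts', 'constructed-demo-secret');
$site = new MerchantServer($processor, 'franks-tshirts', 'constructed-demo-secret');

// Hop 1, browser -> processor (client-side request). 4111... is a well-known test number.
$fromProcessor = $processor->tokenize('franks-tshirts',
  array('number' => '4111111111111111', 'exp' => '12/14', 'cvv' => '123'));

// Hop 2, browser -> merchant, carrying the token in place of the card.
$result = $site->checkout(array(
  'token' => $fromProcessor['token'],
  'last4' => $fromProcessor['last4'],
  'item' => 'DrupalCon t-shirt',
  'amount' => 4000,
));

// What a reviewer wants to confirm: the charge went through, and no card field ever
// reached the merchant server, which is what keeps that server out of scope for SAQ C/D.
assert($result['ok'] === TRUE);
assert(!in_array('number', $site->fieldsSeen, TRUE) && !in_array('cvv', $site->fieldsSeen, TRUE));

// A replayed token, or one presented with the wrong secret, is refused by the processor.
$replay = $processor->charge('franks-tshirts', 'constructed-demo-secret', $fromProcessor['token'], 4000);
assert($replay['ok'] === FALSE);
$wrongKey = $processor->charge('franks-tshirts', 'guess', $fromProcessor['token'], 4000);
assert($wrongKey['ok'] === FALSE);

print "charged {$result['amount']} cents; merchant saw fields: " . implode(', ', $site->fieldsSeen) . "\n";
```

Run it with `php` on the command line (PHP 7 or later for `random_bytes`). The point to take from it is the `fieldsSeen` check: in the real setup the browser-to-processor hop is a request from the user's browser, and the only place that design can quietly fail is if the form ever falls back to posting the card fields to your own server, so that is the thing to test for in your checkout.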
There are levels one through four, and sadly, even though the Data Security Standard is one standard to rule them all, each of the merchants has their own slightly different version of what these levels mean to them. But if you are a level to one merchant, you are that same level to other merchants, as long as it's the higher one. So if I'm a level two for one merchant, I'm also a level two for all of the other merchants as well, and the levels really dictate what you'll have to do to gain compliance according to the credit card brand. This is a screenshot taken off of the Visa website dictating those levels and what those levels mean to them. Just note that there are levels one through four, and it's asking for each of those levels that they have a quarterly network scan done by an approved scanning vendor, as approved by the PCI Council. It also says that you'll have to do the annual SAQ for all of the levels. Level one are folks who do over six million transactions per card type, so that means I'm doing six million and one Visa transactions, or MasterCard, or Discover Card. It will be a full overview of your security procedures, and you won't be able to fill out your own self-assessment questionnaire. They will make a QSA, a qualified security assessor, someone who's been blessed by the council that this person has been trained and they know what they're doing, you'll have to hire them and bring them in and make them a part of your process to compliance. Also, merchants who have had a previous data breach will likely get bumped up to become level one, which can be a very expensive thing for a small business. Level two merchants are doing fewer trans... yes sir, question? Okay, you'll ask later.
Level two, you're doing fewer transactions. One thing to point out is that level two merchants have a new June 30th, 2012 deadline that's being sent down by MasterCard, saying that your SAQ will have to be done by a QSA, someone who's the, you know, PCI professional as blessed by the council, or a certified ISA, an internal scanning person who has received training, and they are confident that this internal person can do your QSA properly. So there's some changes coming for level two merchants. Level two merchants will also have to have their quarterly scans done as well. Levels three and four have their quarterly scans and they have to complete their self-assessment questionnaire. Level four sometimes, depending on which brand you look at, which piece, MasterCard and Discover Card are the same, says that the SAQ is recommended. That said, if you take American Express or JCB, their levels are all slightly different, and you can gain a higher level via that shared reciprocity between the brands because you take these card types, something to keep in mind. This is kind of the bottom line of all of these levels and questionnaires and that kind of thing. It really is going to come down to what your payment processor, or what they call the acquiring bank, wants you to do. They will have the final say. They will say, you know, we want you to have the scans done, we need you to fill out the SAQ, that kind of thing, or we need a QSA to do your SAQ. So it comes down to the payment processor in regards to which level they want you to be. My goodness, I've been yammering on now for about 30 minutes at DrupalCon and we haven't heard "Drupal." That's probably like the first session of the day, huh?
Sorry about that, but I find it necessary to get people up to speed, because a lot of times there are some misconceptions in the PCI world, and that was kind of necessary to see exactly what we have to do in Drupal to be PCI, but you have to kind of know what PCI is going for in the first place. So how does Drupal work in this PCI world? Drupal is open source, but chances are you have customized it, right? You have custom modules, you have custom themes, that kind of thing. So because those two things are true, you'll end up treating it like it's 100 percent your code base. So you'll end up being very familiar with requirement number six, which has to do with the development practices and that kind of thing, code reviews. You're going to have to make sure that you understand your code base, because you're treating this like it is your code. You'll have to have folks who can jump in and read through the code that makes up your shopping cart. This is code from Drupal Commerce. Can you spot the vulnerability? Huh, just kidding. I don't know that there's one there. I just copied and pasted something I found. You also have to keep in mind that within Drupal there are some other dragons that you may need to look for. So where might those dragons be? One thing that I like to keep in mind is that in Drupal there's this cache_form, right? It's the form cache that comes from Drupal's Form API. It's a database table that stores form data for multi-step forms and that kind of thing, sometimes validation. What that might be doing for you is sticking sensitive information in your database, unencrypted, without your knowing that. So you have to be aware of the workflows of the forms that are in play and make sure that it's not sticking data into your form cache. The second thing you definitely want to look for is to make sure you're not doing it wrong in the first place. I suppose the order is wrong here. This would be number one. Don't be doing it wrong in the first place.
There's a fairly popular module that exists for recurring billing, and it comes with several different ways that you can do recurring billing. One of those ways is their test gateway, right, so that you can test to see how this API works and perhaps write your own code around it based on this great example. Anyway, this great example allows you to stick credit card information in your database, and it will just run through the recurring billing and charge on cron when it needs to be charged. So you have a database table full of unencrypted credit card numbers. It sounds like a terrible thing, and it sounds like somebody should notice that, but I've heard lots of stories of people coming across that when they've been called in to work on a commerce site. Not a Commerce module site, but an e-commerce site within Drupal. Someone who has misconfigured and misunderstood what that module is supposed to be doing. So you need to make sure that something like that isn't happening in the first place. Another place you might look when you're looking through your code, or writing code for your custom applications within Drupal, is things sticking information into the session array, and that's a big PHP superglobal that allows information to be shared across a user's session. Drupal sticks that information into the sessions table in the database, and there you can see you might be able to unknowingly put unencrypted information in your database just because you didn't understand exactly what was going on with Drupal's API or perhaps the PHP session superglobal. Another Drupal security thing that you might want to keep in mind when it comes to commerce is cookie session hijacking. There's a really amazing blog post that exists on the Secure Pages module page, so drupal.org/project/securepages, where you would go download the Secure Pages module.
The Secure Pages module allows you to configure different sections of your site to be SSL or not be SSL, given that your server has already been configured to handle SSL or not SSL. So go to that project page; there's a great blog post about session hijacking and how you can avoid that kind of thing. If you look through Drupal and start searching "PCI" within Drupal, of course there's stuff in the forums and other people asking questions about PCI, because there are a lot of people wanting to ask questions about PCI; it's a confusing thing. There's this PCI Update module that exists. I've never actually ended up using it, but I know that it's there. What happens is, when you have your quarterly scans, they will return things that the scanning robot didn't like about your site. One of those things that some scanning robots don't like is that the login form of Drupal has autocomplete turned on, so your browser might be storing those passwords, so the scanning bot says no, that's not allowed, you can't do that. In order to fix that, it's a fairly straightforward hook_form_alter, a very short module, to be able to change that. That is what this module is, according to the project page. I don't know this maintainer, I'm not sure exactly what his or her plans are; according to the project page, as they come across other issues they will probably continue to update the module and make changes as needed. Also, you need to have a basic understanding of general Drupal issues when it comes to security and code as well.
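The two Drupal-side points above, keeping card data out of `cache_form` and the `sessions` table, and turning off autocomplete on the login form, as one added Drupal 7 module. This is example code written for this page, not the talk's code, not Drupal core and not the PCI Update module; the module name `pci_hygiene`, the checkout form and the two processor helpers at the bottom are all hypothetical, and the helpers stand in for whatever gateway module you actually use.

```php
<?php
/**
 * @file
 * Hypothetical "pci_hygiene" module for Drupal 7 (added example, not the talk's
 * code). Shows a two-step checkout that never parks the card number in
 * $form_state['storage'] or $_SESSION, plus autocomplete="off" on login forms.
 */

/**
 * Implements hook_form_FORM_ID_alter() for user_login.
 *
 * Scanners flag a password field the browser may remember; the fix the talk
 * describes is exactly this: a short alter setting autocomplete="off".
 */
function pci_hygiene_form_user_login_alter(&$form, &$form_state, $form_id) {
  $form['pass']['#attributes']['autocomplete'] = 'off';
}

/**
 * Implements hook_form_FORM_ID_alter() for user_login_block.
 */
function pci_hygiene_form_user_login_block_alter(&$form, &$form_state, $form_id) {
  pci_hygiene_form_user_login_alter($form, $form_state, $form_id);
}

/**
 * Two-step checkout form: step 1 takes the card, step 2 confirms and charges.
 *
 * Every rebuild between steps writes $form and $form_state['storage'] to the
 * cache_form table, so storage must only ever hold the token and the last four.
 */
function pci_hygiene_checkout_form($form, &$form_state) {
  $step = empty($form_state['storage']['step']) ? 1 : $form_state['storage']['step'];

  if ($step == 1) {
    $form['number'] = array(
      '#type' => 'textfield',
      '#title' => t('Card number'),
      '#required' => TRUE,
      '#attributes' => array('autocomplete' => 'off'),
    );
    $form['cvv'] = array(
      '#type' => 'password',
      '#title' => t('Security code'),
      '#required' => TRUE,
      '#attributes' => array('autocomplete' => 'off'),
    );
    $form['next'] = array('#type' => 'submit', '#value' => t('Continue'));
  }
  else {
    // Step 2 can only show what was kept: the last four digits, never the PAN.
    $form['summary'] = array(
      '#markup' => t('Paying $40.00 with the card ending in @last4.',
        array('@last4' => $form_state['storage']['last4'])),
    );
    $form['pay'] = array('#type' => 'submit', '#value' => t('Pay now'));
  }
  return $form;
}

/**
 * Submit handler for both steps.
 */
function pci_hygiene_checkout_form_submit($form, &$form_state) {
  if (empty($form_state['storage']['step'])) {
    // What the talk warns against: carrying the raw card over to the next step.
    //   $form_state['storage']['card'] = $form_state['values']['number'];  // lands in cache_form, plain text
    //   $_SESSION['checkout_card']    = $form_state['values']['number'];  // lands in sessions, plain text
    //
    // Instead, trade the card for a token right now and keep only that.
    $form_state['storage']['token'] = pci_hygiene_tokenize(
      $form_state['values']['number'], $form_state['values']['cvv']);
    $form_state['storage']['last4'] = substr($form_state['values']['number'], -4);
    $form_state['storage']['step'] = 2;

    // Scrub the raw values before the rebuild so nothing downstream (watchdog,
    // debug output, a later cache write of the form) can pick them up.
    unset($form_state['values']['number'], $form_state['values']['cvv']);
    unset($form_state['input']['number'], $form_state['input']['cvv']);
    $form_state['rebuild'] = TRUE;   // this is the moment storage is written to cache_form
    return;
  }

  // Step 2: charge with the token only; the card number is long gone from this server.
  $ok = pci_hygiene_charge($form_state['storage']['token'], 4000);
  drupal_set_message($ok ? t('Payment accepted.') : t('Payment failed.'), $ok ? 'status' : 'error');
  $form_state['storage'] = array();   // multistep state is no longer needed
  $form_state['rebuild'] = FALSE;
  $form_state['redirect'] = '<front>';
}

/**
 * Stand-ins for the processor's API (assumed; a real gateway module goes here).
 */
function pci_hygiene_tokenize($number, $cvv) {
  return 'tok_' . drupal_hash_base64(drupal_random_bytes(16));
}

function pci_hygiene_charge($token, $amount_cents) {
  return strpos($token, 'tok_') === 0;
}
```

To try it you need the usual `pci_hygiene.info` file and a `hook_menu()` entry whose page callback is `drupal_get_form` with `pci_hygiene_checkout_form` as its argument. After submitting step 1, `SELECT data FROM cache_form` is the check that matters: the serialized `$form_state` row should contain the token and the last four digits and nothing resembling a full card number, and the same query against the `sessions` table should come back clean.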
Cross-site scripting, where you're able to have untrusted users executing JavaScript on your site, could be a bad thing. Obviously SQL injection, where folks can do nasty things to your database, may expose data to bad people, as well as cross-site request forgeries. These are kind of the three most common vulnerabilities found in Drupal modules. Being able to understand them and know them and write code so that kind of thing doesn't happen is something that whoever is doing your code reviews needs to be familiar with. I hope everyone here in the room is familiar with the Drupal security team. I'll tell you a little bit about the security team. It's a group of volunteers who work on Drupal websites themselves, and they have security knowledge, and they're able to help out the community with that knowledge. The Drupal security team receives reports of vulnerabilities in Drupal core or from contrib modules, and then they deal with those reports. They figure out what needs to happen, they get maintainers involved to fix vulnerabilities, they might jump in and do some work on a Drupal core bug, that kind of thing. The way the Drupal security team works is that security is handled in private until something has been fixed, at which point it becomes as public as possible. I hope you're all signed up to receive Drupal security updates, either from the Twitter feed that exists, from an RSS feed, or from emails, all of which can be found on drupal.org/security to get that information. Great, so now I've scared the stuff out of you, right? We're worried about what we can be doing wrong. There's a lot we need to know to be able to do it right. Don't be scared. Have a plan, right? Hopefully I can empower you this afternoon in this last little section. Here's my plan. This is what I'd like for you to do if you need to do something about your current status when it comes to compliance. Step one: you need to go to pcisecuritystandards.org. That's the website
of the PCI Council. It has the information that you need. You need to download and read the standard; the PCI DSS version 2 is current. While you're downloading that document, there are two other documents I'd like you to get: Navigating PCI DSS, and the Glossary of Terms, Abbreviations, and Acronyms, because PCI QSAs like to use lots of acronyms, because they're PDQ. The Navigating the PCI DSS document I think is very vital, because as you go through and you read the standard, and you later move on and read the questionnaire itself, you need to determine what exactly they are trying to do here, and that is what's in the Navigating the PCI DSS document. It really kind of tells the intentions of the council and allows you to understand what they want of you if you're confused. So those three documents: sit down with them together and get reading. I know that's no fun, reading technical documents. The second thing, after you have a great knowledge base on the PCI standard, is go get the self-assessment questionnaire that fits for you, on that website as well. There will be descriptions about each of the questionnaires, and you need to determine which one is going to probably fit you based on the type of business you do. Do you have credit card information that's crossing your server? It's encrypted when it gets there, but you know that sensitive data is there: you'll likely end up filling out SAQ C. If you don't, if you use one of these cool new hot tokenization things and that sensitive data never hits your server, SAQ A is probably something that's going to be more likely suited to you. But you need to be able to sit down, read through the questions and see exactly what they say needs to be done, and you need to determine what you don't have done yet, because the next step is to go get another document, yet another document, from that website, which is the Prioritized Approach to pursuing compliance. They understand that you're not always going to be perfect and that there will probably be problems with
your current setups you need to understand that they also want you to be improving your current setup in order to achieve compliance you need to find the order of operations in how you should be improving things so what is more of a problem than something else if you're deficient in 10 areas this document will help you rank those 10 areas and make sure that you hit the vital ones first and maybe hit the ones that aren't necessarily as important towards the end I'm expecting a bunch of questions so now would be that time and I've been told that there is a microphone in the center and the folks doing the recording would prefer you use that hi uh thank you you bet um my question has to do with uh the uh I guess the section a piece I combined sqa a um and uh what I'm wondering is if you use one of these uh forms that doesn't uh go directly to your site but goes to some some other site um don't you still have I mean if somebody has a javascript or something on the on the client side something could still go wrong so I'm not quite sure why um it's less relaxed I guess that's the great question um yeah it is a lot less relaxed if you're using one of these third party things the what it comes down to is you can't be responsible for what's happening on the client side your application is designed to act in a certain way so you need to make sure that it can it can act in that certain way um people may put themselves at risk if their own computers have issues sadly the standard can't reach out and touch everyone's browser and make them upgrade that kind of thing or ensure that they have virus scans running on their local machines as well does that kind of make sense just uh I'm just wondering about like um the issues having to do with let's say if you have a developer adding something to the page not necessarily something that the user because it's a problem of the client but it's it's coming from your server yet you know what I mean it's like so all of these um quality 
controls and checking the your you still have I mean this one still have to do that that's what I'm wondering about yeah uh so what you're saying is is that you're developing it or you're using a certain type of application that doesn't necessarily need the higher level uh but it's still a custom rolled application and there's a lot that could go wrong right you're right and in my opinion I'd like to see more of a requirement six for bespoke applications um required yeah it's something that you definitely need to make sure that you're doing right in house um you'll find that being compliant doesn't necessarily mean you have good security or good practices it means you're filling out the square right you're checking the box things are okay um you need to make sure you're doing it well beyond compliance in cases like that sir hi um I wandered into the long into the wrong presentation and you just scared the hell out of me um we're just getting into this our boss said oh we're gonna start selling education courses and continuing education credits on the on the web um I think we did it all wrong um we're small we we were saving credit card numbers and we think that's a bad idea so we're gonna stop doing that we're using a payment gateway but we don't have the band power to figure this out where do we go how what are we going to do next the problem is is that it's a hard problem to have and there aren't a whole lot of easy solutions within Drupal there are some great commerce packages that allow you to do a lot but I've never had a commerce install where you haven't had to write your own code at some point it's something that's going to take manpower is what you're doing requiring recurring billing no no well we could recurring billing but we think for simplicity's sake we just ask the client to re-enter his credit card and tell them we're doing it for security reasons and hopefully give them a warm fuzzy at the same time yeah for sure um once again I can't stress 
enough if you can avoid storing credit card data yeah we're not gonna we're not gonna do that at all but there's still going to be entering data through a web form and we're then sending that sending that to a payment gateway so I guess we want to put in one of these tokenization solutions right but we still probably wouldn't pass an audit it depends an audit and a scan are different things the lower level vendors will be required to do exactly what their payment gateways ask them to do well we are low we are low level so that's we're doing very few transactions maybe a couple hundred a month so you'll have to get in touch with your payment gateway and see what they want of you likely they'll want you to fill out an essay queue okay and they'll require the outside network scans okay okay remember that if you're doing something like web form and and charging a credit card and going through the gateway you're responsible for that code so you need to understand what's going on within the web form module you need to understand what's going on with your custom code or or you know if you're using a payment module that kind of thing you need to understand what's happening there and be responsible for that and I think it's a good idea too bad news is we outsourced that yeah for sure okay thanks my question is about pa dss which you obviously clearly made a note to make that just connected from this because I feel like some of the questions that they're asking are more pa dss focused so my question is going through this process are they also auditing on pa dss and looking at the solutions for the payment enrollment sure do you understand what I'm asking are they nested together so if I go for PCI compliancy does it depend on license does it depend on the level of what I have to worry about in pa dss sure the question is all about the pa dss which is the payment application data security standard adjust as long and just as complicated document as compared to the PCI dss the 
payment application data security standard as I understand it and as I've dealt with in the past doesn't apply to the sites that I've worked with and here's why the payment application data security standard applies to software that's been licensed to third parties and commercial software that kind of thing I'm sure there's a better description on the website outlining what types of software apply to the pa dss doesn't drupal fall in that though because that's a very gray great catch yeah doesn't drupal fall in that it's very great yes it is a third-party license by the gpl that said the pa dss does not apply to custom applications you are making customizations to this application that are one off or perhaps they're bespoke you know custom it's a it becomes a bespoke application and you're responsible for the code base thanks my question is regarding the responsibility and where that lies whether it be the web designer developer compared to the store owner like who should be in charge of making sure the site is PCI compliant who should be paying for the scans and filling out the questionnaires sure great question I take it are you a smaller shop kind of thing and you're working with folks building e-commerce or yeah we we're a company building websites for small customers yeah so great there's a number of stores that we build anyway yes the it is it is kind of a problem space and you as someone who's building this website for this vendor need to understand that you need to keep it not your issue you're the one who doesn't end up signing the bottom line as the vendor on the saq in the end they need to be responsible and understand that they're the ones who are end up you know dealing with this information because they're the ones who have this website they need to end up owning it okay so so if vulnerability was broken through and information got let out they would go to the store owner for that correct in most cases and now i'm not going to say that they're not 
going to come to you right at least the store owner isn't right but okay thank you well that's the 21st century right so we're in the process of moving our credit card data to a third party and my question is a couple different pieces regarding to hosting the form for the credit card entry from the third party of the different levels between doing it from a page that we host in an iframe versus having them host the form and masking the url to show our domain versus the final one of having them host the form and showing their domain for example like you flip over to pay power then before you coming back to us of i obviously i know each in that order they're better but to stay pc i compliant and keep the keep everyone happy how far down can i go on that list away from the trickery with iframes for sure stay away from the stay away from the trickery and do i have to show can i mask the url to be our domain or should i show the third party it's a great question i would prefer showing the third party just trying to get another opinion sure thinking of your first slide and you said you're not a lawyer so maybe this isn't fair to ask but i'm glad i put that there exactly we have um it happens pretty rare i mean once in a blue moon but every once while we may have someone who will contact us through our website and just bypass the store all together and may send us an email talking about this about and at the end say hey can you sign me up for your publication here's my credit card information short of deleting that and maybe anything on the servers is there anything else we should be doing to protect ourselves are we responsible for anything malicious may happen or or how would you handle that yeah um great question so you're saying uh some client said here's my credit card number and they sent it to you you know yeah or something yes boy don't ever send credit card information in emails remember that email is like a postcard right great question there's also another 
question about faxing that could be the same thing sure and PCI will apply to think you know credit cards coming in in the mail or faxes or that kind of thing for sure you know people can mail off a credit card i'm paying my bill it just needs to be handled properly and you know you'll have to jump in and read the standard and figure out that kind of thing but to answer your question um about email you know hey i really like what you're doing and sign me up here's my information um when i was working in a non-profit organization one thing that our data folks who sent emails and had the touch points with our constituents regularly they made sure in their email signature to say please don't send us credit card information or a credit card or other sensitive information in emails just as kind of that reminder another thing that we did as a good policy is we made sure that that email was you know deleted from everywhere we could find it before it got on backups because you end up storing you know information on backups and and you know you need to do what you can to get rid of it at that point for sure i understand like you said at the beginning that this isn't like um you know law these uh compliances but um are they covered in like the contracts or agreements that you have with your your uh merchant account and so forth great question yes absolutely it's it's all a part of your contract that says yes i'm agreeing that this is the way it's going to be and they're expecting you to a read that and understand what it means hi so i'm working a non-profit as well and um we're in the process of switching over a system we'll be processing donations on our website i'm sorry can you speak up a bit yeah um i'm we're in the process of switching i'm short i didn't stand on my tiptoes um we're in the process of beginning to process donations in our website in the next probably month or so um so we're looking at all the pc i complications and one of the things you said that which 
unnerved me was we need to own drupal 100 percent we obviously haven't made customizations to all of drupal and for the areas where we are our vendors and have made customizations we have most of that documented and pretty well understood but certainly we don't know the entire drupal stack and every piece of it and it seems like a really high bar in general do you have any like guidance on where that line really is and how much we need to be able to 100 be able to account for you need to own your software that said you need to be darn sure wherever the credit card is traveling in your software has been done right it can be depending on your particular implementation or so there's a little bit of a flame war going on on drupal.org right now about pa dss and i don't think we need to engage in it here um but it's around whether or not uberkart needs to meet pa dss as a standard and the comment you made about well if it's if it if you've modified it then it's custom code as far as i understand if it's custom code then you need to pay for a third party code audit to ensure that that that meets sort of whatever compliance is necessary and you know we're looking at e-commerce options and there's no way we we're a small non-profit no way we could afford for a third party code audit of all of drupal and all of uberkart and and and if you don't end up modifying uberkart code at all then it it seems really clear in my mind that it is does have to meet the pa dss requirement which requires you know coding practices that will never happen in the open source community and actually there's a blog post by one of the people who's on the pc i council talking about open source software and he makes it really payment guru yeah payment guru yeah pc i guru i'm in that comment thread so he you know he makes makes the argument that all open source systems need to meet pa dss standards as well i don't know if you have any comments later in a comment he said unless they're customized yes 
that's true and and then it's going to be a part of your other your pc i audit yes and it's going to be more expensive than you would like it to be you have to pay for the code audit yeah in question in in times of questions like this i will refer to you to a pc i professional there is a company here today who is on the list of approved vendors and they also do drupal which one there's a company here today who's on the list of vendors and they also do drupal i have a follow-up to the emailing of credit card information which obviously in plain text is a no no but i mean per the pc i standard as long as the data is encrypted across the entire path of the message it should be acceptable should be um and what our client we have a recent drupal seven build and the client required that the credit card information be sent via strong encryption um to their their email system and they were very pc i aware um almost to a to a fault there is no fault but you know to to an extreme um so not being encryption experts ourselves we looked for modules thinking that this was a common issue we looked for modules out there that could perform strong email encryption whether it be xmime or pgp or gpg something like that and to our surprise there were none at least that we could find i think there was a drupal six project that was not well supported so we had to go in and build our own i guess my question is did we miss something i mean this seems like a fairly common you know email encryption seems a pretty basic thing and it wasn't too tough to build our own but obviously ours is not robust it's not community supported um so i guess my question is is there a better method that you can think of that would be you know pc i compliant did we miss something um just looking for you know another perspective i'm i'm not sure about your use case about sending it over the email what why is it happening in the first place why did they require an email um actually to avoid some of the pc i 
compliance issues you said they don't want it stored on the server they want it or on the uh web server which they consider to be relatively insecure they consider their email server secure they also considered that the email would remain encrypted because the entire body is encrypted and it would remain encrypted until the client you know on the on the pc itself had their key and typed in their password so they from their perspective it actually was more secure to be encrypted right off the bat and be encrypted you know forever and never be unencrypted it's a tough problem and i'm unfamiliar with drupal and secure encryption modules okay so sorry i thought i'd ask thank you it's going to increase the height because everyone's so tall here they're all bending down okay so my apologies i don't know too much about this stuff and that's why i was really interested in what you're talking about now so i know there's a whole session after this on recurring billing but one of the slides that did confuse me a little was i don't know at what stage it was in which you said you can store the credit card numbers but you can't store the pin i don't know what what implications are then in respect to recurring billing but what's the point of storing the credit card number without storing the pin if you if you can't do the if you can't do anything with it the pin is designed to be kept separate so storing the two together is is kind of outside of the way that they want credit card data to be stored so that's just the way that the the council is decided that this is how you need to be handling credit card data so no sure but what's the point of the credit card data without the pin if we're talking about recurring billing it depends on the payment gateway and their needs as far as what they need to make a charge and yes wonderful session coming up next my colleague Joe will be speaking about recurring billing and it will be absolutely great i just wanted to expand a little bit on 
what you're talking about when the lady from the nonprofit asked you about owning your site and how the credit card it is a difficult i guess process but generally what you're looking for is to make sure that your site is not permanently exploitable so that somebody can take your site and create new forms and then therefore control the user interface on your site and so you can you can find out what most of the problems with your site are just through security scans and things of that nature and again like you said to pretty much own your site but you don't have to own Drupal collectively and i think that to me was coming across as as invoking some fear in some folks here point taken am i opinion is a scary thing so i was thinking during the presentation that uh kind of worrying actually because we've done work on Drupal commerce sites uh from a contract perspective and uh i'm assuming if they ever got pulled into court we would get pulled along with them because there's a documentation process that i'm assuming spreads to every developer that touches the code um and uh on that note is there something that you have seen or noticed in the forums i'm sort of new Drupal um is there a certain area where people routinely make mistakes that cause security compromises i mean i'm sure it sounds like forms api might be an area where people go wild and start making uh security compromises unknowingly but is there something that we should look for especially if it's not a site that we've built a few things that i've mentioned if you have a credit card that's being taken in a multi-step form um that credit card information is probably being stored someplace yeah while that request is happening and may hang around in your form cache things you need to keep in mind so the the things that i've mentioned but generally good Drupal security practices as well ensuring that any sort of user generated text is filtered properly um that kind of thing gotcha cool thanks um having done a 
little bit of searching on this before i've found different answers but when in there your take on it there there's a question on one of the forums that makes it seem that you cannot be PCI compliant on a manage or not on a management on a shared hosting environment is that your take it's a great question um the latest round of standards has uh ways that you can become compliant in virtual environments um it's going to be it's going to come down to how the hosting provider is doing it um so yes there is a recommendation for virtualization and if they're doing it right then yes um there are unmanaged VPS type places that do say that their infrastructure has been blessed thanks our time's up have a great day