eCommerce in 2015: Architecting for PCI v3 with Drupal

David Strauss

Until the end of last year, accepting online card payments without also lots of PCI compliance work was mostly about not directly handling or storing card numbers.

On New Year's Day 2015, PCI DSS 3.0 took effect, changing the standard in two major ways:

  • The popular "display a form and submit the information to a third-party gateway" approach that used to qualify for the lightest PCI requirements (SAQ A) now requires the much larger SAQ A-EP. 
  • Many individual security requirements are stronger, particularly for authentication.

In this talk, we'll discuss:

  • Ways to divide responsibilities between agencies, merchants (the site owners), and hosts/platforms.
  • How to continue to use the lightweight SAQ A by using "hosted payment pages" in ways acceptable to PCI.
  • If your user experience requires SAQ A-EP or more, how to meet that new standard.
  • The best tools to meet security requirements without building all complexity into every site's codebase.

Session Track

Coding and Development

Experience Level


Drupal Version