
Drupal PCI Compliance White Paper


Obtaining the Report

Download the Report

Alternatively, you can download, clone, or fork this project’s GitHub repository to get access to the Markdown and HTML versions of this report.

Stay Up to Date

For those wanting to be notified when new versions of the report come out, please sign up for our mailing list. We will not use your email for any purpose other than sending out highly relevant Drupal PCI compliance updates (at most once a month).


This was part of the original proposal for this paper. It has been slightly modified to correct for things like tense, updated statistics, etc. reports over 73,000+ active Ubercart and Drupal Commerce installations. With such a large and active portion of our community involved in eCommerce, one would expect an equal amount of effort and resources being applied towards helping these websites achieve the mandatory security standards set forth by the Payment Card Industry (PCI).

Unfortunately, a definitive guide or comprehensive resource simply didn’t exist. Instead, there were just a handful of articles, forum threads, and videos; most of these resources are fragmented, outdated, and riddled with inaccurate information. Worse yet, Google’s keyword analyzer tool reported that there were only 100-200 keyword searches a month for “Drupal PCI compliance” and other variations. This is extremely low considering that PCI compliance typically takes months of time and resources to research and implement.

Failing to become PCI compliant exposes businesses to legal and financial liabilities. It can also expose Drupal to PR issues, where a breach in security can easily lead to “Drupal is insecure” thinking. This should be a huge concern for the Drupal community as a whole, which prides itself on having a strong focus on security as well as one of the world’s most secure open source CMSs.

This report was created as a means to help Drupal shops, developers, and customers understand their PCI compliance responsibilities. If you have any suggestions on how to improve upon the report, please send feedback to

Finally, we would like to thank our sponsors for dedicating resources and expertise to make this project a reality.


If you have discovered an error, have a suggestion, or want to provide constructive feedback on how to make this document better, please file an issue on the GitHub project page.