Vote up!
Vote down!

Am I PCI Compliant?

I've recently built an e-commerce Web site using Drupal 7, the commerce module and the commerce Authorize.NET (AIM) module. This is my first such project, I learned a lot. The site is now processing credit cards. This site is simple, you pay for a training class, that's it.

Q: The question came up, "is your site PCI compliant?"

So this is where I need help. I've watched several Commerce Guys Webinars and read parts of a white paper, but I'm still not sure what to say about the Drupal Web site its self about being PCI compliant.

Can anyone tell me the answer?



Asked by: roosdesign
on December 13, 2013

1 Answer

Vote up!
Vote down!


Great question! And I feel like this is a huge unspoken FAQ that many people avoid because they fear the answer. Like many things in life, it depends.

I've been cautioned against answering your question outright. Let me first direct you to the whitepaper it appears you've already read:


And I recommend you contact Commerce Guys or Rick (the organizer of the PCI whitepaper) directly: http://rickmanelius.com/contact


PS: Below is my best attempt at an actual answer along with a lengthy disclaimer.

DISCLAIMER: Before I continue I want to reaffirm that the advice I'm giving you below is simply "best practices" and in no way represents exactly what you should do. In other words, I don't want to be held liable for any of your actions just because I'm answering a question :)

In general, the best practice with any eCommerce project is to push as much of the liability of the transaction to the payment gateway. In your case, you're using Authorize.net AIM which is not what is called a "transparent redirect" and as such would require a higher level of PCI Compliance to be considered safe.

In general, you can choose to apply for any of the PCI Compliance Levels. Of course we all want the most secure option for the least amount of money, so you are limited by whether or not you can self-certify (self-certification isn't necessarily the easiest or cheapest every time) and what level of PCI Compliance is considered "safe." That is up to you and those you have hired for the project to determine.

Josh Miller
Answer by: Josh Miller
Posted: Dec 16, 2013