Does anyone have experience with Ubercart emailing credit card details? and PCI Compliancy via encrypted email?


jlambert’s picture


I am not an expert. This is not legal advice. But maybe these thoughts will be helpful.

This is really, honestly, probably just *not* a use case you should be implementing with ubercart. PCI DSS is a changing an very difficult area to work with, and you really need an expert to make sure you stay in compliance with every system (it far exceeds "just Drupal" in terms of policy enforcement).

PCI does govern email. You don't want to be emailing information to clients, and a good rule of thumb is to never expose any part of any card outside of a properly firewalled, https environment (never in email: because just the last four digits of the card is enough for someone to verify things like bank accounts, etc, etc).

Irrespective of PCI, a good rule of thumb is that emails NEVER contain identifiable credit card information. You're just asking for trouble if you do. There are plenty of scanning services to help with this. The best way to handle your use case is to look at enforcing PCI compliance on the edge: Zeus ZXTM has an addon, Ironport is a vendor I've heard of — do your own research.

I've developed some really large-scale ecommerce platforms in my career and compliance was a major cost of the projects I worked on (1 in 10 bucks spent maybe, sometimes more). It's a big area. There are some PCI experts floating around in the Drupal community - I met one at Badcamp back in 2008, but they're hard to find, and most are not going to be putting a lot of specific information about compliance online for legal reasons.

Also, next time you post on this issue please include a lot more detail about what you're trying to do — you'll get better answers.

i-sibbot’s picture

And thank you for your response. Its highlighted a lot of information I already knew, and my question was delibrately fague because I wanted to see what a simple description of my problem would entice out of the drupal forum. I contribute a lot and rarely get any help back, so, again, thank you for your reply.

Summary: The smb wants to implement a store/cart system. We've picked Ubercart as Drupal is the cms of choice, instead of bespoke. Initially the full process from cart to ips was spec'd but now they wish to halt the flow before the transaction is sent to the gateway. Instead, wanting to manual complete the order via manual card processing and or telephone. Following there existing workflow.

Effectively doing everything upto the point of processing the cc via a payment gateway.

My issue is the storing or transmitting of cc details. Either being stored in drupal or sent to the company for manual processing via encrypted pgp email or something.

My understanding of PCI DSS compliance is that if it involves the storing of cc details you have to be quarterly scanned to uphold your compliancy. A seperqate dedicated box for both database, and web. Both firewalled and SSL for web. in a jist.

My question really is, would it be better to try to meet pci compliance which would allow drupal/ubercart to store the details of the order and allow the company to manual complete the order via a hand held terminal, then close and delete the order and the held details.

Or could you avoid pci compliance, or at least nullify your responsibilities by transmitting the detials, without storing, via encrypted email to the company for manual processing via hand held terminal?

Or is this latter option just not feasible.

We're basically trying to see if its possible to be pci dss compliant, but manually completing order. Instead of automatically via a 3rd party ips like worldpay or nochecks.

Thanks in advance for any pointers provided.

skessler’s picture

I am not sure I understand you 100% but I would say in general it is a bad idea to hold CC numbers yourself. There is a lot of legal, maybe ethical, and certainly PR risk. The CIM (line information manager) might be what you are looking for

Ubercart is compatible with this service.

Hope this helps.

Steve Kessler
Denver DataMan -