PCI Data Security Standards for sites with CiviContribute and CiviEvent
American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. jointly maintain the standards for payment-card processing through the PCI Security Standards Council (see https://www.pcisecuritystandards.org/about/index.htm). The requirements, and the process for accrediting your site, were tightened as of spring 2008.
Hosting for sites that accept payments through CiviContribute and CiviEvent must comply with those standards whenever the payment plug-in you use does not send the user to external pages to pay. PayPal Standard, for example, sends users to PayPal's own pages to enter card details and returns them afterwards, so card data never touches your site. Plug-ins such as PayPal Pro, Moneris and IATS keep users on your own branded pages, which means your site collects the card data itself; sites of that second kind must comply with the PCI Data Security Standard. https://www.pcisecuritystandards.org/tech/index.htm describes what is expected, for example serving the database from a different server than the one running your web server, and not having the web server also serve mail to users.
In addition to the PCI Data Security Standard (PCI DSS), which requires the hosting infrastructure to be secure, there is the PCI Payment Application Data Security Standard (PCI PA-DSS: https://www.pcisecuritystandards.org/security_standards/documents.php?association=PA-DSS). PA-DSS applies to the application itself, which means CiviCRM and/or Drupal/Joomla would have to be PA-DSS compliant if a site on that platform uses one of the above plug-ins to process cards within the site. The difficulty is that CiviCRM, Drupal and Joomla are open source systems: in theory each installation would have to be assessed separately, because each can have different modules installed, different custom code and a different configuration. On top of that, the PCI assessment has to be repeated every 4 to 12 months, depending on the number of transactions processed. Further discussion of PCI compliance is available on the CiviCRM forum.
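The hosting guidance above (database on a separate server, no mail service on the web server) is easy to state and easy to drift away from. The following check is an example added to this page, not code from CiviCRM or the PCI SSC: it parses `ss -ltn` output from the web host and the `CIVICRM_DSN` line of `civicrm.settings.php` (the `mysql://user:pass@host/db` DSN format is CiviCRM's real one) and reports services that should not be co-located with the web server. The sample listener output and settings fragment are constructed for the example.

```python
"""Scope check for a CiviCRM web host: flags services that should not share
a box with the web server (a local database, a mail server) and checks that
CIVICRM_DSN points at a separate database host.
Example code added to this page; not part of CiviCRM."""
import re
from urllib.parse import urlparse

# Ports whose presence on the web host contradicts the one-function-per-server
# guidance: 25/587 SMTP, 110/995 POP3, 143/993 IMAP, 3306 MySQL/MariaDB.
UNWANTED_LISTENERS = {
    25: "SMTP", 587: "SMTP submission", 110: "POP3", 995: "POP3S",
    143: "IMAP", 993: "IMAPS", 3306: "MySQL/MariaDB",
}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample of `ss -ltn` output from a web host that is also running
# an MTA and a local MySQL (not captured from a real system).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

# Constructed civicrm.settings.php fragment; the DSN layout is CiviCRM's,
# the credentials are made up.
SAMPLE_SETTINGS = """\
<?php
define( 'CIVICRM_DSN', 'mysql://civi:s3cret@127.0.0.1/civicrm?new_link=true' );
"""


def listening_ports(ss_output):
    """Return the set of local TCP ports in LISTEN state from `ss -ltn` text."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # Local address is host:port; IPv6 literals are bracketed, so split on the last colon.
        _, _, port = fields[3].rpartition(":")
        if port.isdigit():
            ports.add(int(port))
    return ports


def colocated_services(ss_output):
    """Names of unwanted services found listening on this host, sorted."""
    return sorted(UNWANTED_LISTENERS[p] for p in listening_ports(ss_output)
                  if p in UNWANTED_LISTENERS)


def civicrm_db_host(settings_php):
    """Extract the database host from CIVICRM_DSN in civicrm.settings.php, or None."""
    m = re.search(r"""define\(\s*['"]CIVICRM_DSN['"]\s*,\s*['"]([^'"]+)['"]""", settings_php)
    if not m:
        return None
    # urlparse handles any scheme with a '//' authority part; .hostname drops user:pass.
    return urlparse(m.group(1)).hostname


def audit(ss_output, settings_php):
    """Return a list of findings; an empty list means the host passes this check."""
    findings = [f"{svc} is listening on the web host" for svc in colocated_services(ss_output)]
    host = civicrm_db_host(settings_php)
    if host is None:
        findings.append("CIVICRM_DSN not found in settings")
    elif host in LOOPBACK:
        findings.append(f"CIVICRM_DSN points at the local host ({host}); "
                        "the database should be on a separate server")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS, SAMPLE_SETTINGS) or ["no findings"]:
        print(finding)
```

On a real host you would feed it `ss -ltn` output and the actual settings file; the check is deliberately narrow (listening ports and the DSN host) and does not replace an assessment against the full standard.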
Should I Consider Using SSL for a CiviCRM Site?
SSL addresses a fairly narrow set of security issues. In fact it addresses three problems (and by the way, I am not a security pro, so don't take anything I'm saying as revealed truth).
SSL is typically deployed with "server-side authentication" only: the server presents a certificate (which the client can choose to trust or not) and the client remains anonymous. This means the client can verify that it is talking to the genuine server, but the server learns nothing about who the client is. Provided the client actually validates the certificate and the host name, SSL protects the connection against passive eavesdropping (someone "sniffing" the line between sender and receiver) and against "man in the middle" attacks (someone placing a device or program between the two endpoints that relays, and can alter, the traffic). Two common points of vulnerability are:
Whether to use an SSL certificate with CiviCRM depends on your payment processing mechanism and on the level of protection the personal information you manage requires. In the first type of mechanism, all transaction information, including credit card numbers, is collected in a CiviCRM form on your site and then submitted to the payment processor; the card data passes through your server, so those pages must be served over SSL. In the second type, the user is redirected to the processor's own secure site to enter card details, and your site never handles the card number. The different cases are:
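Server-side authentication only helps if the client really checks the server's certificate and host name; in the first pattern above, where CiviCRM posts card data to the processor from its own pages, your web server is that client. The following is an added example in Python, not code from CiviCRM or any payment plug-in, contrasting a client TLS configuration that authenticates the peer with the "it works now" configuration that does not. The processor host name is a placeholder and the connection helper is only illustrative.

```python
"""Client-side TLS configuration for a site that posts card data to a
payment processor from its own pages. Example added to this page, not
CiviCRM's own code; PROCESSOR_HOST is a placeholder."""
import socket
import ssl

PROCESSOR_HOST = "api.payment-processor.example"  # placeholder, not a real endpoint


def strict_context(cafile=None):
    """Context that authenticates the server: chain validation against trusted
    CAs (the system store, or `cafile`), host name check, TLS 1.2 or newer.
    This is the configuration that actually stops an interposed attacker."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # create_default_context already sets these; restated so the intent is visible.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def weak_context():
    """The configuration often found in integration glue after a certificate
    error 'went away': traffic is encrypted, but nobody checks who the peer
    is, so a man in the middle presenting any certificate is accepted.
    Shown for contrast only; do not use it for card data."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode=CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def authenticates_server(ctx):
    """True if the context will reject an unverifiable or mis-named server
    certificate and refuses pre-1.2 protocol versions."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def open_verified_connection(host=PROCESSOR_HOST, port=443, cafile=None):
    """Open a verified TLS connection to the processor. Passing server_hostname
    is what drives the host name check; a bad certificate raises
    ssl.SSLCertVerificationError instead of silently proceeding."""
    ctx = strict_context(cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


if __name__ == "__main__":
    print("strict context authenticates server:", authenticates_server(strict_context()))
    print("weak context authenticates server:  ", authenticates_server(weak_context()))
```

The weak variant is the one to look for when reviewing a plug-in's HTTP client code: any setting that disables certificate verification or host name checking turns the connection to the processor into something an on-path attacker can terminate and read.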
How Do I Install SSL on My Site?
What Else Should I Be Thinking About?
So SSL (and other data protection measures) can help in some of these circumstances. But in my opinion this is not where you will see the most common attacks. Those will be directed at the data itself, which lives on the host and client computers. These attacks require a lot less sophistication and are a lot less dangerous for the people doing the dirty work. To protect against this sort of attack you will want to consider the following:
1. Policies - Everything from who gets what kind of permissions to how you treat passwords. Password policies are critical (IMHO) - because
2. Network security -
3. System security -
If you don't believe that individuals' computers can be hijacked, take a look at these:
Also, if you are serious about protecting a sensitive (political) client's business from cyber attack, you should consider -
So what's a reasonable solution? Get a security audit, and then outsource. Very few organizations have the time or expertise to deal with these issues comprehensively or effectively. If you want to find out how vulnerable you are, have a professional do an audit. If you want to build a secure environment yourself, fine, but you will spend a lot of time and money doing so. Find a host you trust and let them do the heavy lifting for you. You will still have to implement decent organizational policies, however; otherwise your security is useless.
To recap: is SSL the way to go? Probably, for the specific problems it fixes. The analogy is a really big lock on your door: if the window is left open and the alarm is turned off, you shouldn't have much confidence in your solution.