
Re: Cloud Computing and PCI Compliance


  • Subject: Re: Cloud Computing and PCI Compliance
  • From: Kieran Kelleher <email@hidden>
  • Date: Mon, 23 Aug 2010 08:43:20 -0400

My colleague at work who looks after PCI compliance sent me this interesting info, which clarifies a lot.

• PCI Compliance Level 1 - Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region
• PCI Compliance Level 2 - Merchants processing 1 million to 6 million Visa transactions annually (all channels)
• PCI Compliance Level 3 - Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
• PCI Compliance Level 4 - Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually

As he said, and based on our average transaction of about $100, "If we get to a level one, we will have enough money to have an OC3 pipe, all the equipment we need and a full IT department!" ... :-)

Based on some other internet "research", a possible approach to deal with this scenario might be building a hybrid cloud architecture having most of the deployment in the cloud while having a separate secure webservices application hosted physically and securely in-house for storing the encrypted cc records and processing the credit card transactions themselves. The remote apps would merely send a request to that internal webservices app, where the request might have the CCInfo PK and a transaction amount/id for processing; the cloud app would ping the cc webservices app every few seconds for transaction status and finally get the result. Such an approach would compartmentalize PCI in a manageable way, it would seem. Of course, credit cards would still be submitted through forms in the cloud app, but never stored there; from there it would be encryption of the cc info and transmission back to the internal webservices app for permanent storage and/or requests to perform cc transactions.

Any opinions on that?


-Kieran




On Aug 22, 2010, at 5:43 PM, Simon wrote:

> To be compliant you would need to do your card processing elsewhere that can provide such a guarantee.

no, that's not necessarily the case. it depends on what level of pci compliance you require. check out the official amazon response on the following thread. they confirm you can build up to level 2 compliance on amazon web services.

http://developer.amazonwebservices.com/connect/message.jspa?messageID=139547

level 1 is the only one that can't be achieved because of the on-site visit requirement. but IIRC that's only necessary if you are processing over 6 million cards per annum.

simon
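Kieran's proposed split (cloud app holds only a card reference and a transaction id, the in-house web service holds the card data and does the processing, the cloud side polls for status) sketched as an added example; this is not code from the thread or from WebObjects, and the class and method names are assumptions. The final function is a detective check a practitioner would run against the cloud-side store: if a Luhn-valid card number ever turns up there, the compartmentalisation has been broken and the cloud environment is back in scope. The card number used in the test is a constructed test value.

```python
import json
import re
import uuid

class CardVaultService:
    # Stands in for the in-house web service that keeps card data and talks to the processor.
    def __init__(self):
        self._cards = {}  # pk -> card record; in a real deployment encrypted at rest, in-house
        self._txns = {}   # txn id -> status reported back to the cloud app

    def store_card(self, pan, expiry):
        pk = str(uuid.uuid4())  # the "CCInfo PK": an opaque reference, not derived from the PAN
        self._cards[pk] = {"pan": pan, "expiry": expiry}
        return pk

    def request_charge(self, pk, amount_cents):
        self._cards[pk]  # raises KeyError for an unknown card reference
        txn_id = str(uuid.uuid4())
        self._txns[txn_id] = "pending"  # the processor call happens in-house, asynchronously
        return txn_id

    def settle(self, txn_id, outcome="approved"):
        self._txns[txn_id] = outcome  # simulates the processor's answer arriving
    def status(self, txn_id):
        return self._txns[txn_id]

class CloudApp:
    # The cloud-hosted application: forwards card data at once and keeps only references.
    def __init__(self, vault):
        self.vault = vault
        self.db = {}  # customer -> {"card_ref": pk, "last_txn": txn_id}; must never hold a PAN

    def submit_card_form(self, customer, pan, expiry):
        self.db[customer] = {"card_ref": self.vault.store_card(pan, expiry)}

    def charge(self, customer, amount_cents):
        txn_id = self.vault.request_charge(self.db[customer]["card_ref"], amount_cents)
        self.db[customer]["last_txn"] = txn_id
        return txn_id

    def poll_status(self, customer):  # what the "ping every few seconds" loop would call
        return self.vault.status(self.db[customer]["last_txn"])

def luhn_ok(digits):
    ds = [int(c) for c in reversed(digits)]
    return (sum(ds[::2]) + sum(d * 2 - 9 if d > 4 else d * 2 for d in ds[1::2])) % 10 == 0

def scan_for_pans(store):
    # Detective check: Luhn-valid 13-19 digit runs anywhere in a store's serialised form.
    return [m for m in re.findall(r"\b\d{13,19}\b", json.dumps(store)) if luhn_ok(m)]
```

Running `scan_for_pans` over the cloud app's store should always return an empty list, while running it over the in-house vault's store shows exactly which side carries the PCI scope.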
