Re: Cloud Computing and PCI Compliance
Re: Cloud Computing and PCI Compliance
- Subject: Re: Cloud Computing and PCI Compliance
- From: Jon Nolan <email@hidden>
- Date: Mon, 23 Aug 2010 07:12:45 -0600
- Organization: Loch Garman
Kieran,
You can save yourself at least half the headaches by staying out of the storage business completely.
Authorize.net's CIM works very well for us. Obviously there are still PCI compliance concerns but they are drastically reduced.
http://developer.authorize.net/api/cim/
Jon
On 8/23/10 6:43 AM, Kieran Kelleher wrote:
My colleague at work who looks after PCI compliance sent me this interesting info, which clarifies a lot.
• PCI Compliance Level 1 - Merchants processing over 6 million Visa transactions annually (all channels) or Global merchants identified as Level 1 by any Visa region
• PCI Compliance Level 2 - Merchants processing 1 million to 6 million Visa transactions annually (all channels)
• PCI Compliance Level 3 - Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
• PCI Compliance Level 4 - Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually
As he said, and based on our average transaction of about $100, "If we get to a level one, we will have enough money to have an OC3 pipe, all the equipment we need and a full IT department!" .... :-)
Based on some other internet "research", a possible approach to deal with this scenario might be building a hybrid cloud architecture having most of the deployment in the could while having a separate secure webservices application hosted physically and securely inhouse for storing the encrypted cc records and processing the credit card transactions themselves. The remote apps would merely send a request to that internal webservices app where the request might have the CCInfo PK and an transaction amount/id for processing, the cloud app would ping cc webservices app every few seconds for transaction status and finally get the result. Such an approach would compartmentalize PCI in a manageable way it would seem. Of course credit cards would still be submitted through forms in the cloud app, but never stored there, from there it would be encryption of the cc info and transmission back to the internal webservices app for permanent storage and or requests to perform cc transactions.
Any opinions on that?
-Kieran
On Aug 22, 2010, at 5:43 PM, Simon wrote:
To be compliant you would need to do your card processing elsewhere that can provide such a guarantee.
no, that's not necessarily the case. it depends on what level of pci compliance you require. checkout the official amazon response on the following thread. they confirm you can build up to level 2 compliance on amazon web services.
http://developer.amazonwebservices.com/connect/message.jspa?messageID=139547
level 1 is the only one that can't be achieved because of the on-site visit requirement. but IIRC that's only necessary if you are processing over 6 million cards per annum.
simon
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden <mailto:email@hidden>)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden