• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Cloud Computing and PCI Compliance
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Cloud Computing and PCI Compliance

  • Subject: Re: Cloud Computing and PCI Compliance
  • From: Q <email@hidden>
  • Date: Mon, 23 Aug 2010 23:19:14 +1000

On 23/08/2010, at 10:43 PM, Kieran Kelleher wrote:

...

As he said, and based on our average transaction of about $100, "If we get to a level one, we will have enough money to have an OC3 pipe, all the equipment we need and a full IT department!" ....   :-)

That's a good problem to look forward to having :)

Based on some other internet "research", a possible approach to deal with this scenario might be building a hybrid cloud architecture having most of the deployment in the could while having a separate secure webservices application hosted physically and securely inhouse for storing the encrypted cc records and processing the credit card  transactions themselves. The remote apps would merely send a request to that internal webservices app where the request might have the CCInfo PK and an transaction amount/id for processing, the cloud app would ping cc webservices app every few seconds for transaction status and finally get the result. Such an approach would compartmentalize PCI in a manageable way it would seem. Of course credit cards would still be submitted through forms in the cloud app, but never stored there, from there it would be encryption of the cc info and transmission back to the internal webservices app for permanent storage and or requests to perform cc transactions.

To achieve what I think you are trying to do, you would need to ensure that the cloud app never has access to unencrypted card data. ie. you should collect and encrypt the card data using a form on your inhouse servers.  It's ok for the cloud app to handle the encrypted form of the data, provided it has no way of decrypting it. If the cloud app collects the card data, it doesn't matter if you store it or not, the potential risk of it being exposed by the cloud infrastructure is present.

One approach might be to collection the transaction details (amount, etc) in the cloud app, hand off the user and a token to the transaction to your inhouse app, collect the card data and process the transaction, update the transaction status, hand the user back to the cloud app.  It's a similar model to what many banks and the likes of paypal use for handling card processing, your main app never needs to know the card details, only that the payment process was successful, keep the two operations at arms length.


-- 

Seeya...Q


Quinton Dolan - email@hidden

Gold Coast, QLD, Australia (GMT+10)





 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
References: 
 >Cloud Computing and PCI Compliance (From: Kieran Kelleher <email@hidden>)
 >Re: Cloud Computing and PCI Compliance (From: Simon <email@hidden>)
 >Re: Cloud Computing and PCI Compliance (From: Miguel Arroz <email@hidden>)
 >Re: Cloud Computing and PCI Compliance (From: Simon <email@hidden>)
 >Re: Cloud Computing and PCI Compliance (From: Q <email@hidden>)
 >Re: Cloud Computing and PCI Compliance (From: Simon <email@hidden>)
 >Re: Cloud Computing and PCI Compliance (From: Kieran Kelleher <email@hidden>)

  • Prev by Date: Re: Cloud Computing and PCI Compliance
  • Next by Date: Re: Consuming Remote XML
  • Previous by thread: Re: Cloud Computing and PCI Compliance
  • Next by thread: Re: Cloud Computing and PCI Compliance
  • Index(es):
    • Date
    • Thread