PCI Compliance, subscriptions and the cloud - Part 1

Posted by: Scott Waldrum in SaaSPCIBilling on  

Does the cloud help with or complicate PCI Compliance for subscription services? For a quick primer on PCI Compliance, check out our previous blog on the topic or our primer page.

Quite a few blog posts lately have been arguing that the cloud makes PCI Compliance more difficult, if not impossible. Don't look to the PCI Security Standards Organization for any answers; you won't find them there. We'll tell you why later in our series on PCI compliance.

Back to the topic...

Way back in October, Chris Hoff wrote a tongue-in-cheek blog post on achieving PCI Compliance for a service that stores cardholder data and runs on Amazon's EC2 service. The Rackspace/Mosso announcement in March stating that their Mosso service "Enables The Spreadsheet Store, an online merchant, to become PCI Compliant" touched off some debate on Chris Hoff's blog as well as on those of other cloud-security-minded folks like Craig Balding and Ben Cherian.

The debate centers on whether Rackspace/Mosso actually enabled PCI Compliance. In this case, achieving PCI Compliance should mostly be credited to the merchant's strategy of using a PCI Compliant service provider to collect, store and process all subscriber cardholder information, so that cardholder data never touched the cloud-hosted storefront.

However, Rackspace/Mosso did in fact step up and work with the security scanning vendors to ensure the storefront was scanned and secure. Amazon EC2 and most other cloud providers to date have not been willing to do this. Good on Rackspace for this, even if their marketing was aggressive.

While I understand the argument and why folks like Chris Hoff have rightfully been raising the issue, we have a different view here at IPA as to the impact of the cloud on PCI Compliance.

We are a service provider that, among other things, collects, stores and processes your subscriber cardholder data. Because we are a PCI Compliant service provider, we insulate you and your service from most of the difficult, expensive requirements of PCI-DSS: cardholder data never enters your own systems, which keeps them out of scope for the bulk of the standard.

Why do we think the cloud has helped here?

We've been doing this for a long time. When we started handling all the recurring payments for ISP and telco subscription services, there were very few, if any, on-demand services like ours. As online services, and more recently cloud infrastructure services, have proliferated, it has become easier and certainly quicker to launch a subscription service. We've therefore seen a whole lot of providers pop up in our space to serve the cloud community.

As a result, you now have a variety of choices. You no longer have to write the subscriber management and recurring payment capabilities yourself and go through the PCI Compliance effort that handling cardholder data entails. Get them from the cloud, from service providers that are already compliant.

Comments (1)

Written by pci dss, May 17, 2009
I've just come across your blog.
Helpful blog!
Cheers.. :-)