Our previous post on this topic "PCI Compliance, subscriptions and the cloud - Part 1" covered some of the debate out there as to the effect of the cloud on PCI Compliance and why we think the cloud has improved the situation for companies launching subscription services.
Unfortunately, you'll get different answers to this question depending on who you talk to. Our last post in the PCI Compliance series will tell you why.
Our answer is based on our experiences dealing with PCI Compliance as a service provider and customers that have asked us to help them with their own PCI Compliance efforts.
The short answer is that subscription services in the cloud taking credit card payments must be PCI Compliant. There are generally two ways to get compliant and it comes down to how you handle the credit card and billing information:
1. Your service or marketing site handles, stores or processes cardholder information
In this case you've made a decision to host the forms that collect the cardholder data and possibly store it within your service to send recurring transactions to a payment gateway.
You will need to implement all the physical security, network security and application security required by the standard. Depending on transaction volumes you may have to pay for yearly audit visits from the assessors.
If you are hosted with a cloud provider that cannot or will not meet the requirements (which is most of them right now) then you can't become compliant.
So, yes, hosting your solution in the cloud will be a problem for PCI Compliance if you go down this path.
2. Your service uses a PCI Compliant service provider to collect, store and process all subscriber cardholder data.
In this case, your service or marketing site does not collect or process cardholder data.
While you are still required to become PCI Compliant, that effort will likely be restricted to filling out a PCI self-assessment form in which you point to your service provider as handling the cardholder data. In this case, ensure your service provider does the following:
- They have service provider level PCI Compliance. Ask them to confirm they hold this level of compliance.
- Your service provider's application or portal never allows anyone in your organization access to your subscriber's credit card information.
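The second option only keeps you out of the heavier compliance path if cardholder data really never lands in your own systems, so it is worth verifying that rather than assuming it. The following is an added Python example, not code from the original post or from any payment provider: a small audit that scans merchant-side records (a subscriber table export, application logs, free-text notes) for anything that looks like a primary account number, using a digit-run regex plus the Luhn check that card numbers satisfy. The sample records are constructed for the example; the field names and the `subscriber_ref` reference format are assumptions, and the card numbers are the widely published test numbers, not real cards.

```python
import re

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop us matching a slice out of a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return normalised digit strings in text that look like card numbers."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def audit_records(records: list) -> list:
    """Return (record id, field name) pairs whose value carries a Luhn-valid PAN."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            if find_pans(str(value)):
                hits.append((rec["id"], field))
    return hits


# Constructed sample data (assumed field names, published test card numbers).
SAMPLE_RECORDS = [
    # Option 2 style: the merchant stores only an opaque reference issued by the provider.
    # The 16-digit order number fails Luhn, so it is correctly ignored.
    {"id": 1, "email": "alice@example.com", "subscriber_ref": "sub_8f3a9c2e",
     "notes": "order 1234567890123456"},
    # Option 1 style: the PAN itself is persisted, pulling this system into scope.
    {"id": 2, "email": "bob@example.com", "card_number": "4111 1111 1111 1111",
     "exp": "12/30"},
    # Leak into a free-text field: a support note that should never hold a PAN.
    {"id": 3, "email": "carol@example.com", "subscriber_ref": "sub_1b2c3d4e",
     "notes": "customer read card 5555-5555-5555-4444 over the phone"},
]


if __name__ == "__main__":
    for rec_id, field in audit_records(SAMPLE_RECORDS):
        print(f"record {rec_id}: field '{field}' contains cardholder data")
```

Run this over an export of whatever your subscription service persists, plus a sample of its logs. Any hit means cardholder data is inside your environment, and the self-assessment route described above no longer describes your situation; the clean case is a table that holds only the provider's reference and nothing that passes the Luhn check.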
The proliferation of subscription services has really muddied the waters for online merchants. With traditional shopping carts and one-time purchases, credit card information was rarely persisted.
As a result, many popular shopping cart frameworks have begun to add plugins for recurring payments but still require the merchant to collect and transmit the cardholder data for their new subscribers. This puts the responsibility on the merchant to meet the PCI Compliance standards.
Bottom line... If you are offering a subscription service, ensure you understand the effort involved to become PCI Compliant.
As a provider of subscription services, if you've had experiences with PCI Compliance, we'd love to hear about them here.
