IP Applications Billing and Payments blog

Welcome to the IPA company blog. You'll see opinions here from a number of IPA employees on topics ranging from general SaaS and cloud happenings to specifics on PCI compliance and other subscriber management and recurring payments topics.

Do you need PCI Compliance to sell a subscription service in the cloud?

Our previous post on this topic "PCI Compliance, subscriptions and the cloud - Part 1" covered some of the debate out there as to the effect of the cloud on PCI Compliance and why we think the cloud has improved the situation for companies launching subscription services.

Unfortunately, you'll get different answers to this question depending on who you talk to. Our last post in the PCI Compliance series will tell you why.

Our answer is based on our experience dealing with PCI Compliance as a service provider, and on the customers that have asked us to help them with their own PCI Compliance efforts.

The short answer is that a subscription service in the cloud that takes credit card payments must be PCI Compliant. There are generally two ways to get there, and which one applies comes down to how you handle cardholder and billing information:

1. Your service or marketing site handles, stores or processes cardholder information

In this case you've made a decision to host the forms that collect the cardholder data and possibly store it within your service to send recurring transactions to a payment gateway.

You will need to implement all of the physical, network and application security controls required by the standard. Depending on your transaction volume you may also have to pay for yearly on-site audit visits by an assessor.

If you are hosted with a cloud provider that cannot or will not meet those requirements (which is most of them right now), then you cannot become compliant, regardless of what you do in your own application.

So, yes, hosting your solution in the cloud will be a problem for PCI Compliance if you go down this path.

2. Your service uses a PCI Compliant service provider to collect, store and process all subscriber cardholder data.

In this case, your service or marketing site does not collect or process cardholder data.

While you are still required to become PCI Compliant, the effort will likely be restricted to completing a PCI self-assessment questionnaire in which you point to your service provider as the party that handles cardholder data. In this case, ensure your service provider meets both of the following:
  • They are validated as a PCI Compliant service provider, not merely as a merchant. Ask them to confirm that level of compliance.
  • Their application or portal never allows anyone in your organization to view your subscribers' credit card numbers.

The proliferation of subscription services has really muddied the waters for online merchants. With traditional shopping carts and one-time purchases, credit card information was rarely persisted; the card number passed through once and was gone.

In response, many popular shopping cart frameworks have begun to add plugins for recurring payments, but these still require the merchant to collect, transmit and often store the cardholder data for each new subscriber. That puts the merchant squarely on the first path above, with the full PCI Compliance burden that comes with it.
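The difference between the two paths, as it shows up in the merchant's own signup handler, is easy to see in code. The following is an added example, not code from the original post or from IPA's product. It assumes a provider that lets the browser send card details directly to it and hands back an opaque reference, here called `payment_ref` (a hypothetical field name). The second handler also adds the check a practitioner wants on that path: it refuses any submission that carries something that looks like a card number, so a misconfigured form or a plugin that posts the PAN to your server cannot silently pull you back onto the first path. PAN detection here is a digit-run pattern plus the Luhn check digit test; all form data is constructed for illustration.

```python
import re

# Added example, not code from the original post or from IPA. All form data
# below is constructed for illustration.

# A run of 13 to 19 digits, optionally separated by single spaces or dashes,
# that is not embedded in a longer digit string.
_PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits):
    """Luhn check digit test; every major card brand's numbers pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the digit strings in `text` that look like primary account numbers."""
    pans = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def signup_path_1(form):
    """Path 1: the merchant's own form posts the card number to the merchant.

    From this point the server stores or forwards cardholder data, so the
    whole environment is in scope: physical, network and application
    controls all apply, and the cloud host must be able to meet them too.
    """
    return {
        "email": form["email"],
        "card_number": form["card_number"],   # cardholder data now lives here
        "pci_scope": "full",
    }


def signup_path_2(form):
    """Path 2: the browser sent card details straight to the compliant
    provider, which returned an opaque reference (hypothetical `payment_ref`).

    The merchant stores only that reference. Anything that looks like a PAN
    is rejected so the server never becomes a system that stores, processes
    or transmits cardholder data.
    """
    joined = " ".join(str(v) for v in form.values())
    if find_pans(joined):
        # Do not echo the offending value: that would put the PAN in your logs.
        raise ValueError("cardholder data reached the merchant server; rejected")
    return {
        "email": form["email"],
        "payment_ref": form["payment_ref"],   # meaningless outside the provider
        "pci_scope": "self-assessment",
    }


if __name__ == "__main__":
    # Constructed submissions: a clean path-2 signup and a leaky one where a
    # plugin put the card number into the reference field.
    clean = {"email": "sub@example.com", "payment_ref": "tok_constructed_001"}
    print(signup_path_2(clean))
    leaky = {"email": "sub@example.com", "payment_ref": "4111 1111 1111 1111"}
    try:
        signup_path_2(leaky)
    except ValueError as exc:
        print("refused:", exc)
```

The guard in `signup_path_2` is deliberately aggressive: a false positive costs one rejected request, while a false negative means cardholder data has landed on a server that was never built to hold it. If your framework's recurring-payments plugin makes the second handler raise, that plugin is doing the collecting and transmitting the post above warns about.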

Bottom line... If you are offering a subscription service, ensure you understand the effort involved to become PCI Compliant.

As a provider of subscription services, if you've had experiences with PCI Compliance, we'd love to hear about them here.

PCI Compliance, subscriptions and the cloud - Part 1

Does the cloud help with or complicate PCI Compliance for subscription services? For a quick primer on PCI Compliance, check out our previous blog post on the topic or our primer page.

Quite a few blog posts lately have been arguing that the cloud makes PCI Compliance more difficult, if not impossible. Don't look to the PCI Security Standards Council for an answer; you won't find one there. We'll tell you why later in our series on PCI Compliance.

Back to the topic...

Way back in October, Chris Hoff wrote a tongue-in-cheek blog post on achieving PCI Compliance for a service that stores cardholder data while running on Amazon's EC2 service. The Rackspace/Mosso announcement in March stating that their Mosso service "Enables the spreadsheet store, an online merchant, to become PCI Compliant" touched off some debate on Chris Hoff's blog as well as on those of other cloud security minded folks like Craig Balding and Ben Cherian.

The debate centers on whether Rackspace/Mosso actually enabled PCI Compliance. In this case, achieving PCI Compliance should mostly be credited to the strategy of using a PCI Compliant service provider to collect, store and process all subscriber cardholder information, which keeps that data off the merchant's own storefront.

However, Rackspace/Mosso did in fact step up and work with the security scanning vendor to ensure the storefront was scanned and secure. Amazon EC2 and most other cloud providers to date have not been willing to do this. Good on Rackspace for that, even if their marketing was aggressive here.

While I understand the argument and why folks like Chris Hoff have rightfully been raising the issue, we have a different view here at IPA as to the impact of the cloud on PCI Compliance.

We are a service provider that, among other things, collects, stores and processes your subscriber cardholder data. Because we are a PCI Compliant service provider, we insulate you and your service from most of the difficult, expensive requirements of PCI-DSS; what remains on your side is the self-assessment that points to us as the party handling the card data.

Why do we think the cloud has helped here?

We've been doing this for a long time. When we started handling all the recurring payments for ISP and telco subscription services there were very few, if any, on-demand services like ours. As online services, and more recently cloud infrastructure services, have proliferated, it has become easier and certainly quicker to launch a subscription service. As a result, we've seen a whole lot of providers pop up in our space to serve the cloud community.

So you now have a variety of choices. You no longer have to write the subscriber management and recurring payments capabilities yourself and go through the PCI Compliance effort that comes with holding card data. Get them from the cloud, from service providers that are already compliant.

PCI Compliance – what is it?

Posted by: Jason Grant in SaaS, PCI, Billing

Most of us have heard of the PCI standard. Some of us have gone through the implementation and maintenance of a PCI compliant system. If you're not familiar with the standard, and what it entails, let me shed a little light on the subject.

PCI, or more precisely PCI-DSS, stands for Payment Card Industry Data Security Standard. It is a set of requirements introduced by the PCI Security Standards Council (composed of members representing American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.) in an effort to ensure the protection of credit card data by the organizations that handle it, such as online stores and billing companies.

What kinds of things are covered by the standard? Well, as a short list: building and maintaining a secure network, protecting stored and transmitted cardholder data (including encryption), maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing the systems and their security, and maintaining an information security policy. There are other great sites that provide detail on the standard; http://pcianswers.com, for example, has a good overview.

Clearly, the list crosses the boundaries between operations and development and requires a focused effort to achieve compliance.

So, what should you do if you want to handle credit card data yourself? Well, if you have the operational and development skills in house and, more importantly, the time, compliance is achievable. Our company was fortunate to have not only a development department but a capable operations department and control of our own datacenter. Often, software-focused organizations do not have the operational knowledge to ensure all the security measures are in place, or to get them in place. At the very least, depending on your transaction volume, you will need to bring in a third party to actually carry out the required audits.

Be prepared for the ongoing maintenance and updates that come along with PCI compliance. In addition to the scans of the system that must be carried out on a regular basis by an external party, the standard itself evolves. For example, as of the end of June 2008, public-facing web applications had to be protected by either an application-layer firewall or regular application security reviews, in addition to the network-level firewalls that were already required.

PCI is a good standard, and the maintenance of our compliance makes use of all of our available technical and procedural skill sets. For those of you just getting involved with the standard, take a close look at all that it entails, and be sure you have the skill sets available to become compliant.