15 comments

[ 0.14 ms ] story [ 53.4 ms ] thread
It's clearly specified in the requirements that you need a dedicated host, and if you want to do Sarbanes Oxley or HIPAA compliance you will need your server to be in a certified data center.

No VPS account can every qualify, and that's the reason why we're on a $500+ standalone host at some fed-approved data center instead of getting the bigggest bang for our buck and getting a slice or a linode account.

Wouldn't it be pretty simple to provide this as a service? Even if you want amazon-like "we stored your creditcard data" service, just have a third party store them, and give you a handle for each card, that can only be used with a specific merchant ID. That handle is worthless in the hands of a hacker.

If this doesn't exist, I smell an opportunity.

If this doesn't exist, I smell an opportunity.

You smell right.

http://news.ycombinator.com/item?id=767509 http://news.ycombinator.com/item?id=765950

Hello mseebach and welcome to the club, I am one of your would-be competition ;-)

I do it for healthcare records, credit card records will require a change in our press releases ;-)

Sounds interesting.. I don't understand, however, how would your health record services compete with a credit card processing service? Short of something costing an arm and a leg? :)

But to recap the idea -- people become PCI certified because they need to store a creditcard number for recurring charges. There are service for subscription type recurring charges, eg. same amount every X period, but no service where a credit card number can be stored and then charged an arbitrary amount non-periodically? E.g. toll-roads with an RFID in the car, AWS usage-dependant charges or Amazon-like "store-your-creditcard" webshops ..

Are there any other reasons to become PCI certified, short of actually being in the CC business? I guess people are comfortable enough being redirected to a payment window on a third party website, so transmitting is not an issue.

If you have a "continuous authority" facility enabled on your merchant account you can make arbitrary charges on card numbers authorised and stored by your payment processor. CA doesn't seem too hard to acquire, at least here in the UK it was easier than we expected at worldonahanger.com. The downside with this approach is that in the event that you want to switch payment processors, you have to ask your customers to resubmit their card details for reauthorisation (as far as I can tell).
Hopefully this will discourage people from storing credit card data. I would much rather buy something from you via Paypal, Google, or Amazon than give you my information directly. It is easier for me, and safer for you.
I was about to point out what other people have too, why would you store CC data? and if you did, you wouldn't even consider storing it in the cloud anyway.
One reason why a company would want to store credit card data is to make it easier for returning customers to purchase things. Besides the fact that I am paranoid, the reason why I don't keep my cc data with amazon is that I know that if I log into my amazon account and all it takes is 1 click for me to buy something I will be even poorer than I already am in no time.

People buy more stuff when you reduce the barriers of entry on a purchase.

Why you would store CC data in the cloud, that I don't know, but I guess if it was a secure and reliable service,why not?

If you want to do recurring payments, gateways will give you a transaction ID you can store instead of the CC number. Then, when you want the next payment, you give them the ID and ask for more money.

You don't have to store the details at all, but you can do everything through your site without handing the user off to a third party.

Anybody have a good link about what PCI compliance is, why I need it and how I get it?
PCI is, just like most other certifications, like a pyramid scheme. Except you don't get a piece of the pie :-)
Braintree (a payment processor I use and highly recommend) has a number of resources (videos, articles, etc.) at their blog (http://www.braintreepaymentsolutions.com/blog). Look on the left-hand side for the PCI-specific resources, or use the search bar on the right for their blog archives.
Ha! Goes to show that regulations don't mean much. I'm sure millions of credit cards are stored in ec2.