-   Linux - Security (
-   -   is PCI Compliance possible in a multi-node cloud setup? (

sneakyimp 10-10-2012 01:37 PM

is PCI Compliance possible in a multi-node cloud setup?
I'm helping a client evaluate a different architecture for their site. At the moment they have a managed dedicated server hosting a site that accepts credit cards for certain transactions. I'm wondering if it's possible to store tokenized payment data in a cloud-hosted database or whether this is not PCI-compliant. Strictly speaking, no credit card data is stored in this system. However, the tokenized payment data is stored and may transit the cloud's network between nodes.

We have started to discuss the possibility of using Rackspace's cloud products to host the site. E.g.:
option 1
* application (the php website) runs on a Cloud Server. this Cloud Server terminates the SSL connection with users/customers.
* Database hosted by Cloud Database instance.
* Another Cloud Server performs image import routines with partner sites (must talk to database and deliver resized images to a content delivery network)

The problems with this option are that:
1) rackspace says that Cloud Servers are not PCI compliant, presumably because they run on shared hardware. I've been told that these cloud servers are therefore "not auditable" or something.
2) while we do not store any credit card numbers in our database, we do store tokenized references to this information. That is to say we store a customer profile id (customer id) and a customer profile payment id (customer credit card id) that correspond to data stored by our transaction gateway provider. These tokenized references are meaningless integers unless you also have the account id and api transaction key we use to interact with our transaction gateway. If you have both the api credentials (stored in a php file on our application server) and the tokenized account references, then you can actually take people's money.

Because Rackspace says the cloud servers are not PCI-compliant, this suggests we can't use option 1 because we would be using a Cloud Server to terminate our HTTPS connections and collect credit card data.

option 2
* dedicated managed server hosts application server
* database either Cloud Database service as above OR we host mysql on the dedicated server with a Cloud Server replicating the live data as a slave
* Cloud Server performs image import routines blah blah blah

In this situation, we'd still have dedicated/managed hardware aso our HTTPS endpoint and would therefore be pci-compliant in that respect, but we are still storing this tokenized customer payment data in cloud (i.e. shared-hardware) environments. Is that acceptable? Is this tokenized data considered "sensitive" ?

Any thoughts on PCI compliance are welcome. Any thoughts on the data pathways in the above architecture are also welcome.

linuxStudent11 10-11-2012 08:44 AM

I've occasionally had to worry about PCI compliance for a small business I once ran.

Off hand, I'd say "no". You probably can't even "transit" the site with CC data ... unless it is fully encrypted using their specified compliant techniques.
If you really want to do this, you'll need to request, in writing, a full audit of everything you intend to do. They get to bill you their hourly rate$ to decide if you are fully compliant. I also recommend hiring a lawyer to be on the safe side.
Bare in mind that these are bureaucrats and politicians who wrote these laws. They're really not big on creative people. :D

Another possibility: Try to find someone who is (or has) done EXACTLY the same thing. Get the audit costs from them.

But my bottom line recommendation: "Keep-It-Simple-Stupid". The PCI compliance laws were not written by rocket scientists. And they certainly knew (and still know) NOTHING about cloud computing.

Sorry I can't supply a happier response. Frankly, I hate those laws.

One more idea...
The money part of your transaction sounds pretty vanilla. So the smart thing for you is to just sign up with any of the *multitude* of CC transaction services offered. You can just get them to do the $ transaction hosting.
Then, when you got the money, just instruct your (completely separate) cloud server to download/serve/send whatever product you want. You could use any standard server to host the scripts to automate that. Thus, you pay someone else to worry about PCI compliance. You serve products. And you withdraw the money you'll get from your hosting bank.
I think this is what you really want to do. :)

sneakyimp 10-11-2012 07:39 PM

I appreciate your response, but suspect that it *must* be possible to effect PCI compliance in the cloud. I also respectfully assert that your grasp of the concepts here is somewhat imprecise. PCI Compliance guidelines are not laws, they are guidelines developed by a consortium of companies. Additionally, these recommendations don't require any external assessment unless your organization runs some minimum number of transactions. Under that threshold, you are permitted to perform a Self-Assessment using one of their questionnaires.

As for the cloud, Amazon claims its EC2 instances are PCI compliant:

PCI DSS Level 1
AWS has achieved Level 1 PCI compliance. We have been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). Merchants and other service providers can now run their applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. Other enterprises can also benefit by running their applications on other PCI-compliant technology infrastructure. PCI validated services include Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), Amazon Elastic Block Storage (EBS) and Amazon Virtual Private Cloud (VPC), Amazon Relational Database Service (RDS), Amazon Elastic Load Balancing (ELB), Amazon Identity and Access Management (IAM), and the underlying physical infrastructure and the AWS Management Environment.
* option 2 described in my OP above uses a dedicated managed server as the HTTPS/SSL endpoint.
* no cardholder data is stored on our system -- the user-related payment data we do store is not "cardholder data" and can only be used to extract money from our customers and deposit it in our merchant account. this data is therefore not the sensitive information described in the PCI Compliance guidelines.

What is baffling me at the moment is which questionnaire applies to my company. They are labeled A through D. I think level C or D would apply, but the rackspace customer support tech said that no we are A for this application.

All times are GMT -5. The time now is 11:32 AM.