Meeting Payment Card Industry Data Security Standards (PCI-DSS) can be a complex and costly exercise for the average ecommerce merchant. What’s challenging is that there’s no one-size-fits-all approach to achieving and maintaining PCI compliance.
There are various architectural options that can help your business achieve PCI-DSS compliance while using hybrid cloud infrastructure.
It’s important to keep in mind that PCI compliance is a dual responsibility shared by both you and your hosting provider. Hosting with PCI compliant infrastructure does not automatically make your business compliant.
The cornerstone of PCI is data protection. Your company policies and credit card transaction volume are just two of the factors that should guide your decisions on where you store this data and how you protect it. Architectural options to explore include:
1. Store credit card data at a provider offering PCI compliant infrastructure.
2. Store credit card information using a third-party payment gateway, transmitting data server-side using APIs. They collect the data and send it encrypted to your servers.
3. Store credit card information using a third-party payment gateway, transmitting data directly from the client browser to the gateway so that it does not reach your server.
Compare the cost of using a third-party payment gateway with the cost of storing credit card information in your data center or a provider’s data center. You can use these calculations to guide your decision:
If you find storing data on-site is more expensive than the gateway, consider moving to a gateway. If using the payment gateway is more expensive or a third-party gateway is incompatible with other company policies, consider storing data in a PCI-compliant data center on dedicated servers.
Calling the gateway's APIs directly from the client browser keeps your server infrastructure out of the scope of PCI compliance, because all sensitive data is transmitted between the user and the payment gateway only.
When you choose to transmit credit card information from the server side using third-party payment gateway APIs, your server infrastructure falls within the scope of PCI compliance, because sensitive data crosses your infrastructure.
The following table outlines how to meet PCI guidelines by using various Rackspace and third-party products on dedicated infrastructure.
When you host your environment with Rackspace, you can also sign up with a separate payment processor to provide tokenization: the replacement of credit card data with surrogate values, or “tokens,” that carry no meaning outside the payment processor's system. When you accept a payment, non-PCI data is routed to your Rackspace-hosted environment, while the tokenized credit card data is routed to your payment processor.
Since your customers’ credit card data is not routed to your Rackspace-hosted infrastructure—only to the payment processor—your Rackspace environment stays out of the scope of your PCI requirements.
Check out these Rackspace Cloud Tools partners for Rackspace-recommended payment gateway services:
A simple, developer-friendly way to accept payments online, Stripe handles custom payment forms, card storage, subscriptions and direct payouts.
Braintree is a full-stack payments platform for mobile apps and websites. The service provides merchant accounts, a payment gateway, recurring billing, credit card storage, mobile SDKs with one-touch payments, and foreign currency acceptance.
With more than 123 million active accounts in 190 markets and 25 currencies around the world, PayPal enables global commerce via mobile devices and in-store. Service features include automatic fraud screening, the Seller Protection Policy, and the Bill Me Later® financing option.
For more information, please download the white paper “PCI Compliance in Rackspace Hybrid Cloud” and tune in to the webinar recording “PCI compliance in hybrid clouds,” featuring Rackspace, CloudPassage and GigaOm.