How to Utilize Cloud Sites in an E-commerce Solution
Building an e-commerce solution using Cloud Sites
Cloud Sites is designed to provide an elastic web-hosting environment. This capability can allow an e-commerce merchant to properly handle the high-volume shopping season without carrying extra infrastructure throughout the remainder of the year. Cloud Sites is not currently designed for the storage or archival of any credit card related information; all credit card information must be handled on the payment gateway.
In the Cloud Sites infrastructure you can host the entire e-commerce environment up to the point where the customer provides credit card information during checkout. When the shopper has a cart and clicks "purchase", you use your payment gateway partner's API to provide a transaction ID and a dollar amount to authorize.
The customer will then connect directly to the Card Processing System on a new session and input their payment information.
After the Card Processing System validates the transaction it will return an authorized/failed message. The failure messages can contain details such as: insufficient funds, invalid card number, failed to complete transaction. The communication from the Card Processing System to the Web Front End can never contain cardholder data. Cardholder data includes: primary account number, expiration date, name as it appears on the card, CVV, CVV2, and magnetic stripe information. In other words, all credit card related information must be handled by the gateway and not handled by or stored on Cloud Sites.
The Web Application Database can store information to uniquely identify the transaction with the Payment Processing System such as: transaction ID, customer name, dollar amount of the transaction, date/time of transaction, return status of the payment request.
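The storage rule above, as an added example that is not code from Rackspace or any payment gateway: a Python check the web front end could run on each gateway reply before writing to its database. The message field names, the forbidden key names and the sample messages are assumptions constructed for illustration.

```python
import re

# Fields the article says the web application database may store.
ALLOWED_FIELDS = ("transaction_id", "customer_name", "amount", "timestamp", "status")
# Assumed key names that would signal cardholder data in a gateway message.
CARDHOLDER_KEYS = {"pan", "card_number", "expiration_date", "name_on_card",
                   "cvv", "cvv2", "track_data"}
# 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?:\d[ -]?){13,19}")


class CardholderDataError(ValueError):
    """The gateway message carries data that must stay on the gateway."""


def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def contains_pan(value) -> bool:
    # A digit run only counts as a card number if it passes the Luhn check.
    for match in PAN_CANDIDATE.finditer(str(value)):
        if luhn_valid(re.sub(r"\D", "", match.group())):
            return True
    return False


def record_from_gateway(message: dict) -> dict:
    """Return the row to store, or raise if cardholder data is present."""
    for key, value in message.items():
        if key.lower() in CARDHOLDER_KEYS:
            raise CardholderDataError(f"forbidden field: {key}")
        if contains_pan(value):
            raise CardholderDataError(f"PAN-like value in field: {key}")
    if message.get("status") not in ("authorized", "failed"):
        raise ValueError("unexpected status")
    # Anything outside the allowed list (such as free-text details) is dropped.
    return {k: message[k] for k in ALLOWED_FIELDS if k in message}


# Constructed sample messages (not real gateway output).
CLEAN = {"transaction_id": "ord-7f3a9c", "customer_name": "A. Shopper",
         "amount": "49.99", "timestamp": "2014-11-28T10:15:00Z",
         "status": "failed", "reason": "insufficient funds"}
LEAKY = dict(CLEAN, reason="invalid card number 4111 1111 1111 1111")
```

Rejecting the whole message, rather than stripping the offending field, keeps a misbehaving integration visible instead of silently storing part of it.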
Below is an example process flow that shows where the hand-off occurs between the e-commerce site and the payment gateway provider:
Cloud Sites vulnerability scan policy
Since Cloud Sites is designed to be a multi-tenant cloud hosting solution, scans for PCI compliance or vulnerability are not allowed per the Cloud Sites acceptable use policy.
© 2014 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License