Meeting the Payment Card Industry Data Security Standard (PCI DSS) can be a complex and costly exercise for the average ecommerce merchant. What makes it challenging is that there is no one-size-fits-all approach to achieving and maintaining PCI compliance.
There are several architectural options that can help your business achieve PCI DSS compliance while using hybrid cloud infrastructure.
It is important to keep in mind that PCI compliance is a shared responsibility between you and your hosting provider. Hosting on PCI compliant infrastructure does not automatically make your business compliant; the provider's attestation covers its facilities and managed services, and everything you build and operate on top of them is still your responsibility to secure and document.
The cornerstone of PCI is data protection. Your company policies and credit card transaction volume are just two of the factors that should guide your decisions on where you store this data and how you protect it. Architectural options to explore include:
1. Store credit card data yourself, on infrastructure at a provider offering PCI compliant hosting. Every system that stores, processes, or transmits the card data is then in scope for your assessment.
2. Do not store card data yourself; integrate a third-party payment gateway server side. Your server receives the card details from the checkout form and passes them to the gateway over an encrypted API call; the gateway stores the card and returns a token that you keep for later charges.
3. Do not store card data yourself; integrate the gateway client side. The gateway's script running in the customer's browser sends the card details directly to the gateway and hands back a token, so the card data never reaches your server.
Deciding Between Storing Data In-House or Using a Payment Gateway
Compare the cost of using a third-party payment gateway with the cost of storing credit card information in your data center or a provider's data center. You can use these calculations to guide your decision:
- Calculate the monthly cost of the additional products or services required to store credit card data in-house. Rackspace sales can help you build a configuration and estimate its cost.
- Calculate the monthly cost of using a third-party payment gateway: the number of transactions times the per-transaction fee charged by the gateway, plus online revenue times the percentage of revenue paid to the gateway vendor.
If storing data in-house turns out to be more expensive than the gateway, consider moving to a gateway. If using the payment gateway is more expensive, or a third-party gateway is incompatible with other company policies, consider storing the data in a PCI compliant data center on dedicated servers.
Deciding Between Transmitting Data from the Server or Browser
When card data is sent from the customer's browser straight to the gateway's APIs, your servers never store, process, or transmit it, which takes most of your server infrastructure out of the scope of your PCI assessment. It does not remove you from PCI entirely: the checkout page that loads the gateway's script is still served by you, and an attacker who can modify that page can capture card numbers before they ever reach the gateway, so the integrity of that page and of the host serving it remains your responsibility.
When you transmit credit card information from the server side using third-party payment gateway APIs, your server infrastructure is in scope for PCI compliance. This is because the card data crosses your systems, even if it is never written to disk there.
PCI Compliance on Rackspace Dedicated Hosting
The following table outlines how to meet PCI guidelines by using various Rackspace and third-party products on dedicated infrastructure.
PCI Compliance on Rackspace Public Cloud
When you host your environment with Rackspace, you can also sign up with a separate payment processor that provides tokenization: the processor receives the card data, stores it in its own vault, and returns a token, a surrogate value that references the stored card but is of no use to an attacker who steals it from you. When you accept a payment, the non-PCI order data is routed to your Rackspace-hosted environment, the card data goes to your payment processor, and only the token comes back to your systems.
Because your customers' card data is routed only to the payment processor and never to your Rackspace-hosted infrastructure, that environment is largely removed from the scope of your PCI requirements. What remains in scope is smaller but not empty: the page that collects the card data still has to be protected, and the tokens you hold should be treated as credentials, since whoever presents one to the processor can charge the card behind it.
Check out these Rackspace Cloud Tools partners for Rackspace-recommended payment gateway services:
A simple, developer-friendly way to accept payments online, Stripe handles custom payment forms, storing cards, subscriptions and direct payouts.
- Best fit for: Developers building payment applications using APIs
- Pricing: 2.9 percent plus $0.30 per successful charge (price at the time of publication)
Braintree is a full-stack payments platform for mobile apps and websites. The service provides merchant accounts, payment gateway, recurring billing and credit card storage including one-touch payments to mobile SDKs and foreign currency acceptance.
- Best fit for: Developers building payment applications using APIs
- Pricing: 2.9 percent plus $0.30 per successful charge (price at time of publication)
With more than 123 million active accounts in 190 markets and 25 currencies around the world, PayPal enables global commerce via mobile devices and in store. Service features include automatic fraud screening, the Seller Protection Policy, and the Bill Me Later® financing option.
- Best fit for: Handling international currencies
- Pricing: 2.9 percent plus $0.30 per successful charge (price at time of publication)
For more information, download the white paper "PCI Compliance in Rackspace Hybrid Cloud" and tune in to the webinar recording "PCI Compliance in Hybrid Clouds," featuring Rackspace, CloudPassage and GigaOm.