Level 4 PCI compliance when not storing credit card numbers

Can level 4 be achieved without doing a redirect? I know rackspace tells me no, which seems insane to me.

You collect credit card info and POST to authorize.net over SSL and then you're done, no cheap redirect (eg Paypal).

I am to believe even if you do the SAQ deal and quarterly scans you can't be compliant on a cloud site?

Does anybody know for sure?


I am not sure I fully understand your question, but I do some PCI work in a service provider setting, so maybe I can help.

If you handle credit card data at all, even only in transmission, you must be fully compliant with all sections of the PCI DSS. Certain provisions may not be applicable, for example if you don't store the data, the data-at-rest provisions may not apply, but you are still responsible for compliance.

You may of course pay someone else for some of the compliance work, but the responsibility of compliance cannot be absolved by outsourcing.

@jaykali:

> You collect credit card info and POST to authorize.net over SSL and then you're done, no cheap redirect (eg Paypal).
You'll have to more fully define "collect". If that means that the information exists on your Linode (even if just transiting through memory for you to re-post it to the processor) then that server falls under PCI compliance. If you mean it just exists in your customer's browsers/PCs and never transits your server, then your server need not fall under the PCI compliance umbrella.

> I am to believe even if you do the SAQ deal and quarterly scans you can't be compliant on a cloud site?
My personal view is that no, no cloud server can really be PCI compliant per the current rules. At least not in isolation. Think of it this way - nothing you do individually on your VPS can stop the Linode host from having full and complete access to your filesystem, network traffic, or even memory contents. And if you've got backups enabled, what about all the servers they may reside on? So there's a security exposure you can drive a truck through and that is completely outside your control - at least in terms of satisfying PCI compliance.

Now, if your cloud provider were themselves compliant (they might become compliant as a service provider rather than merchant) I suppose maybe something could work, but for a provider to do that in a general VPS environment is hard to imagine (most PCI service providers would seriously lock down any hardware involved with the credit card processing), and even if possible I'm not certain any VPS provider would go through the headaches involved given that other companies specialize in that.

All is not lost though - some merchant processors (Braintree and I think Dow Commerce are two) have mechanisms to permit you complete control of the customer experience (UI, shopping cart, etc…) without requiring that you ever access their card information - card details are securely posted directly from your customer's browser to the processor servers where they are securely used or stored. So in that case you can avoid PCI compliance on your server, and if you're purely a web based merchant, you get to fill out the shortest and simplest SAQ form.

-- David

David is pretty much correct. What we do is put customers who require PCI compliance into separate networks and we have PCI processes and services around those. Segregating networks is the single best thing one can do, as it limits scope. There are whitepapers which talk about how to be compliant in a virtual network and still adhere to the network segregation requirements, but this is an area where one has to tread very carefully.

Consider this: one requirement is to have only "one primary function per server." Well, at what level is that distinction made? Is it the hypervisor? Is it the OS? You may get a different answer depending on the QSA you ask.

The customers we do PCI for have dedicated hardware, with different virtual hosts on the same hypervisor. We recommend not mixing PCI and non-PCI hosts on the same box.

Then there are policies you have to write, pen tests to perform, remote logging... It's just not feasible for a small operation.

Do everything in your power not to touch credit card data. Many small merchants handle CC data thinking because they are small operations that they don't have to comply. They're mistaken. Everyone who so much as sneezes at a CC has to comply 100%, regardless of volume.

I would also be very interested in getting a definitive answer to this question. I contacted Linode support, and unless there was some misunderstanding, the answer seemed to be "we can't answer that- you should ask the community". In other words, they may or may not be a suitable provider, but don't want to take on the liability of calling themselves suitable to host PCI-compliant sites.

So… does anyone have any suggestions on what those of us seeking Level 4 compliance should do? A dedicated server is far too expensive for our business, and Linode is otherwise such an attractive solution…

@danep:

> I would also be very interested in getting a definitive answer to this question. I contacted Linode support, and unless there was some misunderstanding, the answer seemed to be "we can't answer that- you should ask the community". In other words, they may or may not be a suitable provider, but don't want to take on the liability of calling themselves suitable to host PCI-compliant sites.
I think the closest you could come to a definitive answer would be to have a full audit and implementation through a QSA. And I'm not absolutely certain that even that is complete protection from the card companies in the event of a breach, should something turn out to be inaccurate or incorrect. PCI compliance is really a self-certification (the QSA "assesses" and recommends what needs to be done, but in the end it's you self-certifying). While there is a certification process for QSAs, they aren't all necessarily equal (at least that's my understanding).

> So… does anyone have any suggestions on what those of us seeking Level 4 compliance should do? A dedicated server is far too expensive for our business, and Linode is otherwise such an attractive solution…
For my part I'll stick with my prior suggestion. I do not believe you can handle credit cards (e.g., have access to the protected data such as the number) on your Linode and be PCI compliant. Just try to answer the SAQ in that context, knowing how a Linode operates on a common host that has full access to your data if it wanted it.

But that hardly precludes using Linode in general. Just run everything other than CC information - offload that completely to a PCI compliant processor.

You don't have to spend a ton to become compliant - just choose a separate processor so you don't have to touch or process the CC numbers. As noted in my other post, both Braintree (which is the only one I have personal experience with) and Dow Commerce have solutions that still provide you with complete control of the customer user interface, while never having to transmit or process the card data. I'm sure there may be others. And there are certainly any number that are available as long as you're willing to give up some control over the UI (e.g., use their cart or web interface).

It's especially easy if you're purely web based, since offloading the card data handling lets you use the simplest SAQ as long as you never transmit, process or store the protected data.

You need a processor anyway to execute the transactions, so just choose one that also solves the CC transmission/storage problem.

– David
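The design David describes in the two posts above (card details posted from the customer's browser straight to the processor, with the merchant server seeing only an opaque token) works only as long as nothing ever sends a real card number to your server by mistake. The following is an added example, not code from the thread or from any of the processors named in it: a merchant-side guard that accepts a checkout request carrying a token, walks the request body for anything that looks like a PAN (13 to 19 digits passing the Luhn check, with spaces or dashes allowed), and refuses the request without logging it if one is found. The field name `payment_token`, the `amount_cents` field and the `forwardToProcessor` stub are assumptions for illustration; a real processor's server-to-server call would replace the stub.

```javascript
// Added example (not from the original thread): a "scope guard" for the
// token / direct-post checkout design. The browser sends card data to the
// processor and gets back a token; this server-side handler accepts only the
// token and rejects any request that carries something that looks like a
// card number, so a front-end bug cannot silently pull the server into
// PCI scope. Field names and the processor call are assumptions.

// Luhn mod-10 check. Every real PAN passes it, so it filters out most random
// digit runs (order numbers, phone numbers) without blocking real orders.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Walk a decoded request body (strings, arrays, nested objects) and return the
// JSON path of the first value containing a Luhn-valid 13-19 digit window,
// or null if the body is clean. Spaces and dashes between digits are
// collapsed first so "4111 1111 1111 1111" is caught. This deliberately
// errs toward false positives: a rejected checkout is cheap, a PAN that
// reaches your disk or logs puts the whole server in scope.
function findPan(value, path = '$') {
  if (typeof value === 'string') {
    const collapsed = value.replace(/(\d)[ -](?=\d)/g, '$1');
    const runs = collapsed.match(/\d{13,}/g) || [];
    for (const run of runs) {
      for (let len = 19; len >= 13; len--) {
        for (let start = 0; start + len <= run.length; start++) {
          if (luhnValid(run.slice(start, start + len))) return path;
        }
      }
    }
    return null;
  }
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findPan(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (value && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const hit = findPan(value[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

// Stand-in for the processor's server-to-server charge call (assumption: the
// shape of this call is invented; a real processor API goes here).
function forwardToProcessor(charge) {
  return { charged: charge.amount_cents, token: charge.token };
}

// Checkout handler for the token flow. Returns a plain result object so it
// can be wired into any HTTP framework. Note that the body is never logged
// or echoed back on the error path: that would write the PAN somewhere.
function handleCheckout(body, forward = forwardToProcessor) {
  const panPath = findPan(body);
  if (panPath) {
    return { status: 400, error: `raw card data not accepted (field ${panPath})` };
  }
  if (typeof body.payment_token !== 'string' || body.payment_token.length === 0) {
    return { status: 400, error: 'payment_token required' };
  }
  const receipt = forward({ token: body.payment_token, amount_cents: body.amount_cents });
  return { status: 200, receipt };
}
```

The same `findPan` walk is worth running over anything else the server persists (log lines, support tickets, database rows) as a periodic check that the "never touches card data" claim in your SAQ is actually true, since the SAQ is a self-certification and nobody else will check it for you before a breach.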

I agree with db3l: find someone you like that is PCI compliant, send all your transactions there, never touch a credit card's details and you'll be fine. It's what I've been doing for years.

Thanks David. I'm beginning to realize that as a self-certification process, PCI compliance can't really be a "definitive" thing, and really it's a matter of limiting your liability (in addition to fulfilling the requirements of the merchant provider). Linode support sent me a second email with quite a long description of the security features that they implement at their data centers and on their servers that would make me feel comfortable getting PCI compliant on their servers (under SAQ C at least).

I investigated Braintree as you proposed and I'm amazed at how superior it is to the alternatives we've been looking at (i.e. Paypal), in terms of keeping customers on our site and making PCI compliance easy. However, it's a little pricey considering the types of sales we make (~$100 / month)

I'll have to decide whether the cost of either of those solutions is worth it to keep customers on our site. If you have any thoughts on the value of this (in terms of usability and building trust with customers) I'd appreciate hearing them.

Cheers

Dane

@danep:

> However, it's a little pricey considering the types of sales we make (~$100 / month)

At that amount stick with paypal/moneybookers once you grow then you can add additional payment solutions.

@danep:

> Thanks David. I'm beginning to realize that as a self-certification process, PCI compliance can't really be a "definitive" thing, and really it's a matter of limiting your liability (in addition to fulfilling the requirements of the merchant provider). Linode support sent me a second email with quite a long description of the security features that they implement at their data centers and on their servers that would make me feel comfortable getting PCI compliant on their servers (under SAQ C at least).
Just to check, you mean being compliant if you offload the CC processing as we're discussing right? In that case, you should actually be able to use the simplest SAQ A. Otherwise, you probably need to use SAQ D if you're holding onto card data. Oh, unless you're talking about just accepting the information and transmitting it to the processor but never storing it in which case SAQ C could apply.

It's important to realize that the underlying rules of compliance are no different in any case - it's just that under the right situation you can use a simpler form since the assumption is that some of the protection requirements don't apply (e.g., those for stored CC information if not storing it). And I think that a shared VPS environment such as Linode is still problematic to the basic goals and requirements of compliance, at least sans Linode specifically operating a PCI compliant infrastructure and certifying as such.

In the PCI context, you (for your compliance) sort of have to treat anyone or any equipment outside your direct control - so this includes Linode staff and the host your Linode is on - as a potential adversary. Not suggesting that they'd ever be a problem, but they will have access to your guest environment in ways that you have no way of preventing/protecting. That to me makes it hard for you to certify, by yourself, that you will comply.

To be clear, I'm definitely not saying that Linode's security policies and processes aren't excellent (I don't have first hand knowledge either way), just that whether they are or aren't is not exactly relevant for the purposes of PCI compliance, unless they've specifically certified themselves as PCI compliant, which I don't think is true (nor would I really expect it to be).

To be honest, at some level part of this gets silly, and this is after all primarily self-certification, and can be analyzed to death. But the business exposure should a breach occur is real - albeit a risk/penalty analysis can also be done against that.

I think that work done to become compliant is never wasted since most of the goals (if not to my mind, sometimes the specific requirements) are valuable and just trying to meet them can tighten your security. But I also tend to feel that it's easy to work hard to be compliant and just miss some holes, whereas offloading the work to a separate organization (hopefully larger) that has spent more resource on it than you wish to, and get that benefit, is worth something, if only peace of mind.

> I investigated Braintree as you proposed and I'm amazed at how superior it is to the alternatives we've been looking at (i.e. Paypal), in terms of keeping customers on our site and making PCI compliance easy. However, it's a little pricey considering the types of sales we make (~$100 / month)
Yeah, obviously that's something specific to each case, and yes, the fixed overhead to the vault (which provides the compliant storage) is a bit more ($20 I think) each month on top of the basic account. I haven't checked their site recently, but looking at it now it looks like the ~$100 includes their minimum payment level of $75, but as long as you have $40 of transaction fees (total sales of about $1000 of $30 items could do it for example) you hit that level on your own without getting hurt by the minimums.

You can offset a little of this with the saved fees in quarterly security scans that you won't need to do, but you can manage that probably for around $100/year nowadays. And those savings offset other external PCI solutions as well.

But I don't want to overly push Braintree since I don't want to imply there aren't other good solutions out there. Certainly if your estimated transaction load isn't going to hit their minimums, I'm not sure they'd be a good fit. I suspect Braintree itself uses this to avoid targeting sites below a certain level. But if nothing else, they might give you some ideas of features to be looking for in other providers.

> I'll have to decide whether the cost of either of those solutions is worth it to keep customers on our site. If you have any thoughts on the value of this (in terms of usability and building trust with customers) I'd appreciate hearing them.
My own business use for CC processing is as part of a proprietary franchise portal used by our facilities, so it was important to me to be able to maintain control of the UI, and I didn't want to be on the hook for PCI compliance for each franchisee (who get their own BT account). I don't operate an e-commerce site though I'd imagine if I did I'd also want such control, but can't say that I could put a price on it in the abstract. Certainly when we add direct customer interaction (on behalf of franchisees) I anticipate it being simple since I have the external secure storage to use without needing to do anything on my own servers.

I know as a consumer interacting with a shopping site, if I find myself off-loaded to a site like PayPal during a checkout process (not by my choice like with a "Google Checkout" button but the normal flow of the site), I can't help feeling the site is a little "lighter weight" so to speak. Sort of similar to when you hit a site and realize that it's just one of those quick 'n dirty Yahoo-based store front sites. Probably unfair, but… Then again, I can't say that it's ever stopped me from making a purchase if it was what I wanted.

Wow, this got long … well, if you're still with me, about the only final suggestion I'd make is to try your best to include all costs when doing comparisons - fixed and marginal transaction overhead. Some services might have lower fixed costs but also cost you a fraction of a percent more on the transactions, which depending on your load can add up quickly. Some might or might not be up front about costs to create a merchant account, etc…

To come round to the original topic though, I do think you should place real value on an off-loaded solution that provides PCI compliance on your behalf (this includes separately hosted carts like the basic PayPal service). It's just such a pain in the butt if you end up touching the CC information.

-- David

Thanks for the very thoughtful (and extensive :) ) post! I suspect a lot of people will find that information useful- I certainly do.

Cheers

For what it's worth, Amazon Web Services announced today that EC2, S3, EBS, and VPC have been certified as PCI DSS v2 Level 1 service providers (http://aws.typepad.com/aws/2010/12/aws-achieves-pci-dss-20-validated-service-provider-status.html).

I'm sure it's a horribly involved process, but this is at least an existence proof that a service like Linode could become certified. Are there any plans to do so?

@johnso87:

> For what it's worth, Amazon Web Services announced today that EC2, S3, EBS, and VPC have been certified as PCI DSS v2 Level 1 service providers (http://aws.typepad.com/aws/2010/12/aws-achieves-pci-dss-20-validated-service-provider-status.html).
>
> I'm sure it's a horribly involved process, but this is at least an existence proof that a service like Linode could become certified. Are there any plans to do so?

I imagine this would require great demand from Linode customers for Linode to do it, since I expect it would be an expensive and time consuming undertaking, especially since Linode doesn't own its data centres. Can you imagine getting the 5 data centres to be audited as well as Linode's own infrastructure…

I'll admit I'm impressed. I hadn't really expected any VPS provider to go through the effort to certify PCI service provider compliance, though I guess if anyone were going to do so, Amazon likely has the resources.

I'd love to see their SAQ answers, in terms of the various "compensating controls" they must document at various points :-)

I doubt this changes things much for smaller providers like Linode in terms of the effort versus benefits of such compliance, but perhaps over time it'll have an effect of making the process easier for VPS providers if compliance in such environments becomes a more understood element from the PCI side.

This doesn't impact the requirements on merchant compliance, and how it could require separating functions on your VPS hosts or controlling their network access within your guest environment, but it does mean you could at least become fully compliant on top of Amazon's cloud.

– David

You also have to take in account that Amazon is the 800 pound Gorilla to Linode's much smaller fluffy animal; and as such they can afford the time and money to achieve the whole PCI compliance.

Personally, I use Linode as the nuts-and-bolts for my projects, and if I need payment, I'll offload that to a payment processor, mostly because it's a lot easier and saves me some headaches, and secondly because from a PCI compliance perspective, it makes my life infinitely easier because as many people before have said, you can go for the simpler forms.

On the other hand, if you're processing about $100 a month, your best bet is to just stick with Paypal and Moneybookers and the like, places like Braintree (they're awesome from a developer point of view) don't really start paying off until you process about $1000 to $3000 monthly, by which time you should also have a much clearer idea of how you want to handle your payments.

Keep in mind though that picking a payment provider is akin to getting married, make sure you get to know them and do your due diligence, there's a lot of shady processors out there, and a lot of snake oil is being sold in the payment processing sector. (I'll just mention 'iBill' and see how many people now go "arrrghh").

@boxedlogs:

> You also have to take in account that Amazon is the 800 pound Gorilla to Linode's much smaller fluffy animal; and as such they can afford the time and money to achieve the whole PCI compliance.

But fluffy animals can be deadly too


@obs:

> But fluffy animals can be deadly too
Especially bunnies!

– David
