Comments on: How To Be PCI Compliant in the Cloud…

By: Dear Verizon Business: I Have Some Questions About Your PCI-Compliant Cloud… | Rational Survivability

Wed, 25 Aug 2010 03:31:07 +0000

[...] but the last time I saw a similar claim of a PCI compliant Cloud offering, it turned out rather anti-climatically for RackSpace/Mosso, so I just want to make sure I understand what is really being said. I may be mixing things up in [...]

Like or Dislike: 0 0

By: Calling All Private Cloud Haters: Amazon Just Peed On Your Fire Hydrant… | Rational Survivability

Wed, 26 Aug 2009 09:20:22 +0000

[...] Further, it should be noted that now that the 800lb Gorilla has staked a flag, this will bring up all sorts of additional auditing and compliance questions, as any sort of broad connectivity into and out of security zones and asset groupings always do. See the PCI debate (How to Be PCI Compliant In the Cloud) [...]

Like or Dislike: 0 0

By: PhilA

PhilA — Fri, 20 Mar 2009 08:14:09 +0000

Educate me here, how should Mosso/RackSpace word their pitch to not entice this response?

Many of the cloud providers are headed towards their marketing approach.

Like or Dislike: 0 0

By: beaker

beaker — Tue, 17 Mar 2009 13:20:56 +0000

@Philip Murphy

Phillip:

Thanks very much for the comment.

I don’t doubt the business case and support you’ve received from Mosso as certainly it reflects the value of the Cloud. What is important to us security wonks is that we make absolutely clear that when a provider suggests they “enabled” PCI compliance, that we clarify what that means.

We’re slightly allergic to that sort of language in our world: “Buy our product/service and BAM! You’re compliant.”

Mosso has every right to market as they see fit, but we’re going to call a spade a spade here.

I am thrilled that Mosso gives you excellent service and value, but some of the messaging here is suspect.

Thanks again for commenting.

/Hoff

Like or Dislike: 0 0

By: Philip Murphy

Philip Murphy — Mon, 16 Mar 2009 21:30:03 +0000

I just wanted to say that from a business perspective, Mosso’s solution is a perfect fit for us.
Truth be told, we previously used a hybrid solution like the one we are using at Mosso with a dedicated server. From our perspective, this was an expensive solution that was not scalable and required us to maintain the server ourselves, as well as pay for excess capacity.
While Mosso’s solution may not be appropriate for large enterprises, it works for us. The stumbling block we encountered with our desire to move into cloud hosting was passing the vulnerabilty scans. Mosso’s platform let us do that.
It is true that the technology is not new. I think what is new is that we asked Mosso to “fix” the vulnerabilities found in our ASV scans and they worked with us to do so. They also detailed a specific set of steps for other e-commerce merchants to follow in order to pass the scans and become compliant.
Previously, from a business perspective there was a thought that one had to use a dedicated server (even if using a hybrid solution like the one described by Mosso) in order to pass the ASV scans AND allow for some level of scalability and traffic spikes. This solution provided by Mosso let us move from a dedicated solution to a more cost-effective and scalable one.
It may not be a new technology but the ability to use some solution other than a dedicated server was new for us from a business standpoint.
Best regards,
Philip Murphy
VP Operations
The Spreadsheet Store

Like or Dislike: 0 0

By: Craig Balding

Craig Balding — Sun, 15 Mar 2009 21:36:10 +0000

@Chris – thanks for the link love and kind words – much appreciated. Let me know when your @source Boston preso/recording is available – from the feedback I’ve heard so far, it sounds really good and I’d like to ensure my readers get to see it.

Like or Dislike: 0 0

By: Bret Piatt

Bret Piatt — Sun, 15 Mar 2009 21:08:22 +0000

You can use SIM with Cloud Sites, not AIM. A good part of the reason for marketing this is to help drive awareness in the merchant community of easier ways to solve PCI so they can do what they want — sell merchandise.
Right now a large portion of the merchant community believes either (a) you use some sort of shared storefront offering like Yahoo! Stores, Volusion, Amazon, eBay, or (b) you have to go build an expensive dedicated environment that contains all of the controls for a Type 5/SAQ D environment.
We want to help educate that you can have a flexible and scalable front end web architecture and a use a payment partner for the cardholder data giving you the majority of the benefits of a dedicated Type 5 environment without much of the direct expense.
We’re going to continue adding security into the cloud as the scalability, speed, and stability allow. Without the latter 3 Ss I’m not sure if anyone cares if it has super duper security features.
Bret Piatt
Rackspace Hosting

Like or Dislike: 0 0

By: Peter Bell

Peter Bell — Sun, 15 Mar 2009 20:55:08 +0000

Just because the site isn’t *storing* cc info, doesn’t mean it is out of scope for PCI. If they store, transmit or process the cc data, surely the site is in scope? That means that if they use (say) auth.net’s simple checkout where the user enters their cc into the auth.net server, they are out of scope, but if they host a form that returns to their server and then calls auth.net using AIM, their website is IN scope.
Could you clarify whether the site you’re mentioning is using simple or advanced integraiton (do they host the cc page and transmit the cc data to auth.net)? If so, it also seems to me that the press release is saying that they helped them to pass the approved scanning process which is only one of the requirements for actually being PCI compliant if the site is in scope.
Looking forwards to learning more!

Like or Dislike: 0 0

By: beaker

beaker — Sun, 15 Mar 2009 19:38:49 +0000

Emil:
I appreciate your comments. I also appreciate the marketing efforts that went in to this announcement, but I respectfully suggest that our definitions of “transparency” given the “simplexity” of the solution presented by The Spreadsheet Store example are not congruent.
Clearly we agree about the hybrid nature of Cloud and its benefits, but we’re going to end up with Clouds on Clouds on Clouds and while you’re piece of the pie may “enable” (in your words) PCI compliance, it’s really just one move in a complex shell game of attempting to reassign/transfer risk.
This isn’t YOUR shell game, you’re just playing it, but while you provide an excellent service that I happen to like very much, what exactly have you done with Cloud Sites from a service delivery and technology perspective that someone else could not by simply redirecting the credit card in-scope data from touching their resources?
Is it really that you’re just the first to point out the obvious or can you explain more about how this is so markedly different from everyone else?
I’m NOT trying to be antagonistic, but if we’re going to discuss this, I’d like to distill it down for my readers.
/Hoff

Like or Dislike: 0 0

By: Emil Sayegh

Emil Sayegh — Sun, 15 Mar 2009 19:22:38 +0000

This was posted on another blog that raised the same issues.
“As you clearly state, we (Mosso) were very transparent in indicating what information is stored on our Cloud and what is not.
The truth is that we are the first Cloud, that we know of, that enabled its Cloud customers to gain PCI compliance using multiple technologies. The future of Cloud technologies is full of these types of hybrid solutions that combine the best of both worlds. The goal for a customer and online merchant, is to get PCI compliance, not be purist in terms of technology. On line merchants want to leverage the Cloud for scaling, and this is a good way to do it by combining both worlds.
The fact that some people knew it was possible, but not executed should not take away from the fact that Mosso was the first one to bring it to market, and execute. A lot of work had to go on from the Mosso side to enable this. There was work involved with the payment gateways to find the best solution for our customers. Also there was work involved with our system to demonstrate compliance with the merchant perimeter scans, something that no other cloud provider has done, to the best of our knowledge.
We are very pragmatic in our approach, and will use the best of both worlds (Hybrid: Cloud/Dedicated) to bring solutions to our customers that can help them, today.
I hope all this helps. Thanks again, and let us if you have further questions. My email is ghrncir@mosso.com.
Greg Hrncir (ghrncir@mosso.com)
Director of Operations
Mosso | The Rackspace Cloud”
Anyone with more questions can also feel free to reach out to me.
Emil Sayegh,
General Manager
Mosso | The Rackspace Cloud
(esayegh@mosso.com)

Like or Dislike: 0 0

By: Michael Janke

Michael Janke — Sun, 15 Mar 2009 18:20:17 +0000

“instead re-direct/use someone else’s service”
I’ve always been a strong proponent of that solution, and implemented it long before PCI existed. (a decade ago? – can’t remember)
So now lets ask a dumb question. If you are outsourcing you storefront hosting to a cloud provider, and you are using off the shelf storefront software shopping cart software, and you are outsourcing card processing to another service, why not just outsource the entire mess to Digital River or someone like that? Who the heck wants to manage a daisy chain of strung-together outsourcers?
While I’m at it, I’ll ask another dumb question. If the cloud provider can’t directly host card data because they don’t meet the compliance regime, why would I trust them to host the rest of my customers private data? Doesn’t that data also need protection roughly equivalent to card data?
I sure think it does. Identity theft is a far large problem for an individual that credit card theft, especially when you are doing dumb things like storing mothers maiden name, place of birth and other identity-theft targets.
You can’t simply revoke your identity and get a new one in the mail 3 days later.

Like or Dislike: 0 0