My colleague at work who looks after PCI compliance sent me this interesting
info, which clarifies a lot.
• PCI Compliance Level 1 - Merchants processing over 6 million Visa
transactions annually (all channels) or Global merchants identified as Level 1
by any Visa region
• PCI Compliance Level 2 - Merchants processing 1 million to 6 million
Visa transactions annually (all channels)
• PCI Compliance Level 3 - Merchants processing 20,000 to 1 million
Visa e-commerce transactions annually
• PCI Compliance Level 4 - Merchants processing less than 20,000 Visa
e-commerce transactions annually and all other merchants processing up to 1
million Visa transactions annually
As he said, and based on our average transaction of about $100, "If we get to a
level one, we will have enough money to have an OC3 pipe, all the equipment we
need and a full IT department!" .... :-)
Based on some other internet "research", a possible approach to deal with this
scenario might be building a hybrid cloud architecture having most of the
deployment in the could while having a separate secure webservices application
hosted physically and securely inhouse for storing the encrypted cc records and
processing the credit card transactions themselves. The remote apps would
merely send a request to that internal webservices app where the request might
have the CCInfo PK and an transaction amount/id for processing, the cloud app
would ping cc webservices app every few seconds for transaction status and
finally get the result. Such an approach would compartmentalize PCI in a
manageable way it would seem. Of course credit cards would still be submitted
through forms in the cloud app, but never stored there, from there it would be
encryption of the cc info and transmission back to the internal webservices app
for permanent storage and or requests to perform cc transactions.
Any opinions on that?
-Kieran
On Aug 22, 2010, at 5:43 PM, Simon wrote:
> To be compliant you would need to do your card processing elsewhere that can
> provide such a guarantee.
>
> no, that's not necessarily the case. it depends on what level of pci
> compliance you require. checkout the official amazon response on the
> following thread. they confirm you can build up to level 2 compliance on
> amazon web services.
>
> http://developer.amazonwebservices.com/connect/message.jspa?messageID=139547
>
> level 1 is the only one that can't be achieved because of the on-site visit
> requirement. but IIRC that's only necessary if you are processing over 6
> million cards per annum.
>
> simon
>
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Webobjects-dev mailing list ([email protected])
> Help/Unsubscribe/Update your Subscription:
> http://lists.apple.com/mailman/options/webobjects-dev/kieran_lists%40mac.com
>
> This email sent to [email protected]
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list ([email protected])
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com
This email sent to [email protected]
