Vaulting Credit Cards - jusben1369
http://blog.spreedly.com/?p=201

======
JimmaDaRustla
Awesome! I imagine this would allow you to use your own merchant services
provider instead of paying fees for companies like Stripe. Although, if I have
to do online payments in the future, I may use Stripe for ease of use.

The power of this allows companies to use merchant services available to them
without having to worry about PCI compliance!

------
JoelJacobson
Cool idea, but something which would be even cooler would be a PCI-DSS
compliant "pci-blackbox" which is an isolated open-sourced component you can
run in an Amazon EC2 instance, which can store all your encrypted sensitive
card data.

That way, you wouldn't rely on any third-party provider, such as spreedly.com.

~~~
tantalor
Does PCI compliance apply to software or the operator?

In your EC2 example, does it suffice to say "this software is PCI compliant"?
Or do you and Amazon need to be PCI compliant?

This is one of the things that freaks people out about putting sensitive
information in the cloud.

~~~
JoelJacobson
Yes, Amazon is PCI-compliant:

[https://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/](https://aws.amazon.com/security/pci-dss-level-1-compliance-faqs/)

This means part of the work is done. Then if the isolated pci-blackbox you are
using is also PCI-compliant in how it deals with card data, encryption,
hashing, etc., then what is left is not much: basically mostly documentation,
routines in place, etc.

I would say you could probably get down to 1% of the normal work of becoming
PCI-compliant by:

a) Getting rid of the whole hardware part of the problem by using EC2 and
free-riding on the work already carried out by Amazon. Just make sure to use
Two-Factor Authentication to access your EC2 instance.

b) Using an open-sourced PCI-compliant isolated component which only handles
the two bare-minimum features it needs to do, which are "encrypt and store card
data" and "decrypt card and process payment via PSP".

------
lucaspiller
This is the first time I've heard of Spreedly. I'm not 100% sure what it is,
but it sounds interesting. At the moment we are looking to move from one
payment gateway to another (both supported by Spreedly). Am I correct in
saying that if we were using Spreedly we could do so without changing our
application?

~~~
jusben1369
Correct. It would just be a matter of switching out your payment gateway
credentials. Of course, the assumption is that you were with us from the start
or long enough that we had vaulted your cards. If you're doing a net change
over, we'd have to get your cards from your payment gateway (which, per the
post, they may or may not allow).

------
workhorse
I have been waiting for something like this.

I hope they are working on a JS integration like Stripe has though.

A form POST as their method of integration reduces my confidence level a bit.

~~~
jeffasinger
Why the reduced confidence? Wouldn't a JavaScript solution involve sending the
same information via an HTTP POST?