
Amazon Confirms EC2/S3 Not PCI Level 1 Compliant - nreece
http://developer.amazonwebservices.com/connect/message.jspa?messageID=139547#139662
======
jrockway
Hopefully this will discourage people from storing credit card data. I would
much rather buy something from you via Paypal, Google, or Amazon than give you
my information directly. It is easier for me, and safer for you.

------
mahmud
It's clearly specified in the requirements that you need a dedicated host, and
if you want to do Sarbanes Oxley or HIPAA compliance you will need your server
to be in a certified data center.

No VPS account can ever qualify, and that's the reason why we're on a $500+
standalone host at some fed-approved data center instead of getting the
biggest bang for our buck and getting a slice or a linode account.

~~~
mseebach
Wouldn't it be pretty simple to provide this as a service? Even if you want an
amazon-like "we stored your credit card data" service, just have a third party
store them, and give you a handle for each card, that can only be used with a
specific merchant ID. That handle is worthless in the hands of a hacker.

If this doesn't exist, I smell an opportunity.

~~~
mahmud
_If this doesn't exist, I smell an opportunity._

You smell right.

<http://news.ycombinator.com/item?id=767509>
<http://news.ycombinator.com/item?id=765950>

Hello mseebach and welcome to the club, I am one of your would-be competition
;-)

I do it for healthcare records, credit card records will require a change in
our press releases ;-)

~~~
mseebach
Sounds interesting... I don't understand, however, how your health record
services would compete with a credit card processing service? Short of something
costing an arm and a leg? :)

But to recap the idea -- people become PCI certified because they need to
store a credit card number for recurring charges. There are services for
subscription-type recurring charges, e.g. same amount every X period, but no
service where a credit card number can be stored and then charged an arbitrary
amount non-periodically? E.g. toll roads with an RFID in the car, AWS
usage-dependent charges or Amazon-like "store-your-credit-card" webshops ..

Are there any other reasons to become PCI certified, short of actually being
in the CC business? I guess people are comfortable enough being redirected to
a payment window on a third party website, so transmitting is not an issue.

~~~
tjriley82
If you have a "continuous authority" facility enabled on your merchant account
you can make arbitrary charges on card numbers authorised and stored by your
payment processor. CA doesn't seem too hard to acquire, at least here in the
UK it was easier than we expected at worldonahanger.com. The downside with
this approach is that in the event that you want to switch payment processors,
you have to ask your customers to resubmit their card details for
reauthorisation (as far as I can tell).

~~~
mseebach
Yeah, that sounds about right. There's apparently also something called
"pre-registered card". So, no business idea here :)

EDIT: [http://www.braintreepaymentsolutions.com/credit-card-storage...](http://www.braintreepaymentsolutions.com/credit-card-storage/)

------
jay_kyburz
Anybody have a good link about what PCI compliance is, why I need it and how I
get it?

~~~
charliepark
Braintree (a payment processor I use and highly recommend) has a number of
resources (videos, articles, etc.) at their blog
(<http://www.braintreepaymentsolutions.com/blog>). Look on the left-hand side
for the PCI-specific resources, or use the search bar on the right for their
blog archives.

------
seriouslyrad
I was about to point out what other people have too: why would you store CC
data? And if you did, you wouldn't even consider storing it in the cloud
anyway.

~~~
mgrouchy
One reason why a company would want to store credit card data is to make it
easier for returning customers to purchase things. Besides the fact that I am
paranoid, the reason why I don't keep my cc data with amazon is that I know
that if I log into my amazon account and all it takes is 1 click for me to buy
something I will be even poorer than I already am in no time.

People buy more stuff when you reduce the barriers of entry on a purchase.

Why you would store CC data in the cloud, that I don't know, but I guess if it
was a secure and reliable service, why not?

~~~
bensummers
If you want to do recurring payments, gateways will give you a transaction ID
you can store instead of the CC number. Then, when you want the next payment,
you give them the ID and ask for more money.

You don't have to store the details at all, but you can do everything through
your site without handing the user off to a third party.
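
An added example, not code from anyone in this thread, sketching both ideas at once: mseebach's "handle per card, usable only with one merchant ID" vault above, and the "store a reference instead of the CC number" approach bensummers describes. The `CardVault` class, its methods and the test card number are assumptions of the example; a real processor's API will differ.

```python
import secrets
from dataclasses import dataclass

def luhn_ok(pan: str) -> bool:
    """Luhn checksum; rejects mistyped numbers before anything is stored."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class CardVault:
    """Hypothetical vault (the only PCI-scoped component). It alone sees full PANs;
    merchants get an opaque token that is bound to their merchant ID."""
    def __init__(self) -> None:
        self._cards: dict[str, tuple[str, str]] = {}   # token -> (merchant_id, pan)

    def tokenize(self, merchant_id: str, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        token = secrets.token_hex(16)       # random: reveals nothing about the PAN
        self._cards[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        """Arbitrary, non-periodic charge (usage-based billing) against a stored card."""
        owner, pan = self._cards[token]     # KeyError for an unknown token
        if owner != merchant_id:
            # A token leaked from merchant A is useless to anyone else.
            raise PermissionError("token was not issued to this merchant")
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        return {"approved": True, "amount_cents": amount_cents, "card_last4": pan[-4:]}

@dataclass
class CustomerRecord:
    """What the merchant keeps: a token and display digits, never the PAN."""
    customer_id: str
    card_token: str
    card_last4: str

def enroll_customer(vault: CardVault, merchant_id: str, customer_id: str, pan: str) -> CustomerRecord:
    return CustomerRecord(customer_id, vault.tokenize(merchant_id, pan), pan[-4:])

if __name__ == "__main__":
    vault = CardVault()
    # Constructed sample: a standard test card number, not a real card.
    rec = enroll_customer(vault, "merchant-A", "cust-42", "4111111111111111")
    print(vault.charge("merchant-A", rec.card_token, 1999))
```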

------
ivankirigin
Ha! Goes to show that regulations don't mean much. I'm sure millions of credit
cards are stored in ec2.

