
AWS Achieves PCI DSS 2.0 Validated Service Provider Status - bpuvanathasan
http://aws.typepad.com/aws/2010/12/aws-achieves-pci-dss-20-validated-service-provider-status.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+AmazonWebServicesBlog+(Amazon+Web+Services+Blog)
======
sachinag
I ran down the implications of this: [http://blog.meatinthesky.com/pci-compliance-in-the-cloud-thi...](http://blog.meatinthesky.com/pci-compliance-in-the-cloud-this-changes-ever)

~~~
storborg
You seem to assert that almost every startup that accepts credit cards is not
PCI compliant, and further, operates on an environment which at times in the
past has been known to be moderately insecure (e.g. hypervisor attacks).
That's a pretty bold claim. Do you have any evidence to back it up? (e.g. name
companies which are knowingly operating without PCI compliance when they're
required to have it)

~~~
sachinag
I'm saying every startup that hosts their checkout pages in the cloud is - by
definition - in violation. If you know a startup that accepts credit cards and
doesn't have the secure server that accepts the credit card input on a rack
somewhere - whether in their office, in their apartment, in a colo, or
whatever - then that startup is, _by definition_, not PCI compliant.

There is a simple and easy way to get into compliance without moving your host
- use hosted payment pages. PayPal, Recurly, Braintree, and the other top-tier
providers all have hosted payment pages.

Every startup I have been employed by or consulted for w/r/t payments either
has a physical box or uses hosted payment pages.

~~~
storborg
Right, so do you know of any that are in violation?

I know of a bunch of startups that use a hosted page (e.g. Paypal, Google
Checkout, authorize.net SIM, whatever), and a bunch of startups that host
their main site in the cloud but have a physical server for accepting CCs, but
I don't know of any that accept CCs directly on a VM. I'd be pretty surprised
to hear about it.

------
harper
This is great. I can't wait for the other vendors to follow suit.

