
CloudFlare is PCI certified - jgrahamc
http://blog.cloudflare.com/cloudflare-is-pci-certified
======
rdl
This is pretty important for a network service which is inherently inline for
all your traffic. It isn't so important for something like a video cache
(which I don't think CloudFlare even supports), but for DDoS protection and
services like that, I don't think I'd want to use a non-PCI certified service
even if I weren't required to.

~~~
nknighthb
> _a video cache (which I don't think CloudFlare even supports)_

Why wouldn't it?

Here's your basic HTTP Live Streaming server, it can serve VOD or live events
to dozens, perhaps hundreds of users:

cd /path/to/video/and/m3u8 && python -m SimpleHTTPServer 8000

Done.

CloudFlare caches HTTP objects, therefore CloudFlare caches video.
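As an added illustration of the point above (not nknighthb's one-liner, and not CloudFlare's or any CDN vendor's code), here is the same static HLS origin in Python 3 with explicit Cache-Control headers, which is what a CDN in front of it keys its caching on. The TTL values, the media types, and the choice to mark every unrecognised object `private, no-store` are assumptions made for this example.

```python
import functools
import http.server
import os
from urllib.parse import urlsplit

# Assumed cache policy (not CloudFlare's own rules): a live playlist is
# rewritten every few seconds, a finished segment never changes, and
# anything else must not be stored by a shared cache.
CACHE_POLICY = {
    ".m3u8": "public, max-age=2",
    ".ts": "public, max-age=31536000, immutable",
}


def cache_control_for(request_path: str) -> str:
    """Pick the Cache-Control value for a request path (query string ignored)."""
    path = urlsplit(request_path).path
    ext = os.path.splitext(path)[1].lower()
    # Unknown objects (directory listings, JSON, HTML) default to uncacheable so
    # a per-user response is never served from the CDN to a different user.
    return CACHE_POLICY.get(ext, "private, no-store")


class HLSHandler(http.server.SimpleHTTPRequestHandler):
    # Correct media types so the CDN and the player treat the objects as HLS.
    extensions_map = {
        **http.server.SimpleHTTPRequestHandler.extensions_map,
        ".m3u8": "application/vnd.apple.mpegurl",
        ".ts": "video/mp2t",
    }

    def end_headers(self):
        # Attach the policy to every response, error pages included.
        self.send_header("Cache-Control", cache_control_for(self.path))
        super().end_headers()


def serve(directory: str, port: int = 8000):
    """Serve `directory` as an HLS origin on all interfaces (Python 3.7+)."""
    handler = functools.partial(HLSHandler, directory=directory)
    with http.server.ThreadingHTTPServer(("", port), handler) as httpd:
        httpd.serve_forever()


if __name__ == "__main__":
    serve(".")
```

Run it from the directory holding the playlist and segments; the playlist stays fresh at the edge while segments are cached for as long as the CDN keeps them, and anything that is not a media object is left uncached by default.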

~~~
jacquesm
Except that according to [https://support.cloudflare.com/hc/en-us/articles/200168476-H...](https://support.cloudflare.com/hc/en-us/articles/200168476-Hosting-Partner-Frequently-Asked-Questions) that isn't
true:

CloudFlare is not suitable for websites that stream video or audio directly
from their origin server. If a website uses YouTube or Vimeo for the videos
embedded on your website, then that is compatible with CloudFlare. Streaming
content should be on a subdomain CloudFlare doesn't touch, if a customer would
still like to speed up the rest of their site.

------
pothibo
How serious is that certification? Is it a bureaucracy certification with some
vintage requirements or is it something that keeps adapting to the changes in
the technology environment?

~~~
falcolas
PCI is a voluntary certification which is more or less toothless. You can pass
a PCI, and still be terribly vulnerable in a myriad of ways.

Also, PCI certification of the environment doesn't make you, the end user, PCI
certified.

~~~
adrr
PCI is always done on scope: what part of the system the PANs are touching. So
your CDN is just one part of where PANs can pass through, and next is the
system that sends it out to the network. And if you store the PAN, then the
DB.

Also, it's not voluntary; your merchant account will enforce it. PCI is all self
assessment till you hit level 1, then you have to bring an auditor in and
they'll go over all your systems that handle the PANs and ensure they are PCI
compliant. It's not an easy task. PCI 3.0 is coming out, which helps deal with
Target-like breaches by ensuring compliance continuity, so it's no longer a
point in time like the past.
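Scoping, as described above, comes down to finding every place a PAN actually flows. One way to check whether a log (and so the host writing it) has crept into scope is a PAN discovery scan: match digit runs, keep only those passing the Luhn check, and report them masked. This is an added example, not adrr's code or anything from the PCI DSS itself; the log lines are constructed for it and the 13-19 digit range and separator handling are assumptions.

```python
import re

# Constructed sample log lines (assumption: not from any real system). A line
# carrying a full PAN puts this log, and the host that writes it, in PCI scope.
SAMPLE_LOG = """\
2015-01-01T10:00:00Z GET /checkout status=200 user=alice
2015-01-01T10:00:01Z POST /pay card=4111111111111111 exp=12/19 status=ok
2015-01-01T10:00:02Z GET /order/1234567890123456 status=200
2015-01-01T10:00:03Z POST /pay card=5500 0000 0000 0004 status=declined
2015-01-01T10:00:04Z GET /static/app.js etag=1234-5678-9012-3456 status=200
"""

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters most order numbers, ETags and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid candidate card numbers found in text, digits only."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep first six and last four digits so a finding can be reported without copying the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(text: str) -> list:
    """Map a log to (line number, masked PAN) findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pan in find_pans(line):
            findings.append((lineno, mask(pan)))
    return findings


if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: PAN {masked} -> this log is in PCI scope")
```

On the sample, only the two card fields are reported; the order number and the ETag are digit runs of the right length that fail Luhn. Luhn still passes roughly one random digit run in ten, so treat the output as triage input rather than proof, and fix the logging at the source rather than scrubbing the log afterwards.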

------
grandalf
This is great news, but it does not necessarily mean that an e-commerce site
hosted on CloudFlare can be PCI DSS 3.0 Level 1 compliant.

Also, it quite likely does not mean that (as of Jan 1 2015) any e-commerce
site hosted on Cloudflare will be able to pass the PCI DSS Level 3 SAQ A-EP.

------
god_bless_texas
I thought PCI DSS 3.0 was the new standard?

Isn't certifying to 2.0 like saying you're Windows XP certified?

~~~
WatchDog
PCI DSS 3.0 is a mess at the moment. Under PCI DSS 2.0 merchants can relieve
most of their PCI DSS burden simply by ensuring that the infrastructure and
services that process those payments are PCI certified. The simplest way to do
this is simply redirect the customer to a PCI certified payment gateway.

PCI DSS 3.0 is much more broad and ambiguous; the current interpretation seems
to be that every aspect of a merchant's website and infrastructure needs to be
PCI compliant, regardless of whether it ever sees a credit card or not.

The reasoning for the changes seems to be an increased number of compromised
websites that would normally not accept credit cards directly, but once
compromised the intruder can modify the website as they see fit and fool
customers into providing card details.

As you can imagine, the amount of work and money it would take to certify
every aspect of a merchant's web infrastructure is prohibitive; as a result,
until more clarification arises around the requirements, QSAs are
recommending qualifying under PCI DSS 2.0 rather than 3.0.

