Cloud Services and e-Commerce

A pretty big thing at work is the Payment Card Industry Data Security Standard, hereby referred to as PCI-DSS. It is a set of fairly strict security requirements that anybody wishing to do anything with processing credit cards must abide by. The standard can be summarized with simple rules like have a secure network, do not store things in plain text, use virus scanners and intrusion detection systems, etc.

Every year, the Payment Card Industry Security Standards Council (PCI-SSC) sends a Qualified Security Assessor (QSA) to assess the network for agreement lapses (ANAL). This costs the company millions of dollars on equipment like full-disk encryption, intrusion detection systems and tons of person-hours, but ultimately makes your credit card information safer. Aside from that, there is a fine on the order of $100,000 per month for not being compliant and there is a risk of losing the ability to run transactions at all (although given the volume of transactions that Fiserv does, I would imagine that number might be even larger).

The e-Commerice business has exploded in my lifetime, continues to do well in this economy and is not likely to ever stop growing. On a directly related note, more and more people are building web sites and selling things over the internet. Of these, very few meet PCI-DSS. It shows, too -- around 80% of unauthorized credit card transactions involve small merchants. Many small businesses do not bother with compliance and live with the fines because it is actually cheaper than trying to secure everything (and less effort).

And why should the bother trying to meet some ridiculous standard? It is so easy to hook up transaction processing to your little web server (violation), on the same network you give your employees WiFi with (at least 3 violations), store that information for future use (violation)...well, you get the idea. It is completely unreasonable to expect people to actually read the rules, much less understand them. Even if vendors made perfectly secure software (they don’t), you cannot expect every client to know how to set up an intrusion detection system or have in-depth knowledge of what a good security policy is. You can not even trust that the virus scanner is up-to-date.

Those are the kinds of e-Commerce businesses whose security would benefit the most to moving to a more secure infrastructure like Amazon EC2 or Google App Engine. Not only would the system be more secure, but there are tons of other benefits from maintainability to flexibility. If somebody had a little Python or Java module to drop into a Google App Engine web project, I can almost guarantee that the site would be more secure than if the developer had done the same thing on Bob's Server Farm. But, nobody writes generic cloud-based point-of-sale software. Why? Because it would be impossible for it to meet the PCI compliance standard.

The reason is section 12.8.2 of the PCI-DSS:

Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.

And 12.8.4:

Maintain a program to monitor service providers’ PCI-DSS compliance status.

In short, the cloud service provider must maintain their PCI stamp of approval and they must shoulder some of the responsibility. That rules out Amazon’s EC2: their service agreement specifies that they will take no responsibilities whatsoever. Google says the same thing about App Engine. Microsoft takes a similar stance with Windows Azure (I would link you, but they only offer the ToS in Word documents, which is completely brain-damaged). None of these cloud computing platforms is going to take on the liability of meeting the PCI specification and it is likely that they never will.

Does this mean that cloud computing and e-Commerce are destined to never meet? Not quite - there is always going to be Google Checkout and PayPal. Both of them have very customizable shopping cart implementations and are fully qualified to process credit card transactions. At that point, you are going to have to live with the fairly significant surcharge associated with those services.

Unfortunately, that appears to be the very limit of what is possible on any cloud system. The only possibility of moving away is for a developer to roll their own PayPal which resides on their own PCI-compliant infrastructure. The funny thing about doing something like that is that such a system would probably be less secure than running the same system on the public cloud. Essentially, one would be providing software as a service (SaaS) to a platform as a service (PaaS) on an infrastructure as a service (IaaS) (side note: aren't web acronyms fun?).

Another big issue with providing shopping cart functionality through any PayPal-like system is that it limits you to the web. This is a real shame because the internet has so much more potential. A piece of software like Steam could not exist on the cloud without some extremely clever single-sign on (SSO) hacking. Of course, once you are to the level of a desktop application, you are free to make multiple calls to places all over, but that is a really bad security practice.

My ultimate question is: Who will break, the PCI or a cloud service provider? I very much doubt that the PCI-SSC is going to quickly change their stance on anything, since, like any standards body, they are extremely slow to react (they do not address plain-old virtualization yet). Will one of the existing cloud service providers step up an become PCI-compliant? I highly doubt this as well.

My money is on the problems being solved by Google Checkout, PayPal or some new, but similar, service. I would love to see a web service-based alternative to those services. Combined with the emerging OAuth 2.0, developers could do whatever they want and have it all bundled up in a nice secure package. I really think there is a market for this -- it would open up these fun new elastic hosting solutions to all the Web 2.0 connectivity we have come to love. There is money to be made and it's all pretty exciting.