On 23/08/2010, at 10:43 PM, Kieran Kelleher wrote:

> ...
> 
> As he said, and based on our average transaction of about $100, "If we get to 
> a level one, we will have enough money to have an OC3 pipe, all the equipment 
> we need and a full IT department!" ....   :-)

That's a good problem to look forward to having :)

> Based on some other internet "research", a possible approach to deal with 
> this scenario might be building a hybrid cloud architecture having most of 
> the deployment in the cloud while having a separate secure webservices 
> application hosted physically and securely inhouse for storing the encrypted 
> cc records and processing the credit card transactions themselves. The 
> remote apps would merely send a request to that internal webservices app 
> where the request might have the CCInfo PK and a transaction amount/id for 
> processing, the cloud app would ping cc webservices app every few seconds for 
> transaction status and finally get the result. Such an approach would 
> compartmentalize PCI in a manageable way it would seem. Of course credit 
> cards would still be submitted through forms in the cloud app, but never 
> stored there, from there it would be encryption of the cc info and 
> transmission back to the internal webservices app for permanent storage and 
> or requests to perform cc transactions.

To achieve what I think you are trying to do, you would need to ensure that the 
cloud app never has access to unencrypted card data, i.e. you should collect and 
encrypt the card data using a form on your inhouse servers.  It's ok for the 
cloud app to handle the encrypted form of the data, provided it has no way of 
decrypting it. If the cloud app collects the card data, it doesn't matter if 
you store it or not, the potential risk of it being exposed by the cloud 
infrastructure is present.

One approach might be to collect the transaction details (amount, etc) in 
the cloud app, hand off the user and a token to the transaction to your inhouse 
app, collect the card data and process the transaction, update the transaction 
status, hand the user back to the cloud app.  It's a similar model to what many 
banks and the likes of PayPal use for handling card processing, your main app 
never needs to know the card details, only that the payment process was 
successful, keep the two operations at arm's length.

-- 
Seeya...Q

Quinton Dolan - [email protected]
Gold Coast, QLD, Australia (GMT+10)
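
An added example, not part of the original message: a sketch of the hand-off described in the reply above, where the cloud app issues a token for the transaction and the in-house app returns only a status. It assumes the two apps share an HMAC key for signing hand-off messages; the key, function names and sample values are hypothetical and constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Assumption: a key shared by the cloud app and the in-house payment app,
# used only to sign hand-off messages. It never protects card data.
HANDOFF_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE = 300  # seconds a hand-off or result message stays valid

def sign(kind, fields, now=None):
    """Serialize fields with a message kind and issue time, append an HMAC tag."""
    msg = dict(fields, kind=kind, issued=time.time() if now is None else now)
    body = base64.urlsafe_b64encode(json.dumps(msg, sort_keys=True).encode())
    tag = hmac.new(HANDOFF_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag

def verify(token, kind, now=None):
    """Return the signed fields, or None if forged, wrong kind or expired."""
    body, _, tag = token.partition(".")
    expected = hmac.new(HANDOFF_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    msg = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if msg["kind"] != kind or now - msg["issued"] > MAX_AGE:
        return None
    return msg

def cloud_start_payment(txn_id, amount_cents, now=None):
    """Cloud app: knows only the transaction details, never the card."""
    return sign("handoff", {"txn": txn_id, "amount": amount_cents}, now)

def inhouse_process(token, card_number, charge, now=None):
    """In-house app: verify the hand-off, take the card, return status only."""
    req = verify(token, "handoff", now)
    if req is None:
        return None
    ok = charge(card_number, req["amount"])  # processor call supplied by caller
    status = "paid" if ok else "declined"
    return sign("result", {"txn": req["txn"], "status": status}, now)

def cloud_finish_payment(result_token, expected_txn, now=None):
    """Cloud app: accept a result only if signed and for this transaction."""
    res = verify(result_token, "result", now)
    if res is None or res["txn"] != expected_txn:
        return "rejected"
    return res["status"]
```

The amount charged comes from the signed hand-off rather than from anything the browser submits to the in-house form, and the result message carries no card fields for the cloud app to store or leak.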




 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list      ([email protected])
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/webobjects-dev/archive%40mail-archive.com
