undefined | Better HN

0 pointswepple7y ago0 comments

I’m curious, what’s wrong with storing this type of data in a cloud provider?

Also, security aside wouldn’t a16z have invested because the business isn’t “do it more securely”, but “outsource PCI compliance entirely”?

0 comments

raesene97y ago

If by outsourcing PCI compliance entirely, they mean "ensure you don't store cardholder data by tokenizing it and we store the real stuff" this is very much not a new solution, so I'd struggle a bit to see the value of a new entrant.

There's already quite a few payment gateways where an e-commerce site can iFrame the payment page (or similar) to ensure that they never see the real cardholder data.

(the fact that this shouldn't really make them out-of-scope for PCI is a different problem)

twelve407y ago

This is not a payments gateway. We use them for something entirely different than processing payments or credit cards. I haven't seen a general PCI-compliant transparent PII tokenizer proxy service like that. If you know of one, let me know, maybe we'll even switch. But this is not a payment gateway solution, and it's offering many more use cases than an iframe or credit cards.

nodesocket7y ago

I can think of a few:

  1.) Shared resources, and exploits like meltdown and spectre 
  2.) Cloud provider employees potentially have access
  3.) Cloud providers are subject to law enforcement requests

However, there are benefits. Typically Google Cloud for example is going to have much better systems and security that a home-rolled data center setup. They've been working on it for years and essentially have unlimited resources (time and capital).

j / k navigate · click thread line to collapse