I have read a few articles that say in order to have a PCI compliant cloud solution you need to have a private cloud environment and cannot use google app engine. Is it possible to create a PCI compliant website that specifically stores credit card information and personal user data in a google app engine application? Please list factual, non-esoteric reasons why this may not be possible, or a list of high-level tasks/directives that would need to and can be done by an app engine developer.
You are better off asking the folks at GAE than us. IMO storing credit card data on a public cloud based hosting environment is not secure, nor should it be a desirable solution. It may be possible however to work with a PCI compliant merchant processor and allow them to deal with the headache of securely storing CC numbers. The PCI compliance requirements are much less stringent if you are merely passing credit card data along to a merchant processor rather than storing it. I will be interested to see what answers others have to share. – maple_shaft Jan 20 '12 at 14:56
I will see how the thread goes here before bumping up the question to the GAE team. Our needs require us to store card data for future use, although we only store it to later pass it along to PCI compliant processors. We are actually reviewing token options (they store it, we have a key to reference it) with the processors at present, but I still felt this question was worth asking the SO community at large. – MindWire Jan 20 '12 at 15:09
It is a good question, I just don't feel qualified to answer it. We are currently using the token option but we STILL aren't PCI compliant because of lazy security policies by the data center of our hosting provider. Your hosting provider has to be able to prove certain security policies and measures for even a token-pass system to be compliant, so it may be entirely out of your hands. We are currently looking for new hosting and we were curious about the benefits of cloud hosting as well. No matter what you do however, your hosting provider has to claim support of PCI compliance. – maple_shaft Jan 20 '12 at 15:20
"No matter what you do however, your hosting provider has to claim support of PCI compliance." ... sounds like a show stopper for google app engine for now. – MindWire Jan 23 '12 at 21:30
3 Answers
It might be interesting to know that Google Cloud Platform has recently become PCI DSS certified. Since Google App Engine is built on it I assume it should be "safe" to use it as well.

dim
"No matter what you do however, your hosting provider has to claim support of PCI compliance."... per @maple_shaft

MindWire
Doing PCI compliance all by yourself is woefully difficult. The details are available here.
The most common pattern for payments on App Engine is to utilize a payment gateway which bears the onus of PCI compliance.
Typically, these services provide you with an authorization token to correlate with users that you can use in order to create payments.
Popular Python Gateways
Here are some links to payment gateways to get you started.

mvanveen
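The token-only pattern this answer describes, as an added example that is not part of the original answer or of any gateway's SDK: the processor (here a constructed `FakeGateway` stand-in) keeps the card number and hands back an opaque token, the application's own datastore holds only that token plus display data, and a Luhn-based guard refuses to persist anything card-number-shaped so a misconfigured gateway cannot silently pull the app back into PCI scope.

```python
import re
from dataclasses import dataclass

def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used here only to recognise card-number-shaped data."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

PAN_RUN = re.compile(r"\d[\d -]{11,21}\d")  # digit runs with optional separators

def looks_like_pan(value: str) -> bool:
    """True if value contains a 13-19 digit Luhn-valid run (a probable PAN)."""
    for m in PAN_RUN.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False

class FakeGateway:
    """Constructed stand-in for the processor: it vaults the PAN, we get a token."""
    def __init__(self):
        self._vault = {}
    def tokenize(self, pan: str, exp: str) -> str:
        token = "tok_%06d" % (len(self._vault) + 1)
        self._vault[token] = (pan, exp)
        return token
    def charge(self, token: str, cents: int) -> bool:
        return token in self._vault and cents > 0

@dataclass
class StoredPaymentMethod:
    user_id: str
    gateway_token: str  # correlates this user with the card held at the gateway
    last4: str
    brand: str

def store_payment_method(gw, user_id, pan, exp, brand):
    """Tokenize at the gateway, then persist only the token and last four."""
    pan = re.sub(r"[ -]", "", pan)
    record = StoredPaymentMethod(user_id, gw.tokenize(pan, exp), pan[-4:], brand)
    for value in vars(record).values():  # guard: no PAN may reach our datastore
        if looks_like_pan(str(value)):
            raise ValueError("refusing to persist card-number-shaped data")
    return record
```

Later charges call `gw.charge(record.gateway_token, cents)`, so the application never needs the card number again.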