PCI Compliance in Cloud hosting @ Rackspace Unlocked 2014
Last week I was invited to present a case study about PCI compliance in the cloud as part of the eCommerce track at the Rackspace Unlocked 2014 conference in London.
The conference set out to explore the innovations and challenges brought by cloud hosting. I chose to present a case study on PCI compliance, which sits squarely where hosting and security meet.
PCI Compliance
To give some background, PCI SSC stands for "Payment Card Industry Security Standards Council". It is an international body formed in 2006 by the major card brands (the first version of the Data Security Standard itself dates from 2004) which maintains the standards, tools and assessment programmes that help merchants and service providers handle cardholder data safely.
The council publishes the PCI DSS (Data Security Standard), which sets out the requirements merchants and service providers must meet, covering prevention, detection and an appropriate response to security incidents. Merchants are classified into four compliance levels, determined mainly by annual transaction volume, while the validation effort (which self-assessment questionnaire applies, and whether an on-site assessment is needed) depends largely on the type of technical integration, e.g. whether card details pass through or are stored in your own systems.
Our Case Study - dlc payment portal
Of our work at Cyber-Duck, the most relevant case study to present at the conference was the project we completed for our client dlc. dlc is one of the largest debt collection companies in the UK, and they approached us to develop a new customer payment portal (the interface that lets customers pay their debts online).
Because the portal processes live card payments, PCI compliance was a critical requirement. The volume of transactions was unknown at the early stages, but we expected it to grow over time as customers adopted the self-serve portal.
We therefore chose Sage Pay's Server inFrame integration, which keeps almost the entire PCI DSS burden with the payment provider. With this iframe-based approach, the form in which users enter their card details is hosted by Sage Pay, and the card data is captured and stored on Sage Pay's servers. Our application only registers the transaction with Sage Pay (the customer's details and the amount to pay) and, once the user has submitted their card details, receives back the status of the payment (approved or declined) together with the extra security results (address check, CV2 check, 3D Secure). At no point does our application need to see or store card details. This simplifies our coding and testing, and the level of compliance required is minimal: a self-assessment questionnaire plus quarterly external vulnerability scans. Minimal is not none, though: the page that embeds the iframe is still served by us, so a compromised web server could substitute a malicious frame, which is why the hosting hardening described below still matters.
This option also delivers a good user experience: the payment form is embedded in the main dlc website, so customers never leave the site, even at the checkout stage, and the form matches dlc's style and branding, which increases trust.
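The callback side of the hosted-form flow described above, as an added example that is neither code from the original post nor Sage Pay's own protocol: the merchant registers a transaction, the gateway later posts the outcome, and the handler verifies the message before recording anything. The HMAC-SHA256 signature scheme, the field names, the shared secret and the sample notification are all constructed assumptions for illustration (Sage Pay's real notification uses its own signature format). The security points it demonstrates are the ones that keep the integration out of scope: constant-time signature checking, rejecting unknown transactions and amount mismatches, ignoring retried or replayed notifications, and refusing to store (or even accept) cardholder fields.

```python
import hashlib
import hmac

# Shared secret the gateway would issue to the merchant (constructed value for this example).
GATEWAY_SECRET = b"example-shared-secret-change-me"

# Result fields the merchant may retain. PAN, CV2 and expiry date are deliberately absent:
# the hosted form keeps them on the gateway's side, and nothing here will store them.
RETAINED_FIELDS = frozenset({
    "VendorTxCode", "Status", "Amount", "TxAuthNo",
    "Last4Digits", "CardType", "AVSCV2", "3DSecureStatus",
})

# If any of these ever turn up in a notification, cardholder data has reached our server,
# which is a scope violation worth rejecting and alerting on.
CARDHOLDER_FIELDS = frozenset({"CardNumber", "CV2", "ExpiryDate"})


def canonical_string(fields):
    """Deterministic serialisation of the notification, excluding the signature itself."""
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "Signature")


def sign(fields, secret):
    """HMAC-SHA256 over the canonical string (assumed scheme, not Sage Pay's)."""
    return hmac.new(secret, canonical_string(fields).encode("utf-8"), hashlib.sha256).hexdigest()


class PaymentLedger:
    """Stand-in for the merchant's transaction table."""

    def __init__(self):
        self.registered = {}  # VendorTxCode -> amount we asked the gateway to collect
        self.settled = {}     # VendorTxCode -> retained (non-cardholder) result

    def register(self, vendor_tx_code, amount):
        # Step 1: our server registers the transaction; the gateway returns the frame URL.
        self.registered[vendor_tx_code] = amount

    def handle_notification(self, notification, secret=GATEWAY_SECRET):
        """Step 2: the gateway posts the outcome. Returns the verdict we would answer with."""
        if CARDHOLDER_FIELDS.intersection(notification):
            return "REJECT"  # cardholder data must never reach this server
        expected = sign(notification, secret)
        supplied = notification.get("Signature", "")
        if not hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8")):
            return "INVALID"  # forged or corrupted; constant-time compare
        code = notification.get("VendorTxCode")
        if code not in self.registered:
            return "INVALID"  # we never asked for this transaction
        if notification.get("Amount") != self.registered[code]:
            return "INVALID"  # amount differs from what we registered
        if code in self.settled:
            return "DUPLICATE"  # gateway retry or replay; do not record it twice
        self.settled[code] = {k: v for k, v in notification.items() if k in RETAINED_FIELDS}
        return "OK"


if __name__ == "__main__":
    ledger = PaymentLedger()
    ledger.register("DLC-000123", "125.00")
    # Constructed notification, as the gateway would post it once the user submits the form.
    callback = {
        "VendorTxCode": "DLC-000123", "Status": "OK", "Amount": "125.00",
        "TxAuthNo": "7654321", "Last4Digits": "4242", "CardType": "VISA",
        "AVSCV2": "ALL MATCH", "3DSecureStatus": "OK",
    }
    callback["Signature"] = sign(callback, GATEWAY_SECRET)
    print(ledger.handle_notification(callback))  # OK
    print(ledger.handle_notification(callback))  # DUPLICATE
```

The amount check matters as much as the signature: a valid, signed notification for a different (smaller) amount is still a fraud if it is accepted against the original registration, and comparing the amount strings exactly avoids floating-point surprises.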
Cloud Hosting Security
The required quarterly vulnerability scans are performed by SecurityMetrics, an Approved Scanning Vendor, which reports findings using the industry-standard CVSS scoring system. Any finding with a CVSS score of 4.0 or higher causes the scan to fail the compliance requirement. The report gives enough detail to update or upgrade the affected code, or to adjust server and firewall settings, so that each vulnerability is closed before the re-scan.
To manage these settings and security requirements we used the following architecture, which we would recommend for any similar project:
- a load balancer holding the TLS (SSL) certificate, so that all traffic between the user and the entry point to our servers is encrypted; because TLS terminates at the load balancer, traffic from it to the web servers should travel only over the provider's private network, never the public interface
- one or more High Performance Cloud Server instances, each running an iptables firewall (or ufw), with monitoring tools alerting on high load or failure, and a daily backup of the full server image
- a Cloud Database instance reachable only from the web server(s) over the private network (no public IP, no access from the outside world), also backed up.
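The host firewall half of that architecture, as an added example and not configuration from the dlc project: a POSIX shell function that renders an iptables-restore ruleset for one web server so that only the load balancer can reach the application ports, only an approved range can reach SSH, the database is reachable solely as an outbound connection to its private address, and everything else is dropped and logged. The load balancer, admin and database addresses are placeholders from documentation ranges, and the port numbers (MySQL on 3306, TLS terminated at the load balancer so the app listens on 80 and 443 only for it) are assumptions about a typical deployment.

```sh
#!/bin/sh
# Render an iptables-restore ruleset for a PCI-scoped web server (constructed example).
# Usage: ./webfw.sh <lb-source> <admin-cidr> <db-private-addr> [--apply]
set -eu

render_web_ruleset() {
    lb_src="$1"      # address the load balancer connects from (its private-network side)
    admin_src="$2"   # CIDR allowed to reach SSH (bastion host or office range)
    db_dst="$3"      # private address of the Cloud Database instance
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and already-established flows
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# application traffic only from the load balancer; nobody else can talk to the app directly
-A INPUT -s ${lb_src} -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s ${lb_src} -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# administration only from the approved range
-A INPUT -s ${admin_src} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# rate-limited log of what is dropped, so the monitoring trail exists (PCI DSS requirement 10)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-in: "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# database only over the private network, and only as an outbound connection from this host
-A OUTPUT -d ${db_dst} -p tcp --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
# DNS, NTP (clock synchronisation is itself a PCI DSS requirement) and HTTPS to the payment gateway
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-out: "
COMMIT
EOF
}

if [ "${4:-}" = "--apply" ]; then
    # Applying replaces the live ruleset atomically; keep 'iptables-save' output first to roll back.
    render_web_ruleset "$1" "$2" "$3" | iptables-restore
else
    render_web_ruleset "${1:-10.0.0.5/32}" "${2:-203.0.113.0/24}" "${3:-10.0.1.7/32}"
fi
```

Render it first and read the output; only then re-run with `--apply` from a session you can recover if SSH is cut off. The default-drop OUTPUT chain is what makes the scan-fixing loop cheap: an unexpected service listening on the box cannot be reached from the internet, and a compromised process cannot call home except over the few ports listed.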
The result has been live at https://mydlc.co.uk since the end of 2013. Usage has grown by more than 200% compared with the previous system, and over 65% of all payments are made from mobile and tablet devices, which confirms our strategy of delivering responsive web design on every project for our clients: you simply cannot ignore the mobile traffic trend any more!
The full set of slides from the case study is embedded below, or available online:
Other interesting topics from the conference
After my talk I was able to attend the rest of the presentations. Cloud trainer Nikki Tirado gave a live demonstration of Rackspace's AutoScaling feature. It lets you schedule new server instances to be spun up when a traffic peak is expected. It requires a load balancer to direct the traffic, and the scheduler then automatically adds or removes servers to handle the extra load during the defined periods.
For small businesses and start-ups, however, traffic peaks are not always expected and cannot always be scheduled. Simone Soldateschi addressed this with a script that uses the Rackspace Cloud API to retrieve server health metrics (CPU usage, disk space) and then calls the AutoScaling tools to add servers automatically as visitor numbers rise. This covers the cases where a new product gets picked up by a popular blog or goes viral on a social network, with no warning to the provider. I cannot wait for this script to be released as open source later this year.
Soasta also demonstrated their software for working out what your cloud infrastructure actually needs. Using an incremental load-testing script, it tracked in real time the errors occurring as traffic increased. By determining the breaking point of your site (the traffic it can handle), you can decide where to optimise resource-intensive processes and how to configure your auto-scaling policies to cope with those peaks. We only saw a brief demo and I have not used it in production myself, so I cannot comment further, but it looked very useful.
Towards the end of the day I attended the Big Data track and learnt a bit more about Hive and Hadoop, which Rackspace are starting to support. Big Data has been a buzzword for years, and it will be good for Rackspace (and other providers) to make it more accessible to smaller businesses in the cloud. They are working with Hortonworks, who provide the data platform and support for the software.
Overall it was a very good day promoting Rackspace's products and services to partners. Sharing our case study gave us time to discuss with other businesses their experience of Rackspace and of hosting challenges in general, which I'm sure will be useful for future projects!