I'm helping a client evaluate a different architecture for their site. At the moment they have a managed dedicated server hosting a site that accepts credit cards for certain transactions. I'm wondering if it's possible to store tokenized payment data in a cloud-hosted database or whether this is not PCI-compliant.
Having recently experienced a catastrophic loss of all data, the client learned that their contingency plans were too slow -- they lost 24 hours of data because of the slow data restore procedures. We have started to discuss the possibility of using Rackspace's cloud products to host the site. E.g.:
Option 1:
* application (the PHP website) runs on a Cloud Server
* database hosted by a Cloud Database instance
* another Cloud Server performs image import routines with partner sites (must talk to the database and deliver resized images to a content delivery network)
The problems with this option are that:
1) Rackspace says that Cloud Servers are not PCI compliant, presumably because they run on shared hardware. I've been told that these cloud servers are therefore "not auditable" or something.
2) While we do not store any credit card numbers in our database, we do store tokenized references to this information. That is to say, we store a customer profile id (customer id) and a customer profile payment id (customer credit card id) that correspond to data stored by our transaction gateway provider. These tokenized references are meaningless integers unless you also have the account id and API transaction key we use to interact with our transaction gateway. If you have both the API credentials (stored in a PHP file on our application server) and the tokenized account references, then you can actually take people's money.
Because Rackspace says the cloud servers are not PCI-compliant, this suggests we can't use option 1 because we would be using a Cloud Server to terminate our HTTPS connections and collect credit card data.
Option 2:
* dedicated managed server hosts the application server
* database is either the Cloud Database service as above OR we host MySQL on the dedicated server with a Cloud Server replicating the live data as a slave
* Cloud Server performs image import routines blah blah blah
In this situation, we'd still have dedicated/managed hardware as our HTTPS endpoint and would therefore be PCI-compliant in that respect, but we are still storing this tokenized customer payment data in cloud (i.e. shared-hardware) environments. Is that acceptable? Is this tokenized data considered "sensitive"?
Any thoughts on PCI compliance are welcome. Any thoughts on the data pathways in the above architecture are also welcome.
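One way to shrink the exposure described in point 2 (a copy of the cloud database plus the API credentials is enough to charge cards), shown as an added example that is not part of the question or of any Rackspace product: encrypt the token pair in the application before it reaches the cloud database, with the key kept only on the dedicated server next to the gateway credentials. The key file path, function names and id values are assumptions; the code needs PHP 7.2+ with the sodium extension.

```php
<?php
// Added example: store only ciphertext of the tokenized references in the
// cloud-hosted database. The key (like the API credentials) lives on the
// dedicated server, so a copy of the cloud DB alone yields neither.
declare(strict_types=1);

// Hypothetical: key read from a file outside the web root on the dedicated
// server, never from the cloud database or the application's source tree.
function loadTokenKey(string $path): string
{
    $key = file_get_contents($path);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('token encryption key missing or wrong length');
    }
    return $key;
}

// Encrypt (customer profile id, payment profile id) before the INSERT.
// Fresh random nonce per record, stored with the ciphertext; base64 so the
// result fits an ordinary VARCHAR column.
function sealPaymentRef(int $customerProfileId, int $paymentProfileId, string $key): string
{
    $plain = json_encode(['cp' => $customerProfileId, 'pp' => $paymentProfileId]);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
}

// Decrypt on the dedicated server only, right before the gateway call.
// Returns null if the row was altered or was encrypted under another key.
function openPaymentRef(string $stored, string $key): ?array
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        return null; // authentication failed: do not call the gateway
    }
    $ref = json_decode($plain, true);
    return ['customer_profile_id' => $ref['cp'], 'payment_profile_id' => $ref['pp']];
}

// Constructed usage: a random key stands in for the file-backed one.
$key    = sodium_crypto_secretbox_keygen();
$stored = sealPaymentRef(1234567, 9876543, $key);                   // written to cloud DB
var_dump(openPaymentRef($stored, $key));                            // ids recovered
var_dump(openPaymentRef($stored, sodium_crypto_secretbox_keygen())); // NULL: wrong key
```

This does not by itself settle the PCI scoping question for the cloud database; it only means that a leaked copy of that database no longer contains usable gateway references.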