Another fine Munich evening. I was sitting in a small cafe near the opera house sipping an espresso and enjoying the last few fleeting days of a pleasant autumn evening before the cold of winter sets in. On the menu is the standard Bavarian fare along with a smattering of German, French and Italian wines and imported Italian coffee (honestly, I’ve become so addicted to this Lavazza Oro stuff that I now order it from Amazon instead of settling for any other brand). It seems so natural that all of these things could be found together in one of Europe’s great cities. So why does it continue to be more difficult to purchase things across geographical boundaries via a web site than through more traditional brick-and-mortar channels? Is eCommerce failing to live up to the promise it has for consumers across the continent?
Anyone who has ever been through the process of gaining PCI compliance for an eCommerce site can certainly understand the challenges and vagaries of successfully navigating the compliance process. Those who haven’t been through this, well, let me just say that the process is complex, subject to individual interpretation of PCI requirements and always takes longer to complete than estimated.
The process was much simpler when the technology infrastructure was in-house, or at least in a dedicated cage in a third-party facility, and companies had complete control over exactly what was running on which servers and how those servers were connected to the outside world. In order to stay competitive, companies began to switch to virtual-machine-based architectures, which allowed a tremendous amount of flexibility but had the unfortunate side-effect of making PCI compliance even more difficult to attain, especially when it comes to knowing exactly where cardholder data is stored.
In the current PCI DSS specification (v1.2), there are certain challenges around using VMs, but these are largely minimized if the VM infrastructure is completely owned and managed by the party seeking compliance. In today’s world of on-demand computing, particularly for eCommerce sites with short-duration traffic peaks, using cloud services such as Amazon EC2 is an efficient and cost-effective solution. Moving an application that processes cardholder data from a privately managed environment to a third-party cloud, however, is fraught with PCI issues.