
Rackspace Unlocked 2014 - Cyber-Duck's PCI Compliance Case Study

Published in: Technology

  1. BUILDING A PAYMENT PORTAL IN THE CLOUD
     12 May 2014. A case study from Cyber-Duck Ltd. Presentation at Rackspace Unlocked.
  2. Hi. I am Sylvain Reiter, Co-Founder and Development Director, @sylvainreiter
  3. PCI Compliance in the Cloud
     • Case study from dlc
     • Project methodology
     • Technological decisions
     • Results
  4. PCI Compliance…
     • Introduced in 2004 as a global body, today PCI DSS 3.0
     • Enforces data security and fraud prevention
     • Affects all businesses processing payments (merchants & service providers)
     • 4 levels of compliance
  5. … in the Cloud
     • Still early days
     • Rapid technological changes
     • Best suited for demanding systems
     • Flexibility of use, ready for production applications
     • logicworks.net
  7. Requirements Gathering
     • Make sure you involve ALL stakeholders
     • Document expected outcomes for all flows
     • Take an agile approach to the timeline
     • Define business and technical requirements early
  8. User Experience Phase
     • Make informed decisions via historical data analysis
     • Mock up user journeys on ALL devices
     • Iterate the prototype with real users’ feedback
     • Carefully optimise the copywriting and ‘Calls to Action’
  9. Technical implementation (1/3)
     • Select a proven and secure framework. We picked the PHP 5.4 Laravel framework.
     • Take an API-driven approach to ensure modularity and easy exchange with external systems. We used an industry-standard RESTful API with XML/JSON.
  10. Technical implementation (2/3)
     • Ensure you have robust and accurate data. We validate every customer record with the back-office system.
     • Store user details as per the Data Protection Act. We only store the users’ details during the checkout process.
  11. Technical implementation (3/3)
     • Delegate PCI to the experts. We use SagePay’s iFrame technology, shifting responsibilities.
     • Add rigorous rules to the payment gateway’s settings. We enforce 3D Secure validation and recommend manual due diligence if addresses mismatch.
  12. Hosting platform features
     • Do not compromise on flexible and secure partners. We use Rackspace’s High Performance Clouds.
     • Delegate the technical support to the experts. Rackspace’s monitoring tools and Fanatical Support give us and our client 24/7 peace of mind.
  13. Hosting platform security
     • PCI compliance requires quarterly vulnerability scans. Security Metrics handles the scans and reports on issues.
     • Private clouds and firewalls protect the data. The database server is not accessible from the outside world, and an IPTables firewall restricts access to the API endpoint.
  14. THE RESULTS
  15. 4 months post launch…
     • 100% uptime on the platform
     • Over 10,000 transactions (228% increase from pre-launch)
     • 40h of agent time per month saved (calls & admin time)
     • Great customer feedback, 44% via mobile
     • Ongoing improvements and new feature developments
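The host firewall design from slide 13 (database server unreachable from the outside world, IPTables restricting who may reach the API endpoint), written out as an added example that is not Cyber-Duck's or Rackspace's own configuration: a POSIX shell script that prints a default-deny iptables ruleset for either host so it can be reviewed before being applied. All addresses, the API port (443) and the database port (3306) are placeholders assumed for this example.

```shell
#!/bin/sh
# Constructed example: print the iptables ruleset for one of the two hosts.
# Nothing is applied here; review the output, then pipe it into sh as root on
# the target host. Addresses and ports below are assumed placeholders.
APP_HOST="10.0.1.10"          # application/API server on the private cloud
MGMT_NET="10.0.9.0/24"        # management network allowed to SSH in
API_CLIENTS="203.0.113.0/24"  # systems allowed to call the API endpoint

gen_rules() {
  role="$1"
  # Default deny for inbound traffic; only explicitly listed flows get through
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT ACCEPT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
  # Administrative access only from the management network
  echo "iptables -A INPUT -p tcp --dport 22 -s $MGMT_NET -j ACCEPT"
  case "$role" in
    api)
      # The API endpoint answers only to the listed client range, so a scan from
      # anywhere else sees a closed port rather than the application
      echo "iptables -A INPUT -p tcp --dport 443 -s $API_CLIENTS -j ACCEPT"
      ;;
    db)
      # The database port is reachable from the application server alone;
      # there is no rule for the outside world at all
      echo "iptables -A INPUT -p tcp --dport 3306 -s $APP_HOST -j ACCEPT"
      ;;
    *)
      echo "usage: gen_rules api|db" >&2
      return 1
      ;;
  esac
  # Log (rate limited) and drop everything else so blocked attempts are visible
  # to the monitoring tools mentioned on slide 12
  echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"FW-DROP: \""
  echo "iptables -A INPUT -j DROP"
}

# Usage on the database host: ./fw-rules.sh db | sh
if [ "$#" -gt 0 ]; then gen_rules "$1"; fi
```

Run with `api` on the application server and `db` on the database server; the quarterly vulnerability scan from slide 13 should then find nothing open beyond what these rules allow.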