Awesome! I imagine this would allow you to use your own merchant services provider instead of paying fees for companies like Stripe. Although, if I have to do online payments in the future, I may use Stripe for ease of use.
The power of this allows companies to use merchant services available to them without having to worry about PCI compliance!
This is the first time I've heard of Spreedly. I'm not 100% sure what it is, but it sounds interesting. At the moment we are looking to move from one payment gateway to another (both supported by Spreedly). Am I correct in saying that if we were using Spreedly we could do so without changing our application?
Correct. It would just be a matter of switching out your payment gateway credentials. Of course, the assumption is that you were with us from the start or long enough that we had vaulted your cards. If you're doing a net changeover we'd have to get your cards from your payment gateway (which, per the post, they may or may not allow).
Cool idea, but something which would be even cooler would be a PCI-DSS compliant "pci-blackbox" which is an isolated open-sourced component you can run in an Amazon EC2 instance, which can store all your encrypted sensitive card data.
That way, you wouldn't rely on any third-party provider, such as spreedly.com.
You have all of the downsides of rolling your own (liability wise) and none of the upsides of using an IPSP (also liability wise), on top of that you'd have an auditing problem. (I presume 'black box' means 'box that performs a service that you can't open up to inspect').
What you are essentially looking for here is called type certification, but type certified hardware is on small to medium volume much more expensive than a service would be. And once you hit larger volumes you're going to be hooking up a much larger number of payment options and your 'black box' will solve only a (small) subset of your needs.
This doesn't solve any of the issues associated with PCI compliance.
Namely: you still have the liability, you still have the maintenance and upkeep of the system, you still have to pay for certification.
The only thing it takes away from you is building the system which, on time and materials basis, is not even close to the real cost of maintaining a PCI compliant system.
This means part of the work is done. Then if the isolated pci-blackbox you are using is also PCI-compliant in how it deals with card data, encryption, hashes, etc., then what is left is not much, basically mostly documentation, routines in place, etc.
I would say you could probably get down to 1% of the normal work of becoming PCI-compliant by:
a) Getting rid of the whole hardware part of the problem, by using EC2 and free-riding on the work already carried out by Amazon. Just make sure to use Two-Factor Authentication to access your EC2 instance.
b) Using an open-sourced PCI-compliant isolated component which only handles the two bare-minimum features it needs to do, which are "encrypt and store card data" and "decrypt card and process payment via PSP".
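A sketch of the two-function component proposed in (b), added here as an illustration; it is not code from the thread, from Spreedly, or from any real product. It assumes Go's standard-library AES-256-GCM for encryption at rest and a caller-supplied callback standing in for the PSP, so the application only ever handles an opaque token and the last four digits.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Vault sketches the isolated "pci-blackbox": the app holds only an opaque token,
// the PAN is AES-256-GCM encrypted at rest and decrypted solely inside the vault.
type Vault struct {
	aead  cipher.AEAD
	store map[string][]byte // token -> nonce || ciphertext
}
// NewVault takes a 32-byte AES-256 key; in practice it would come from a KMS or HSM.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead: aead, store: map[string][]byte{}}, err
}
// Store encrypts the PAN with the token as associated data (records cannot be swapped
// between tokens) and returns the token plus the last four digits for display.
func (v *Vault) Store(pan string) (string, string, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", "", fmt.Errorf("PAN length %d out of range", len(pan))
	}
	buf := make([]byte, 16+v.aead.NonceSize()) // random token || random nonce
	if _, err := rand.Read(buf); err != nil {
		return "", "", err
	}
	token, nonce := hex.EncodeToString(buf[:16]), buf[16:]
	v.store[token] = v.aead.Seal(nonce, nonce, []byte(pan), []byte(token))
	return token, pan[len(pan)-4:], nil
}
// Charge decrypts inside the vault and hands the PAN only to the gateway callback,
// so changing gateways means changing the callback, not the application.
func (v *Vault) Charge(token string, cents int, gw func(string, int) (string, error)) (string, error) {
	rec, ok := v.store[token]
	if !ok {
		return "", fmt.Errorf("unknown token")
	}
	pan, err := v.aead.Open(nil, rec[:v.aead.NonceSize()], rec[v.aead.NonceSize():], []byte(token))
	if err != nil {
		return "", err // a tampered or re-keyed record fails GCM authentication
	}
	return gw(string(pan), cents)
}
```

Call `NewVault` with a 32-byte key, `Store` a PAN to receive a token, then `Charge` the token with a callback that talks to the PSP; the stored record never holds the PAN in clear, and any modification of it is rejected at decryption.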
There are different compliance standards for different types of companies. PCI-DSS, PA-DSS, PTS, ASV, and a couple of others. It's determined by what it is you do with the data.
For instance, my company has software that deals with CC info (PA-DSS), hardware that does (PTS), and we store customer CC data (PCI-DSS).
Make no mistake, PCI compliance is not easy and you have to take it seriously.