Ben Cherian’s blog

putting cloud computing to the test

Mosso’s disingenuous PCI-compliance claim


I’m a big fan of RackSpace and their Mosso product. The Mosso team has done a great job by continually tweaking their products to add more functionality and value. They have made intelligent purchases (JungleDisk/SliceHost) and are using their considerable resources to make a lasting impact on the cloud computing landscape. I’ve had the pleasure of working with some of their smart, passionate employees (Rackers) and can personally vouch for their fanatical service. My company, ServiceCloud, has been a RackSpace partner for a couple of years and, when the fit makes sense, we proudly recommend RackSpace/Mosso to our clients.

That being said, I’m disappointed in Mosso for putting out a more-hype-than-substance announcement. Mosso recently announced that they’ve enabled one of their clients to be PCI-compliant on the Mosso cloud. When I saw this, I wondered how it was possible, but as I read closer it became clear that it was just a trick! It seems that their “PCI-compliant” solution requires Mosso not to store any information that requires PCI compliance. Instead they offload the burden of compliance to a third-party payment gateway (Authorize.Net). Chris Hoff and Craig Balding have written excellent articles explaining this trickery.

While what they say in the announcement is technically true, it’s misleading at best and does the fine team at Mosso/RackSpace a disservice. There is enough hype in cloud computing. We expect more from a market leader like Mosso. They clearly don’t need to stretch the truth in order to make news; they should just talk about their real accomplishments.

Update: The General Manager of Mosso, Emil Sayegh, pinged me on Twitter and mentioned that Greg Hrncir, Mosso’s Director of Operations, responded to the criticisms on Craig’s site. There also seems to be a healthy back-and-forth at Hoff’s site. It’s great to see that Mosso is interested in having a dialog about this issue, and I’m looking forward to seeing how this unfolds.

Written by ben

March 15th, 2009 at 10:56 am

Posted in mosso


6 Responses to 'Mosso’s disingenuous PCI-compliance claim'


  1. Thanks Ben for all the compliments, and sincere feedback. We take it to heart. I assure you that we are being transparent, and we made no unfounded claims here. However, it is not a simple feat to get a Cloud Platform to do this.

    For reference, this is the reply from Greg that was posted on another blog that raised the same issues as yours. We are happy to talk to you about it as well. We are always open for dialogue, and feedback.

    “As you clearly state, we (Mosso) were very transparent in indicating what information is stored on our Cloud and what is not.

    The truth is that we are the first Cloud, that we know of, that enabled its Cloud customers to gain PCI compliance using multiple technologies. The future of Cloud technologies is full of these types of hybrid solutions that combine the best of both worlds. The goal for a customer and online merchant is to get PCI compliance, not be purist in terms of technology. Online merchants want to leverage the Cloud for scaling, and this is a good way to do it by combining both worlds.

    The fact that some people knew it was possible, but did not execute it, should not take away from the fact that Mosso was the first one to bring it to market, and execute. A lot of work had to go on from the Mosso side to enable this. There was work involved with the payment gateways to find the best solution for our customers. Also there was work involved with our system to demonstrate compliance with the merchant perimeter scans, something that no other cloud provider has done, to the best of our knowledge.

    We are very pragmatic in our approach, and will use the best of both worlds (Hybrid: Cloud/Dedicated) to bring solutions to our customers that can help them, today.

    I hope all this helps. Thanks again, and let us know if you have further questions. My email is ghrncir@mosso.com.

    Greg Hrncir (ghrncir@mosso.com)
    Director of Operations
    Mosso | The Rackspace Cloud”

    As always, Ben, or anyone with more questions, can also feel free to reach out to me.

    Emil Sayegh,
    General Manager
    Mosso | The Rackspace Cloud
    (esayegh@mosso.com)

    Emil Sayegh

    15 Mar 09 at 9:53 pm

  2. Thanks Emil for the response and thanks for the openness!

    I see where Mosso is coming from. I understand the complexities of getting PCI compliance as I’ve had to go through that process in the past. My main point is that when the vast majority of developers (your core business) see the words “PCI-compliant”, they expect the storage, transfer, and processing of credit card information to be within your platform, and truthfully, none of that is actually taking place there. Of course, it took work to identify a PCI-compliant solution and then comply with the perimeter scans. I salute you and your team for finding this hybrid approach. I believe the tone of the original posting, especially the headline, would mislead the majority of developers into thinking that Mosso as a standalone entity is PCI-compliant, and that’s what I and others have been calling out.

    Thanks once again for your openness. If I have any further questions, I’ll definitely be in touch. Feel free to post a response if you wish.

    Ben

    ben

    15 Mar 09 at 10:54 pm

  3. This statement

    “The truth is that we are the first Cloud, that we know of, that enabled its Cloud customers to gain PCI compliance using multiple technologies.”

    should be stricken and never used again. Offloading the PCI-compliant parts of a solution onto a different offering does NOT mean that your cloud offering has ‘enabled’ anything. The cloud part of the solution may be passing the perimeter scans, but ANY offering can be made to do that – including shared hosting – so that is not an earth-shattering claim at all. In fact, using the same terminology, I can post something to the effect of “XYZ webhost has worked with client ABC to enable PCI compliance on their shared hosting platform”.

    Technically true? Not really. Misleading? Definitely.

    Jamie

    16 Mar 09 at 11:35 am

  4. I just wanted to say that from a business perspective, Mosso’s solution is a perfect fit for us.

    Truth be told, we previously used a hybrid solution like the one we are using at Mosso with a dedicated server. From our perspective, this was an expensive solution that was not scalable and required us to maintain the server ourselves, as well as pay for excess capacity.

    While Mosso’s solution may not be appropriate for large enterprises, it works for us. The stumbling block we encountered with our desire to move into cloud hosting was passing the vulnerability scans. Mosso’s platform let us do that.

    It is true that the technology is not new. I think what is new is that we asked Mosso to “fix” the vulnerabilities found in our ASV scans and they worked with us to do so. They also detailed a specific set of steps for other e-commerce to follow in order to pass the scans and become compliant.

    Previously, from a business perspective, there was a thought that one had to use a dedicated server (even if using a hybrid solution like the one described by Mosso) in order to pass the ASV scans AND allow for some level of scalability and traffic spikes. This solution provided by Mosso let us move from a dedicated solution to a more cost-effective and scalable one.

    It may not be a new technology but the ability to use some solution other than a dedicated server was new for us from a business standpoint.

    Best regards,
    Philip Murphy
    VP Operations
    The Spreadsheet Store

    Philip Murphy

    16 Mar 09 at 1:27 pm
