<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Mosso&#8217;s disingenuous PCI-compliance claim</title>
	<atom:link href="http://bencherian.com/2009/03/mossos-disingenuous-pci-compliance-claim/feed/" rel="self" type="application/rss+xml" />
	<link>http://bencherian.com/2009/03/mossos-disingenuous-pci-compliance-claim/</link>
	<description>putting cloud computing to the test</description>
	<lastBuildDate>Sat, 13 Feb 2010 17:12:43 -0700</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<item>
		<title>By: Philip Murphy</title>
		<link>http://bencherian.com/2009/03/mossos-disingenuous-pci-compliance-claim/comment-page-1/#comment-5</link>
		<dc:creator>Philip Murphy</dc:creator>
		<pubDate>Mon, 16 Mar 2009 18:27:27 +0000</pubDate>
		<guid isPermaLink="false">http://bencherian.com/2009/03/mossos-ingenuous-pci-compliance-claim/#comment-5</guid>
		<description>I just wanted to say that from a business perspective, Mosso&#039;s solution is a perfect fit for us.

Truth be told, we previously used a hybrid solution like the one we are using at Mosso with a dedicated server. From our perspective, this was an expensive solution that was not scalable and required us to maintain the server ourselves, as well as pay for excess capacity.

While Mosso&#039;s solution may not be appropriate for large enterprises, it works for us. The stumbling block we encountered with our desire to move into cloud hosting was passing the vulnerability scans. Mosso&#039;s platform let us do that.

It is true that the technology is not new. I think what is new is that we asked Mosso to &quot;fix&quot; the vulnerabilities found in our ASV scans and they worked with us to do so. They also detailed a specific set of steps for other e-commerce to follow in order to pass the scans and become compliant.

Previously, from a business perspective there was a thought that one had to use a dedicated server (even if using a hybrid solution like the one described by Mosso) in order to pass the ASV scans AND allow for some level of scalability and traffic spikes. This solution provided by Mosso let us move from a dedicated solution to a more cost-effective and scalable one.

It may not be a new technology but the ability to use some solution other than a dedicated server was new for us from a business standpoint.

Best regards,
Philip Murphy
VP Operations
The Spreadsheet Store</description>
		<content:encoded><![CDATA[<p>I just wanted to say that from a business perspective, Mosso&#8217;s solution is a perfect fit for us.</p>
<p>Truth be told, we previously used a hybrid solution like the one we are using at Mosso with a dedicated server. From our perspective, this was an expensive solution that was not scalable and required us to maintain the server ourselves, as well as pay for excess capacity.</p>
<p>While Mosso&#8217;s solution may not be appropriate for large enterprises, it works for us. The stumbling block we encountered with our desire to move into cloud hosting was passing the vulnerability scans. Mosso&#8217;s platform let us do that.</p>
<p>It is true that the technology is not new. I think what is new is that we asked Mosso to &#8220;fix&#8221; the vulnerabilities found in our ASV scans and they worked with us to do so. They also detailed a specific set of steps for other e-commerce to follow in order to pass the scans and become compliant.</p>
<p>Previously, from a business perspective there was a thought that one had to use a dedicated server (even if using a hybrid solution like the one described by Mosso) in order to pass the ASV scans AND allow for some level of scalability and traffic spikes. This solution provided by Mosso let us move from a dedicated solution to a more cost-effective and scalable one.</p>
<p>It may not be a new technology but the ability to use some solution other than a dedicated server was new for us from a business standpoint.</p>
<p>Best regards,<br />
Philip Murphy<br />
VP Operations<br />
The Spreadsheet Store</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Jamie</title>
		<link>http://bencherian.com/2009/03/mossos-disingenuous-pci-compliance-claim/comment-page-1/#comment-4</link>
		<dc:creator>Jamie</dc:creator>
		<pubDate>Mon, 16 Mar 2009 16:35:54 +0000</pubDate>
		<guid isPermaLink="false">http://bencherian.com/2009/03/mossos-ingenuous-pci-compliance-claim/#comment-4</guid>
		<description>This statement

&quot;The truth is that we are the first Cloud, that we know of, that enabled its Cloud customers to gain PCI compliance using multiple technologies.&quot;

should be stricken and never used again.  Offloading the PCI-compliant parts of a solution onto a different offering does NOT mean that your cloud offering has &#039;enabled&#039; anything.  The cloud part of the solution may be passing the perimeter scans, but ANY offering can be made to do that - including shared hosting - so that is not an earth-shattering claim at all.  In fact, using the same terminology, I can post something to the effect of &quot;XYZ webhost has worked with client ABC to enable PCI compliance on their shared hosting platform&quot;.

Technically true?  Not really.  Misleading?  Definitely.</description>
		<content:encoded><![CDATA[<p>This statement</p>
<p>&#8220;The truth is that we are the first Cloud, that we know of, that enabled its Cloud customers to gain PCI compliance using multiple technologies.&#8221;</p>
<p>should be stricken and never used again.  Offloading the PCI-compliant parts of a solution onto a different offering does NOT mean that your cloud offering has &#8216;enabled&#8217; anything.  The cloud part of the solution may be passing the perimeter scans, but ANY offering can be made to do that &#8211; including shared hosting &#8211; so that is not an earth-shattering claim at all.  In fact, using the same terminology, I can post something to the effect of &#8220;XYZ webhost has worked with client ABC to enable PCI compliance on their shared hosting platform&#8221;.</p>
<p>Technically true?  Not really.  Misleading?  Definitely.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: ben</title>
		<link>http://bencherian.com/2009/03/mossos-disingenuous-pci-compliance-claim/comment-page-1/#comment-3</link>
		<dc:creator>ben</dc:creator>
		<pubDate>Mon, 16 Mar 2009 03:54:58 +0000</pubDate>
		<guid isPermaLink="false">http://bencherian.com/2009/03/mossos-ingenuous-pci-compliance-claim/#comment-3</guid>
		<description>Thanks Emil for the response and thanks for the openness!

I see where Mosso is coming from. I understand the complexities of getting PCI compliance as I&#039;ve had to go through that process in the past. My main point is that when the vast majority of developers (your core business) see the words &quot;PCI-compliant&quot;, they expect either the storage, transfer, and processing of credit card information to be within your platform...and truthfully, none of that is actually taking place there. Of course, it took work to identify a PCI-compliant solution and then comply with the perimeter scans. I salute you and your team for finding this hybrid approach. I believe the tone of the original posting especially the headline would mislead the majority of developers that Mosso as a standalone entity is PCI-compliant and that&#039;s what I and others have been calling out.

Thanks once again for your openness. If I have any further questions, I&#039;ll definitely be in touch. Feel free to post a response if you wish.

Ben</description>
		<content:encoded><![CDATA[<p>Thanks Emil for the response and thanks for the openness!</p>
<p>I see where Mosso is coming from. I understand the complexities of getting PCI compliance as I&#8217;ve had to go through that process in the past. My main point is that when the vast majority of developers (your core business) see the words &#8220;PCI-compliant&#8221;, they expect either the storage, transfer, and processing of credit card information to be within your platform&#8230;and truthfully, none of that is actually taking place there. Of course, it took work to identify a PCI-compliant solution and then comply with the perimeter scans. I salute you and your team for finding this hybrid approach. I believe the tone of the original posting especially the headline would mislead the majority of developers that Mosso as a standalone entity is PCI-compliant and that&#8217;s what I and others have been calling out.</p>
<p>Thanks once again for your openness. If I have any further questions, I&#8217;ll definitely be in touch. Feel free to post a response if you wish.</p>
<p>Ben</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Emil Sayegh</title>
		<link>http://bencherian.com/2009/03/mossos-disingenuous-pci-compliance-claim/comment-page-1/#comment-2</link>
		<dc:creator>Emil Sayegh</dc:creator>
		<pubDate>Mon, 16 Mar 2009 02:53:00 +0000</pubDate>
		<guid isPermaLink="false">http://bencherian.com/2009/03/mossos-ingenuous-pci-compliance-claim/#comment-2</guid>
		<description>Thanks Ben for all the compliments, and sincere feedback. We take it to heart. I assure you that we are being transparent, and we made no unfounded claims here. However, it is not a simple feat to get a Cloud Platform to do this.

For reference, this is the reply from Greg that was posted on another blog that raised the same issues as yours. We are happy to talk to you about it as well. We are always open for dialogue, and feedback.

&quot;As you clearly state, we (Mosso) were very transparent in indicating what information is stored on our Cloud and what is not.

The truth is that we are the first Cloud, that we know of, that enabled its Cloud customers to gain PCI compliance using multiple technologies. The future of Cloud technologies is full of these types of hybrid solutions that combine the best of both worlds. The goal for a customer and online merchant, is to get PCI compliance, not be purist in terms of technology. Online merchants want to leverage the Cloud for scaling, and this is a good way to do it by combining both worlds.

The fact that some people knew it was possible, but not executed should not take away from the fact that Mosso was the first one to bring it to market, and execute. A lot of work had to go on from the Mosso side to enable this. There was work involved with the payment gateways to find the best solution for our customers. Also there was work involved with our system to demonstrate compliance with the merchant perimeter scans, something that no other cloud provider has done, to the best of our knowledge.

We are very pragmatic in our approach, and will use the best of both worlds (Hybrid: Cloud/Dedicated) to bring solutions to our customers that can help them, today.

I hope all this helps. Thanks again, and let us know if you have further questions. My email is ghrncir@mosso.com.

Greg Hrncir (ghrncir@mosso.com)
Director of Operations
Mosso &#124; The Rackspace Cloud&quot;

As always Ben, or anyone with more questions can also feel free to reach out to me.

Emil Sayegh, 
General Manager
Mosso &#124; The Rackspace Cloud
(esayegh@mosso.com)</description>
		<content:encoded><![CDATA[<p>Thanks Ben for all the compliments, and sincere feedback. We take it to heart. I assure you that we are being transparent, and we made no unfounded claims here. However, it is not a simple feat to get a Cloud Platform to do this.</p>
<p>For reference, this is the reply from Greg that was posted on another blog that raised the same issues as yours. We are happy to talk to you about it as well. We are always open for dialogue, and feedback.</p>
<p>&#8220;As you clearly state, we (Mosso) were very transparent in indicating what information is stored on our Cloud and what is not.</p>
<p>The truth is that we are the first Cloud, that we know of, that enabled its Cloud customers to gain PCI compliance using multiple technologies. The future of Cloud technologies is full of these types of hybrid solutions that combine the best of both worlds. The goal for a customer and online merchant, is to get PCI compliance, not be purist in terms of technology. Online merchants want to leverage the Cloud for scaling, and this is a good way to do it by combining both worlds.</p>
<p>The fact that some people knew it was possible, but not executed should not take away from the fact that Mosso was the first one to bring it to market, and execute. A lot of work had to go on from the Mosso side to enable this. There was work involved with the payment gateways to find the best solution for our customers. Also there was work involved with our system to demonstrate compliance with the merchant perimeter scans, something that no other cloud provider has done, to the best of our knowledge.</p>
<p>We are very pragmatic in our approach, and will use the best of both worlds (Hybrid: Cloud/Dedicated) to bring solutions to our customers that can help them, today.</p>
<p>I hope all this helps. Thanks again, and let us know if you have further questions. My email is <a href="mailto:ghrncir@mosso.com">ghrncir@mosso.com</a>.</p>
<p>Greg Hrncir (ghrncir@mosso.com)<br />
Director of Operations<br />
Mosso | The Rackspace Cloud&#8221;</p>
<p>As always Ben, or anyone with more questions can also feel free to reach out to me.</p>
<p>Emil Sayegh,<br />
General Manager<br />
Mosso | The Rackspace Cloud<br />
(esayegh@mosso.com)</p>
]]></content:encoded>
	</item>
</channel>
</rss>
