seansquared - 3:17 pm on Aug 20, 2010 (gmt 0)
You aren't in the business of handling credit card data, so why are you doing it in the first place? That's just a rhetorical question, food for thought, you aren't a payment processor so stop processing payments! :)
The tried and true solution to this problem is to [b]offload your payment solution[/b]. Storage, transmission, and processing should all be moved off to a 3rd party payment gateway handler. This will greatly reduce your PCI-DSS footprint. There are tons of vendors out there that do this, but Braintree [url]http://www.braintreepaymentsolutions.com/services/pci-compliance[/url] is one of the best and is used by some big names on the web such as 37signals, admob, and Brightcove. I would strongly consider checking them out. I don't work for them, I just like what they offer.
Offloading your CC transactions is a given, so I really can't offer any further advice on the PCI end. Where I am concerned though is that you were quoted $7k on ANYTHING from Rackspace. If you're grossing less than $10k/mo in sales I can only assume that, unless you're doing microtransactions in great enough volume to require 48GHz of processing power on the SQL end, you don't need anything from Rackspace's Performance Series of dedicated servers.
With that in mind, maybe it's time to change up your infrastructure, or at least review it. I'll present both here:
Your first option is Cloud services. I know "Cloud" is the big gorilla term in the room, but hear me out. With cloud offerings (from Rackspace, Joyent, Terramark, and others) you pay for resources as your eCommerce platform scales, and you pay at the end of the month instead of up-front. Big difference from paying for dedicated environments that go largely unused - resource usage plummets at off-peak hours but you're still paying full price monthly, which is such a waste.
The other option is reviewing your infrastructure. If Rackspace is quoting you $7-10k I assume that's for a bunch of Performance Series gear and it's probably completely overkill. Take some time to determine the actual resource requirements of your environment and scale [b]down[/b] appropriately. I don't know your resource requirements, so I won't assume much, but SQL (as well as MySQL, Oracle 10g, and other performance-minded database platforms) can crank out hundreds of thousands of transactions a day on only a couple of cores and a few gigs of RAM. Determine the [b]real[/b] resource needs of your eCommerce environment and scale back on the overhead appropriately.
Whatever you do, use the cost savings to pay for Braintree or another payment gateway handler. Get the darn CC data OFF your eCommerce platform and minimize your PCI footprint to near-zero. Seriously, you'll go from a 250-question SAQ to a 10-question one [i]as long as you aren't touching CC data[/i].
Best of luck,
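The post's central point is that card data should never reach the eCommerce platform at all: the browser hands the card to the gateway, and the platform only ever sees a gateway token. The following is an added example, not code from the post or from Braintree; it shows two checks a shop can run on its own side to confirm it is staying out of scope: a checkout-payload validator that accepts only a gateway token and rejects anything that looks like raw card fields, and a log scanner that flags Luhn-valid card-number-shaped digit runs (the classic way PAN data creeps back in via debug logging). The field names (`gateway_token`, `card_number`, and so on), the sample log lines and the token value are constructed for the example.

```python
import re

# Candidate card-number runs: 13-19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Request fields that mean raw card data is being handled by this platform.
# Constructed list for the example; extend it to match your own form field names.
FORBIDDEN_FIELDS = {"card_number", "cardnumber", "pan", "cvv", "cvc", "cvv2",
                    "expiry", "exp_month", "exp_year", "track_data"}


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return normalised digit strings in `text` that are card-number shaped and Luhn-valid."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """First six / last four masking, so a finding can be reported without re-logging the PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_log(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line_index, masked_pan) for every PAN-like value found in the log lines."""
    hits = []
    for idx, line in enumerate(lines):
        for pan in find_pans(line):
            hits.append((idx, mask_pan(pan)))
    return hits


def validate_checkout_payload(payload: dict) -> tuple[bool, str]:
    """Accept a checkout request only if it carries a gateway token and no card data.

    Rejects on forbidden field names and on any string value that contains a PAN,
    so a card number smuggled into a free-text field is caught too.
    """
    keys = {str(k).lower() for k in payload}
    bad = keys & FORBIDDEN_FIELDS
    if bad:
        return False, "raw card field(s) present: " + ", ".join(sorted(bad))
    if "gateway_token" not in keys:
        return False, "missing gateway_token"
    for k, v in payload.items():
        if isinstance(v, str) and find_pans(v):
            return False, f"card-number-shaped value in field '{k}'"
    return True, "ok"


# Constructed sample log lines: one clean, one leaking a test card number via debug
# output, one containing a 16-digit reference that is NOT Luhn-valid (should not flag).
SAMPLE_LOG = [
    "INFO checkout order=ORD-20100820-0001 token=tok_c0ffee amount=49.99",
    "DEBUG raw form: card_number=4111 1111 1111 1111 cvv=123",
    "INFO invoice ref=1234567890123456 status=paid",
]

if __name__ == "__main__":
    for idx, masked in scan_log(SAMPLE_LOG):
        print(f"line {idx}: possible PAN {masked}")
    print(validate_checkout_payload({"gateway_token": "tok_c0ffee", "amount_cents": 4999}))
    print(validate_checkout_payload({"gateway_token": "tok_c0ffee",
                                     "note": "charge 4111 1111 1111 1111 please"}))
```

Run the scanner over web-server and application logs (and over database dumps) before filling in the SAQ: a platform that has truly offloaded card handling should produce zero hits, and the payload validator at the checkout endpoint keeps it that way if a front-end change ever starts posting card fields to your own server again.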