[fefe23]

You had me at "cloud providers". If you store the data on some cloud provider, then you are just as bad as what your prospective customers are doing.

I don't want any of my sensitive data stored on "some cloud provider".

Also, your security strategy apparently boils down to "we'll be REAL CAREFUL, pinky swear!"

That strategy does not work, and has never worked before. The whole reason why you think your product is needed is because your prospective customers do it just like that.

I'm stunned you found investors with this proposition.

[drexlspivey]

> Also, your security strategy apparently boils down to "we'll be REAL CAREFUL, pinky swear!"

Case in point: T Mobile Austria. https://nordvpn.com/blog/t-mobile-passwords-hacked-twitter/

[wepple]

I’m curious, what’s wrong with storing this type of data in a cloud provider?

Also, security aside wouldn’t a16z have invested because the business isn’t “do it more securely”, but “outsource PCI compliance entirely”?

[raesene9]

If by outsourcing PCI compliance entirely, they mean "ensure you don't store cardholder data by tokenizing it and we store the real stuff" this is very much not a new solution, so I'd struggle a bit to see the value of a new entrant.

There's already quite a few payment gateways where an e-commerce site can iFrame the payment page (or similar) to ensure that they never see the real cardholder data.

(the fact that this shouldn't really make them out-of-scope for PCI is a different problem)

[twelve40]

This is not a payments gateway. We use them for something entirely different than processing payments or credit cards. I haven't seen a general PCI-compliant transparent PII tokenizer proxy service like that. If you know of one, let me know, maybe we'll even switch. But this is not a payment gateway solution, and it's offering many more use cases than an iframe or credit cards.

[nodesocket]

I can think of a few:

  1.) Shared resources, and exploits like meltdown and spectre 
  2.) Cloud provider employees potentially have access
  3.) Cloud providers are subject to law enforcement requests

However, there are benefits. Typically Google Cloud for example is going to have much better systems and security that a home-rolled data center setup. They've been working on it for years and essentially have unlimited resources (time and capital).