[storborg]

You seem to assert that almost every startup that accepts credit cards is not PCI compliant, and further, operates on an environment which at times in the past has been known to be moderately insecure (e.g. hypervisor attacks). That's a pretty bold claim. Do you have any evidence to back it up? (e.g. name companies which are knowingly operating without PCI compliance when they're required to have it)

[sachinag]

I'm saying every startup that hosts their checkout pages in the cloud is - by definition - in violation. If you know a startup that accepts credit cards and doesn't have the secure server that accepts the credit card input on a rack somewhere - whether in their office, in their apartment, in a colo, or whatever - then that startup is, by definition, not PCI compliant.

There is a simple and easy way to get into compliance without moving your host - use hosted payment pages. PayPal, Recurly, Braintree, and the other top-tier providers all have hosted payment pages.

Every startup I have been employed by or consulted for w/r/t payments either has a physical box or uses hosted payment pages.

[storborg]

Right, so do you know of any that are in violation?

I know of a bunch of startups that use a hosted page (e.g. Paypal, Google Checkout, authorize.net SIM, whatever), and a bunch of startups that host their main site in the cloud but have a physical server for accepting CCs, but I don't know of any that accept CCs directly on a VM. I'd be pretty surprised to hear about it.