By making it easier to implement Payment Card Industry (PCI)-compliant APIs, Apigee and other companies are likely to accelerate the items that may be purchased online and through mobile devices. Major companies, such as Apple and Netflix, are already skilled implementers of PCI-compliant APIs. Apigee's offering of Enterprise Cloud PCI will extend the expertise to smaller companies and thousands of third-party developers seeking to connect consumers to enterprise goods and services.
The Payment Card Industry Data Security Standard (PCI-DSS) requires that all parts of the transaction be re-creatable and auditable. This is possible today with enterprise systems that are hosting a manageable number of transactions per second, and each transaction gets logged into a host server. But when the API has opened the door to thousands of new customers a day, outside help is needed to handle the traffic. As API management, moves offsite, say into Apigee data centers, the ability of the enterprise to track and audit all phases of a transaction may disappear.
Apigee is one of those offsite managers (it has an on-premises appliance as well) and Sam Ramji, VP of strategy at the firm, says its servers can handle 100,000 concurrent API connections a second for many different companies. What's more, it can now handle them in a PCI-compliant fashion. "If you want to transact, you need PCI for the API," he said in an interview.
Apigee is a young, Santa Clara, Calif., company built on the premise that API management is going to be crucial to the future of major companies. There are several such companies, including Mashery in San Francisco and Layer 7 in Vancouver, British Columbia. Apigee is the first to say it will manage APIs in a way that is compliant with the PCI standard; Layer 7 chimed in the same day to say its latest version has PCI-compliant features as well. Mashery, which manages APIs for 25,000 existing applications, including the New York Times, didn't weigh on the PCI debate immediately.
How APIs can have different degrees of security and compliance is evident in a white paper on the Apigee site that describes how a Google Maps API differs from a Twitter API. The Google Maps API is a highly public API. Google can determine what application is accessing Google Maps services by reading an API key assigned to the application, which tells Google which applications are big users of the services and not much else. A Twitter API is more restrictive. It not only reads which application is accessing it but uses an authentication protocol to ensure that only the password holder is issuing tweets under a given Twitter name. A PCI-compliant API goes many steps beyond these simple measures to impose encrypted exchanges and mask the identity of the credit card holder during the transaction itself. Even if the details of a transaction are captured by an intruder, it can't be tied to particular cardholder in a PCI-compliant setting.
"Due to the high cost and other challenges associated with building and supporting scalable, secure PCI-compliant APIs, the vast majority of APIs offered today are for catalog-type applications that enable viewing data, but not transacting with it," said Apigee CEO Chet Kapoor in the Enterprise Cloud PCI announcement Wednesday.
Enterprise Cloud PCI helps a firm build and deploy a transaction API in less time than it would take if it didn't have an Apigee host and management system to deploy it to. Once up and running, the service ensures that it continues to operate in compliance. Apigee takes responsibility for load-balancing the API code so that it is available on demand, and if necessary, throttling back overzealous, poorly coded applications that make excessive demand on its availability.
With a PCI-compliant API system available, third-party developers will it find simpler to build transaction systems and, even as buying options proliferate, "it will make for a safer market," Ramji claimed.
All the API firms help companies design and implement APIs. Apigee offers free tools and a limited amount of service without charge. But a public API that unlocks a popular company service attracts application developers. The proliferation of devices means the API supplier must try to keep up with device manufacturers and constantly revise the API. Companies launching many APIs end up with a management problem as particular versions of the API get tied to particular devices.
Some companies that have made a set of APIs public have "experienced catastrophic success," where their backend application servers "fell over" because they couldn't cope with the thousands of API calls, Ramji said. Part of the role of an API manager is to scale the API to meet demand, while tracking who's using it and throttling back an application developer whose code has a tendency to overuse the API.
Security concerns give many companies pause as they consider migrating portions of their IT operations to cloud-based services. But you can stay safe in the cloud, as this Tech Center report explains. Download it now. (Free registration required.)