PCI compliance and the public cloud

Monday, December 05, 2011 | Dan Blacharski

Public perception of how safe credit card and identity information is when placing an order over the Internet has swung from outright suspicion and fear to acceptance. Internet transactions are at an all-time high, especially during the holiday season, and the relatively new phenomenon of "Cyber Monday" has catapulted Internet commerce to the point where merchants now depend heavily on their online volume to meet their numbers. But with high-profile attacks against credit card issuers and merchants, the public's trust that identities are safe has diminished.

Add to that a shaky public perception of the security of the cloud, and you have a significant backlash against Internet commerce. In reality, the cloud can be a highly secure platform, and in many cases more secure than an internal data centre alternative. The key, however, lies in the choice of cloud and in PCI compliance. The Payment Card Industry Data Security Standard (PCI DSS) is a set of 12 requirements to protect customer payment data. While it is not mandated by law in the UK, it is nonetheless an internationally recognised standard created by the major credit card issuers, and whether mandated or not, it represents best practices that help to ensure the safety of customer data. A common question merchants ask when complying with PCI, however, is whether they can continue to use the cloud. The answer is a qualified "yes."


In a high-transaction environment, some security experts do recommend maintaining a cloud platform for day-to-day operations while using a separate secure server for transactions. But maintaining separate facilities may be costly, and may well eliminate the reason for moving to the cloud in the first place. The lure of the cloud is strong, though, with advantages including reduced maintenance requirements and lower capital expenditures. PCI DSS itself does not preclude use of the cloud. The issue then becomes whether the cloud provider itself is PCI compliant. Although they are increasingly vigilant on the issue of security, not all cloud providers are compliant with this set of best practices.
 
A cloud centre can become PCI compliant just as easily as any other data centre. PCI DSS comprises 12 requirements, which include common-sense precautions such as firewalling, encryption, regular updates of security software, physical access restrictions, and tracking and testing of access to cardholder data.
 
The case for the cloud may be strong, particularly in the CFO's office, but before making the move a company is well advised to exercise due diligence against the cloud provider. The fact is, using a cloud provider that is PCI compliant will make the client PCI compliant as well, and so this is the first step an Internet merchant must take when moving to the cloud. How well established, and how cheap, the cloud provider may be is the least of a merchant's concerns when making this decision. Rather, the focus must be on transparency and on verification of PCI compliance by an independent source. And lastly, the decision itself must not be taken lightly. Moving a large, transaction-based environment to the cloud is not a simple task, and once it has been done, moving back to an on-premises data centre will prove to be a very costly reversal.