By Kurt Hagerman
Editor's Note: This article is a response to "PCI SSC releases cloud guidelines," a story we posted online Feb. 11, 2013, under Breaking News. It can be found at www.greensheet.com/breakingnews.php?flag=breaking_news&id=1097.
As most of us know, the PCI Security Standards Council (PCI SSC) released a revised set of guidelines on payment card security standards earlier this year, including Payment Card Industry (PCI) Data Security Standard (DSS) guidelines for cloud computing. The guidelines are intended to help both businesses looking for safe cloud solutions and providers looking to protect customer data, yet some of the recommendations took providers by surprise - particularly those that recommended e-commerce companies not store, process or transmit payment card data in the cloud.
The three suggestions that stood out included:
For more details, see Section 4.5 of the PCI DSS Cloud Computing Guidelines at www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf.
Of course, the reality is that plenty of businesses and consumers are already operating in the cloud - and they show no signs of turning their backs on the flexibility, scalability and cost benefit it offers. From mobile banking to Internet shopping, commerce as we know it seems inseparable from the cloud. So is the cloud an inherently unsafe place for customer payment data? Or are the new PCI SSC guidelines off base?
The truth is somewhere in between. With the right skills and technologies, the cloud can indeed be engineered to keep data secure. Security challenges exist, yes, but merchants can overcome them by working with a cloud service provider (CSP) who knows how to optimize security and deliver a service model that fits their risk and security profile.
Let's start with PCI's most useful guidelines. Most businesses operating in the e-commerce space can agree that caution and responsibility are always appropriate when it comes to guarding payment data. The following recommendations are smart standards that all merchants and providers should consider.
Now let's move on to a few points where the PCI SSC guidelines missed the mark. While all of the security measures proffered by the council are practical and well-founded, the fact is that some providers have already created solutions aimed at protecting payment data and addressing those concerns. These include:
The PCI SSC is understandably cautious when it comes to payment card security standards - and that's a good thing. Meeting compliance goals is always a smart move when it comes to protecting customer data. Yet by partnering the convenience of cloud commerce with the security of smart technologies and responsible services, some providers have already addressed some of these challenges.
The cloud computing guidelines represent a road map toward a future of improved security. But to capitalize on the full power of the cloud, it's essential to acknowledge the existing solutions that offer merchants both protection and profit in one package.
As Director of Information Security at FireHost Inc., Kurt Hagerman oversees all compliance-related and security initiatives. He is responsible for helping FireHost attain ISO, PCI, HIPAA and other certifications, which allows FireHost customers to more easily achieve the necessary compliances for their own businesses. His position further includes merging information security and compliance into one organization, and enacting a strong security program in which levels of compliance are by-products. Hagerman, who has extensive engineering and systems management experience, can be reached at email@example.com.