GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View flipbook of this issue

Care to Share?

Table of Contents

Lead Story

Untangling the legal side of acquiring


Industry Update

NACHA seeks input on QR codes

It's anonymous mobile payments for Amazon

Accord reached on EMV liability shift

Breach exposes 2.4 million cards

Selling Prepaid

Prepaid in brief

The promise of prepaid MDC

New approach urged for cross-border enforcement


The new PCI SSC guidelines: Separating the cloud from the fog

Kurt Hagerman
FireHost Inc.

Get ready for the mobile revolution

Michael Gavin
Merchant Warehouse


Street SmartsSM:
Think like an aggregator

Dale S. Laszig
Castles Technology Co. Ltd.

Impact of EMV and NFC on acquiring

Jim Bibles
Aperia Solutions

Training customized for you

Bill Pirtle
C3ET Credit Card Consortia for Education & Training Inc.

Company Profile



Meet The Expert: Ross Federgreen

New Products

Versatile storefront, mobile merchant app

AprivaPay Plus
Apriva LLC


Conform, with style


Readers Speak

Resource Guide


A Bigger Thing

The Green Sheet Online Edition

May 13, 2013  •  Issue 13:05:01

previous next

The new PCI SSC guidelines: Separating the cloud from the fog

By Kurt Hagerman

Editor's Note: This article is a response to "PCI SSC releases cloud guidelines," a story we posted online Feb. 11, 2013, under Breaking News. It can be found at

As most of us know, the PCI Security Standards Council (PCI SSC) released a revised set of guidelines on payment card security standards earlier this year, including Payment Card Industry (PCI) Data Security Standard (DSS) guidelines for cloud computing. Intended to help both businesses looking for safe cloud solutions and providers looking to protect customer data, some of the recommendations took providers by surprise - particularly those that recommended e-commerce companies not store, process or transmit payment card data in the cloud.

The three suggestions that stood out included:

  1. Separating payment card data from the cloud (thereby eliminating the need for PCI DSS controls)
  2. Implementing a dedicated physical infrastructure used only for the in-scope cloud environment
  3. Minimizing reliance on third-party providers for protecting payment card data

For more details, see Section 4.5 of the PCI DSS Cloud Computing Guidelines at

Of course, the reality is that plenty of businesses and consumers are already operating in the cloud - and they show no signs of turning their backs on the flexibility, scalability and cost benefit it offers. From mobile banking to Internet shopping, commerce as we know it seems inseparable from the cloud. So is the cloud an inherently unsafe place for customer payment data? Or are the new PCI SSC guidelines off base?

Security standards for cloud challenges

The truth is somewhere in between. With the right skills and technologies, the cloud can indeed be engineered to keep data secure. Security challenges exist, yes, but merchants can overcome them by working with a cloud service provider (CSP) who knows how to optimize security and deliver a service model that fits their risk and security profile.

Let's start with PCI's most useful guidelines. Most businesses operating in the e-commerce space can agree that caution and responsibility are always appropriate when it comes to guarding payment data. The following recommendations are smart standards that all merchants and providers should consider.

Smart solutions for a secure environment

Now let's move on to a few points where the PCI SSC guidelines missed the mark. While all of the security measures proffered by the council are practical and well-founded, the fact is that some providers have already created solutions aimed at protecting payment data and addressing those concerns. These include:

A way to build on existing strengths

The PCI SSC is understandably cautious when it comes to payment card security standards - and that's a good thing. Meeting compliance goals is always a smart move when it comes to protecting customer data. Yet by partnering the convenience of cloud commerce with the security of smart technologies and responsible services, some providers have already addressed some of these challenges.

The cloud computing guidelines represent a road map toward a future of improved security. But to capitalize on the full power of the cloud, it's essential to acknowledge the existing solutions that offer merchants both protection and profit in one package.

As Director of Information Security at FireHost Inc., Kurt Hagerman oversees all compliance-related and security initiatives. He is responsible for helping FireHost attain ISO, PCI, HIPAA and other certifications, which allows FireHost customers to more easily achieve the necessary compliances for their own businesses. His position further includes merging information security and compliance into one organization, and enacting a strong security program in which levels of compliance are by-products. Hagerman, who has extensive engineering and systems management experience, can be reached at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | USAePay | Board Studios