As convenient as it can be to use cloud computing as part of a business’s credit card processing procedures, this new frontier also poses some risks to the security of card data, especially when it comes to outsourcing. The PCI Council recently spoke to those risks and offered some advice for maintaining PCI compliance in the cloud.
Bob Russo, general manager of the PCI Security Standards Council, told BankInfoSecurity that one of the most important things to remember when handling credit card data is to always know where the information is being stored, even when a third party has been given access to certain information. PCI compliance is the responsibility of the company that initially collects the data.
Wired Magazine echoed Russo's view that businesses must be especially careful in the cloud, stressing that cloud platforms cannot themselves be certified as PCI compliant, and that it is important to make sure that those operating the servers are adhering to best practices.
Russo also said that companies should thoroughly review contracts with service providers in an effort to understand different entities’ roles within the payment chain and stay vigilant in preventing data from being stored in multiple locations, which places it at a greater risk of compromise.
The PCI DSS Cloud Computing Guidelines Information Supplement is available on the PCI Council's website.