Payment Card Industry (PCI) compliance is an absolutely essential cog in the wheel that turns e-commerce. While it’s legal in the U.S. to not comply with PCI standards, failure to do so can result in bank fines, an inability to do business with Card Associations like Visa and MasterCard and — most importantly — put your customers’ personal information at risk.
Ensuring PCI compliance can be daunting, particularly when you are operating in the cloud, but it must be addressed to be trusted in the online marketplace. How exposed is customer data among cloud providers? A 2015 study done by Verizon found that 89 percent of organizations don’t meet all 12 PCI requirements for compliance. That statistic is absolutely stunning. It means that an accomplished hacker can find a way into the systems of nine out of ten e-commerce organizations.
Clearly there are issues with PCI compliance specific to cloud platforms that must be considered before you decide which cloud provider is right for your e-commerce business. Here’s a closer look at a few of the bigger aspects to consider.
Establish Who Is Responsible
One of the toughest concepts to grasp when building or hosting in a cloud environment is deciding who is responsible for PCI compliance and data security. Plenty of cloud-hosting companies advertise themselves as PCI Data Security Standard (DSS) compliant, which is a great start. But, cloud providers only give you a platform for building your website, they aren’t responsible for what you build.
To simplify this issue, imagine your goal is to own a brick-and-mortar pet store. You find an empty space in a commercial center hailed for its on-site security: cameras, security guards — the works. When you rent your space and build your store, does the center’s reputation mean you can leave the doors unlocked and the money in the cash register every night?
Of course not, and if your store is robbed, you can’t expect the property management company to replace your stolen merchandise.
When you are looking for a cloud provider for your e-commerce site, a term you need to know and become familiar with is the responsibility matrix. That’s a fancy way of framing who is responsible for what in the cloud environment.
For instance, the matrix may dictate that the cloud provider is responsible for things like the physical network and data center, while the customer is responsible for the governance of that data and managing who has access to the environment itself. In this case, if a breach occurred at the physical data center, the lack of PCI DSS compliance would fall on the cloud provider, not your company.
Evaluate Compensating Controls
Depending on the type of organization you operate, becoming PCI compliant can be difficult because everything in your organization must get up to speed: your infrastructure, your operating system and your network. These processes aren’t all kept in one nice little box, particularly when you are already operating in a cloud environment. Why? Because cloud environments have a hierarchical internetworking model. In layman’s terms, this means there are three layers of network design: access, distribution and core.
Three layers equals three times the amount of coverage you need to be PCI compliant. In some cases, particularly when using a public cloud, it’s impossible to install the necessary components to be PCI DSS compliant. In these instances, you need to consider the use of compensating controls — workarounds to be put in place when a PCI standard can’t be met. This might sound like plugging a leak, but it’s actually the opposite. To be accepted as an alternative for PCI compliance, the compensating control needs to go above and beyond standard PCI requirements.
Understand Data Vulnerabilities
One of the cloud’s most impressive features is also one of its biggest handicaps when it comes to PCI compliance: accessibility from anywhere in the world. In a traditional pre-cloud setting, data is stored in a physical location, likely within your organization’s own office, available only by logging into your network at that same location through your company’s intranet. Thus, data breaches can only happen internally and are infinitely easier to stop or root out at the source.
Of course, the public cloud doesn’t work that way. It is a series of physical resources housed at the cloud service provider’s (CSP) location or locations that are then remotely accessed by customers. Your company’s data, from customer’s credit card numbers to proprietary information, is stored in the same physical location as that of every other customer using that CSP.
A private cloud is better because the physical location of your data, intranet, platform, etc., are all in known locations. In a public cloud environment, your data can be moved around frequently as part of the CSP’s load-balancing strategy. This might result in storage moving among different cities, different states and even different countries. Every time data is moved, there is risk of a breach.
When you employ a CSP, you need to ask for and obtain written confirmation of the firm’s procedures and security measures for things like data custody, data integrity and electronic discovery. Moreover, any CSP must clarify its data lifecycle management, meaning that your data is:
- Kept only as long as needed
- Utterly destroyed once it is no longer needed
- Housed only in secure, appropriate locations
- Available for access only by those with a clear, business-related need
- Accessed only in complete synchronization with the security policy of the customer’s organization
Find the Perfect Fit
Regardless of whether you’re investing in cloud-hosting services for PCI hosting, an IT service or a caterer for the office Christmas party, communication is your biggest ally. Do your research well in advance of contacting potential CSP vendors to get a firm grasp of your company’s needs.
Ask other firms in your field about how they handle the complications of PCI compliance in the cloud. Compile a list of questions to ask the CSP vendors you choose to shortlist, and then go a step beyond that and pick the brain of each vendor’s representative you contact. Remember the future of your business’s PCI compliance, reputation and customer security are at stake here. Cover all your bases, ask any question you can think of and put the CSP vendors through the ringer to ensure you’re making the best possible decision.
Ultimately, if you’re looking to accept payments, partnering with a PCI Level 1 compliant provider that reduces your PCI scope is the best way to ensure that your business or software application benefits from reduced fraud risk.