The use of cloud computing by companies of all sizes continues to grow. If your organization plans to store, process or transmit payment card information via the cloud, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is of particular concern.
Five key points from the PCI Security Standards Council's cloud guidance
1. Know where the data is at all times.
To ensure PCI compliance, the company and the cloud service provider must prepare an “end-to-end” process flow that clearly shows where the cardholder data resides at each step as it moves between the company and the cloud provider.
2. The type of cloud matters.
Depending on whether the cloud is private, public, part of a community or a hybrid, the security-related responsibilities of the cloud provider and cloud customer vary.
3. The type of service also matters.
Typically, cloud computing providers offer the following services:
- Software as a service (SaaS)
- Platform as a service (PaaS)
- Infrastructure as a service (IaaS)
Depending upon the type of service provided, security-related roles and responsibilities may vary significantly.
4. Don’t overlook third-party “nested” solutions.
Cloud computing providers will often embed, or “nest,” a third party’s solution to help deliver their services.
5. There are limitations to PCI compliance.
The Council's guidance notes the following limitations regarding claims that a cloud service provider may make about PCI compliance:
- If a cloud service provider is compliant, this does not mean that their clients are also compliant.
- If a cloud service provider’s clients are compliant, this does not mean that the cloud service provider is also compliant.
- If a cloud service provider and the client are compliant, this does not mean that any other clients comply.
- Communication regarding a breach at the company’s location, or theft of data from the cloud service provider, must take place in a timely manner.
LBMC Information Security reviews compliance efforts, tests to assure compliance, and can help your team develop an action plan to remediate compliance gaps. If you have questions, please contact us. Learn more about our PCI Compliance services.