Commentary | 5/17/2013 01:20 PM

Do Your Due Diligence With The Cloud And PCI

Don't hand over compliance responsibilities when you sign on with a cloud provider.

InformationWeek - May 2013 Supplemental Issue InformationWeek Green
Download the entire May 2013 supplemental issue of InformationWeek on Mobile Commerce, distributed in an all-digital format (registration required).

Using cloud services is an increasingly popular business decision; in many cases, a cloud provider can deploy technology in a fraction of the time -- and for a fraction of the cost -- required for a company to set up the same tech internally. This disparity may be due to a lack of in-house expertise, the up-front costs to purchase and deploy the technology or a combination of factors.

However, one thing a cloud provider can't do is relieve you of the responsibility for Payment Card Industry Data Security Standard (PCI DSS) compliance. While that may seem obvious, I still have merchants ask whether outsourcing their cardholder data environments means they don't have to worry about PCI compliance. Unless the service provider has a current Report on Compliance (ROC) that covers all applicable requirements, the answer is always an emphatic "No!"

The InformationWeek Mobile Commerce Survey asked 895 respondents involved with or familiar with their companies' strategies about 13 inhibitors to jumping into mobile commerce. The No. 1 answer: compliance concerns. Part of the problem is that, among nearly 300 of those IT respondents with strategies and timelines for adoption, just 35% say they're very or extremely familiar with the PCI Data Security Standard for credit card processing.

The Lowdown

Any company on the hook for PCI DSS must review, and if needed audit, its providers' compliance at least annually. The key is to know how the use of a given cloud service will affect your PCI compliance validation efforts and to plan accordingly.

And remember, you must maintain PCI DSS compliance at all times -- not just in time for your Qualified Security Assessor's next visit.

Organizations that take their PCI responsibilities seriously will find that using a cloud provider and staying compliant, while not an insurmountable task, can be a major project. Let's walk through a real-world example. The infosec department for one of our clients found out after the fact that the company had contracted with a cloud services provider to fully manage a second data center. The cloud provider was to supply a variety of managed and professional services, including virtual networks, firewalls and servers (IaaS); database (PaaS); IDS/IPS and file integrity monitoring (SaaS); and security monitoring and incident response (professional services).

To read the rest of the article, download the May 2013 supplemental issue of InformationWeek.
