Cloud Storage No Silver Bullet For PCI Compliance - InformationWeek


Compliance with credit card data security rules is a tricky business. Don't count on cloud storage solutions to make it any easier.

I won't spend any time here on the finer points of Payment Card Industry (PCI) data security rules, which apply if your small business handles sensitive customer payment data. If your business falls into that category and you aren't already acquainted with PCI, stop reading this and get up to speed -- fast.

What I do want to discuss is a related question: Are cloud-based services, especially data storage services, PCI compliant?

That's a complex question, but it's pretty easy to cut it down to size. Here's the bottom line: Unless you're told otherwise, in writing, assume that the answer is no.

Some cloud service providers are completely up-front about the difficulty of ensuring PCI compliance in general-use environments. Consider this excerpt from a 2009 blog post discussing Amazon's EC2 solution:

"From a compliance and risk management perspective, we recommend that you do not store sensitive credit card payment information in our EC2/S3 system because it is not inherently PCI level 1 compliant," an Amazon representative told a customer in an exchange that was posted on an AWS web forum. A key issue is that PCI auditors are unable to inspect Amazon's data centers.

In other cases, however, cloud providers may attempt to finesse the issue in order to keep potential customers engaged. Case in point: This tale involving a provider that boasted of being "the very first cloud hosting solution to enable an Internet merchant to pass PCI compliance scans."

Dig a little deeper, however, and it turned out that the provider ensured "compliance" by having the customer redirect its credit card processing functionality to a third party card processing provider!

Given the popularity of cloud-based storage service providers, especially in terms of backup and disaster recovery tasks, it's easy for a small business to go astray here. But PCI compliance is now a deadly serious business; a single misstep could cost your company its ability to accept credit cards.

For many small and midsized firms, that's tantamount to a death sentence. Tread carefully here. If a cloud provider cannot give you PCI compliance assurances in crystal-clear, written terms, don't think twice about walking away. Ultimately, the penalties for non-compliance will fall on your shoulders, not the provider's.
