PCI compliance in cloud services


June 13, 2012

With all the hype surrounding the delivery of services through cloud providers, it is little wonder that some enterprises may be wary of stepping into the new realm of business opportunities unprepared.

In essence, external providers are taking the information and operations outside of the physical premises controlled by the firm in question – leading to questions about how safe and secure the systems really are.

This is especially true for businesses that are aware of their obligations with regard to potentially sensitive information collected from clients and stakeholders.

Because these details are given to the enterprise with the understanding that they will be kept safe from misappropriation or theft, security is often a prime concern for the staff members in charge of information storage.

When it comes to the payment card industry (PCI), there are strict guidelines that govern how client information is to be processed and archived.

New technologies such as cloud storage are subject to the same requirements as in-house systems, which calls for the assistance of qualified PCI compliance testers.

These experienced professionals will be able to ascertain whether an external provider is suited to storing or processing sensitive card payment information, as well as provide additional advice on how to improve existing frameworks.

Dr David Ross delivered a presentation to attendees of the AusCERT 2012 conference, stating that while extra care was needed, it could be possible to make use of these systems while maintaining PCI compliance.

According to an article published by ZDNet on May 17, Dr Ross said that while cloud providers can offer compliant products and services, the onus still lies with the primary company.

Some of the products the presenter mentioned also come with in-depth guides that help clients deliver services in line with the data security standards laid out by the payment card industry, but he was quick to warn that this still does not automatically make the solutions certifiably compliant.

While the shared nature of some cloud services makes it difficult to get a clear picture of just what information is visible to third parties, a team of qualified assessors can provide managers with an in-depth review of the pros and cons of a particular service.

This allows decision makers to make informed choices based on the particular details provided by a neutral third party, removing bias and proprietary control issues from the equation.