For businesses that want to be able to process payment card information, the Payment Card Industry Data Security Standard (PCI DSS) is the standard to follow. It is the only security standard accepted by all of the major credit card companies, and helps to establish a strong baseline of security for payment card transactions.
Cloud computing is a growing industry that provides companies across the world with convenient access to enterprise class infrastructure and resources.
Many companies use cloud computing for their mission-critical business infrastructure—but what do these businesses need to know about PCI compliance and the cloud?
There Are 12 Major Rules for PCI Compliance
There are no less than 12 major rules for PCI compliance that companies need to follow. In brief, these rules are:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied default passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public network
- Use and regularly update antivirus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign unique IDs to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
Each of these rules have specific subsections that provide guidance on how to achieve them. The majority of these rules are directly related to the application and management of specific security measures such as firewall, antivirus, and data encryption.
Not All Cloud Service Providers Offer PCI-Compliant Architecture
Unfortunately, not all cloud providers can or will meet the strict compliance standards of PCI DSS. The standard requires a lot of specific technologies and strict management. Many cloud service providers don’t provide the kind of secure technology and management necessary to meet PCI’s standards with their baseline product.
With some cloud providers, firewalls and intrusion detection/prevention systems are an added-cost product, not a part of the basic service. Clouds lacking these protections will not be able to meet compliance standards.
Even When the Cloud You Use Measures Up, You Still Have to Practice Caution
While many of the rules for compliance are centered on technologies used and their management, there are some aspects of PCI compliance that individual businesses will have to handle.
For example, creating and maintaining policies for addressing information security for all personnel is something that a business will need to handle internally.
Also, restricting access to specific systems/databases is a matter that no cloud service provider can do for a customer; they can provide tools to make restricting access by role easier, but actually assigning roles and managing personnel should always be controlled internally.
So, even when you’re partnered with a cloud service provider that has certified PCI-compliant infrastructure, it will still be up to your business to uphold key aspects of the standard.
Public Clouds Can Be PCI-Compliant
By using strong security at every level, WHOA.com provides PCI-compliant infrastructure on the public cloud. WHOA’s infrastructure uses industry-leading firewall, antivirus, encryption, and managed infrastructure services to keep data safe and reduce your workload needed to maintain compliance.
Discover how you can get a PCI-compliant architecture for your organization now!