Matthew Bryars

Member Article

Turning to the cloud for PCI DSS compliance

Cloud adoption has changed the business landscape, causing a massive shift in how organisations operate. Depending on your source (and there are plenty to choose from!) UK cloud adoption rates are currently anywhere between 78 per cent and 84 per cent.

Advanced economies around the world are increasingly worried about data theft, ranking it among the largest global concerns for doing business, according to the World Economic Forum’s annual report on global risk. To help tackle this concern, one area of business that can significantly benefit from the switch to a cloud-based approach is compliance.

Businesses that take payments either online or over the phone are obligated by law to comply with the 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS). However, budgetary constraints, the rapid pace of technology evolution and a lack of internal resources are among the most commonly cited reasons why many organisations struggle to maintain a fully compliant PCI security solution in-house. In most instances, though, these issues can be traced back to a bigger problem: the size of the Cardholder Data Environment (CDE) that needs protecting.

PCI DSS compliance applies to an organisation’s entire CDE, which can be loosely broken down into four areas: data capture, data processing, data transmission and data storage. Associated with these are all the IT components involved, such as the network (firewalls, routers, etc.), all point-of-sale systems, servers, internal and external applications and third-party IT systems. Each of these elements contributes to the scope of the CDE, and the larger the scope, the more difficult and potentially expensive compliance becomes.

How the cloud can reduce CDE scope

The key for many businesses is to try to reduce the size of their CDE scope. This can be difficult, particularly if the business has chosen to maintain a fully on-premises approach. This is why the cloud is becoming a far more attractive option, as there are numerous cost-effective ways in which compliance can be achieved. By outsourcing key aspects of a cardholder data environment to a third-party Cloud Service Provider (CSP), the PCI compliance responsibility for those aspects is passed on to them.

A great example of this is the implementation of a cloud-based secure telephone payment solution. If an organisation uses a traditional call centre to take and process telephone payments manually, every aspect of that call centre is in scope for PCI DSS, from the telephone agents themselves through to the computers, network and payment systems used. However, if the organisation switches to a cloud-based payment system, all of these elements are taken out of the PCI DSS equation immediately. This is because at the point where a payment is required, customers are routed through to a secure, cloud-hosted platform where they enter their sensitive information via their telephone keypad. The call centre agents themselves no longer play any part in the collection or processing of the customer’s sensitive data, and it never enters the call centre environment. As a result, all of those elements are removed from the scope of the CDE and responsibility for PCI compliance passes to the provider of the cloud payment platform.
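To make the scoping argument concrete, here is an added example (not code from the article or from any product it describes) that models the two telephone-payment designs as data flows and lists which call-centre components touch cardholder data in each. The component names, the flows and the in-memory vault are constructed for illustration.

```python
import secrets

# Data elements PCI DSS treats as cardholder data or sensitive authentication
# data. A masked PAN or a non-reversible token is neither, so components that
# only ever see those do not carry CHD.
CHD = {"PAN", "expiry", "CVV"}

# Constructed data-flow models: (organisation component, data element it handles).
TRADITIONAL_FLOW = [
    ("pbx", "PAN"), ("call_recording", "PAN"), ("agent_headset", "PAN"),
    ("agent_desktop", "PAN"), ("lan", "PAN"), ("crm", "PAN"),
    ("payment_application", "PAN"), ("payment_application", "CVV"),
]
CLOUD_FLOW = [
    ("pbx", "voice_only"),                 # audio continues, keypad digits do not
    ("cloud_payment_platform", "PAN"),     # the provider's platform, not the call centre
    ("cloud_payment_platform", "CVV"),
    ("agent_desktop", "token"), ("lan", "token"), ("crm", "token"),
]

def in_scope(flow):
    """Components that store, process or transmit CHD are in CDE scope."""
    return sorted({component for component, data in flow if data in CHD})

def luhn_ok(pan: str) -> bool:
    """Luhn check a payment platform runs on keyed-in digits before accepting them."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

_VAULT = {}  # hypothetical: exists only inside the cloud platform, never at the call centre

def cloud_capture(dtmf_digits: str) -> dict:
    """Cloud platform receives the keypad digits and hands back only a token and masked PAN."""
    if not dtmf_digits.isdigit() or not luhn_ok(dtmf_digits):
        raise ValueError("invalid card number")
    token = "tok_" + secrets.token_hex(8)
    _VAULT[token] = dtmf_digits
    return {"token": token, "masked_pan": "*" * (len(dtmf_digits) - 4) + dtmf_digits[-4:]}

def handoff(dtmf_digits: str) -> dict:
    """Customer keys digits into the platform; this is all the agent's CRM ever receives."""
    result = cloud_capture(dtmf_digits)
    return {"crm_payment_ref": result["token"], "card_display": result["masked_pan"]}
```

Running `in_scope` over both flows shows the whole call-centre chain in scope for the traditional design and only the provider's platform for the cloud hand-off, while the CRM record from `handoff` contains no PAN to protect.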

For those who need to comply with PCI DSS obligations, the power, security and flexibility offered by many cloud solutions are impossible to ignore. Perhaps we will see a shift to the cloud for compliance purposes, because in a relatively short period of time, cloud-based solutions have gone from a ‘nice to have’ business luxury, to an integral part of any successful operation.

This was posted in Bdaily's Members' News section by Matthew Bryars.
