Companies have been increasing their investments in cloud computing over the past year, but how many have truly been careful about safeguarding customer information? The PCI Council rolled out new guidelines on cloud security for payment environments and said that introspection may be the big issue companies will have to worry about.
According to retail technology experts at Storefront Backtalk, the new guidelines are not prescriptive mandates so much as recommendations. Council members acknowledge that, while retailers may have limited control over some parts of the cloud operating model, they should still be striving to make sure everything is in its right place.
"If payment card data is stored, processed or transmitted in a cloud environment, PCI DSS will apply to that environment, and will typically involve validation of both the [cloud service provider's] infrastructure and the client's usage of that environment," the guidelines said. "The allocation of responsibility between client and provider for managing security controls does not exempt a client from the responsibility of ensuring that their cardholder data is properly secured according to applicable PCI DSS requirements."
This means that companies will have to make sure their service level agreements cover all the security and protection controls they need. Storefront Backtalk said companies have the responsibility to protect the data, but they may not necessarily control every layer of the cloud, so it is up to each individual company to make sure it remains accountable for the cloud environment used to hold payment data.
Chris Brenton, a PCI Cloud SIG contributor and director of security for CloudPassage, said in a press release from the PCI Council that the cloud's biggest strength is the model of shared responsibility, but this can also make things difficult for companies who may not be completely sure how to protect information. For this reason, the guidelines issued by the council achieve a lot, as he said they clearly define what businesses are responsible for as far as information in the cloud is concerned.
Bob Russo, general manager of the PCI Security Standards Council, also revisited the notion of shared responsibility that is so frequently discussed among his colleagues. Because cloud computing models are inherently built on this principle, division of duties and agreement on data protection expectations between service subscribers and providers are particularly important.
"It's great to see this guidance come to fruition, and we're excited to get it into the hands of merchants and other organizations looking to take advantage of cloud technology in a secure manner," he said in the PCI Council release.
Cloud Security News from SimplySecurity.com by Trend Micro.