Storing and Transferring Data in the Cloud (Securely): Myth or Reality?

March 25, 2014, by Steve Hess
The road to PCI compliance with secure payment card data in the cloud can seem long and daunting, but the good news is that it's possible. It's not to be taken lightly or done without significant planning, however. I've identified four actions that are critical to make this a reality for retailers in today's data-centric, threat-driven world. Remember, every business should look at their own needs and balance them against security and compliance requirements, so this should be considered a starting point.
1. Understand the difference between PCI compliance and certification. It may sound obvious, but this is one of the biggest — and most important — things businesses must understand in order to protect themselves and their customers:
- PCI compliance is a self-assessment that can be reviewed and confirmed by an audit. This status is claimed by almost every financial services company. Even some companies not in the industry use this as a benchmark.
- PCI certification is the time- and resource-intensive third-party assessment that must be reviewed and confirmed by an audit. Traditionally, this was only relevant for level-one service providers (i.e., the big-time players).
While annual PCI certification is a top priority for many companies (taking up valuable time and resources), it's important that an IT team remain vigilant in PCI compliance throughout the year.
2. Get the business involved. Compliance isn't just a technology problem (even though some think it is); the reality is that compliance spans the whole business. For example, it's necessary to educate and train staff across departments and to write policy documents. When it comes time to achieve and demonstrate compliance, evidence of these activities will be required, and without rigorous processes in place, producing that evidence is nearly impossible.