Five Steps for Maintaining PCI Compliance in the Cloud

02/15/2017  |  By: Mark Burnette, CPA, CISSP, CISM, CISA, CRISC, CGEIT, ITIL, QSA, Shareholder, Practice Leader of Risk Services


The use of cloud computing by companies of all sizes continues to grow. If your organization plans to store, process or transmit payment card information via the cloud, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is of particular concern.

Here are five key points provided by the PCI Security Standards Council that help with this transition.

1. Know where the data is at all times. To ensure PCI compliance, the company and cloud service provider must prepare an "end-to-end" process flow that clearly shows where the data resides as it transits between the company and the cloud provider.

2. The type of cloud matters. Depending on whether the cloud is private, public, community or hybrid, the security-related responsibilities of the cloud provider and the cloud customer vary.

3. The type of service also matters. Typically, cloud computing providers offer the following services:

  • Software as a service (SaaS)
  • Platform as a service (PaaS)
  • Infrastructure as a service (IaaS)

Depending upon the type of service provided, security-related roles and responsibilities may vary significantly.

4. Don't overlook third-party "nested" solutions. Cloud computing providers will often embed, or "nest," a third party's solution to help deliver their services.

5. There are limitations to PCI compliance. The guide takes note of the following limitations regarding claims that the cloud service provider may make regarding PCI compliance:

  • If a cloud service provider is compliant, this does not mean that their clients are also compliant.
  • If a cloud service provider's clients are compliant, this does not mean that the cloud service provider is also compliant.
  • If a cloud service provider and the client are compliant, this does not mean that any other clients comply.
  • Communication regarding a breach at the company's location, or theft of data from the cloud service provider, must take place in a timely manner.

LBMC Information Security reviews compliance efforts, can test to assure compliance and can help your team develop an action plan to remediate compliance gaps. If you have questions, please contact us. Learn more about our PCI Compliance services.
