One of the major concerns for the payment card industry (PCI) is ensuring the security of every transaction. However, there has been a recent debate over the use of cloud systems and how they should be incorporated into PCI compliance.
Since 2004, the PCI Security Standards Council (PCI SSC) has maintained a proprietary Data Security Standard (DSS) for handling all forms of payment card data. But the question of whether and how PCI DSS covers cloud deployments has remained undecided, and Qualified Security Assessors (QSAs), who are trained in PCI auditing and consulting, disagree.
A recent CIO article interviewed Chris Brenton, a PCI Cloud Special Interest Group contributor. He mentioned that previously, cloud PCI DSS was open to interpretation and QSAs debated whether being PCI compliant in the cloud is even possible.
It was announced this week, however, that the PCI SSC has released a cloud computing guideline detailing what is required to ensure customer information is protected.
"The original PCI DSS was written for a physical network, and some things really didn't apply to the cloud," Brenton says. "This new guidance has really gone through that and clarified things. It does a much better job. Now you can get two QSAs in a room and they'll actually agree on what they're saying."
The guideline covers a cloud overview, provider/customer relationships, DSS considerations and DSS challenges. It should be used by merchants and cloud solution providers to ensure they are creating the safest experience for their customers.
With the growing use of cloud-based POS systems and mobile checkout solutions, having a guideline for PCI cloud security is a crucial step to helping the system expand.