PCI Compliance is Possible in the Cloud


For companies required to be PCI compliant, the idea of making a move to the cloud has been daunting. While cloud computing adoption among businesses continues to increase dramatically every year, complex PCI compliance standards have often made it difficult to know if a business could store sensitive credit card information in the cloud—and if they could, how to do so and remain compliant. Now, many questions have been answered.

Just last month, the PCI Council published its PCI DSS Cloud Computing Guidelines. This new guidebook clarifies what approaches compliance-minded businesses can and should take when implementing the cloud and what expectations businesses should have of their Cloud Service Providers (CSPs).

Figure: Cloud computing service model

In essence, the guidelines encourage businesses to be proactive in their research into the different cloud service models—Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS)—in order to determine how to effectively and safely store consumer credit card data in the cloud.

Depending on the type of business (physician’s office vs. pizza shop), lines of accountability and responsibility will differ, as will the cloud deployment strategy. For example, for a high-touch, higher-risk vertical in which consumer credit card data is most exposed, an IaaS model offers the most control over the operating systems, whereas a SaaS model offers fewer data checkpoints under the business's own control. In the case of SaaS, ongoing diligence on the part of the business becomes increasingly critical.

According to a Network World review of the new PCI compliance guidelines, many merchants and CSPs believe that once a system is installed, the job is done. In reality, merchants should continually engage their CSPs to ensure adequate protection of credit card data stored in the cloud. The Council stresses the importance of establishing clear lines of communication between merchants and service providers so that each understands its own data security responsibilities. The merchant must make sure the service provider is implementing the correct security controls, and the service provider must accommodate those requirements.

If your business is required to maintain PCI compliance, and you are also interested in leveraging the benefits of the cloud, Windstream has extensive experience navigating the more than 200 required components of the PCI compliance standards—and can work with you to deploy a secure, compliant cloud computing solution.

Visit windstreambusiness.com to learn more about Windstream’s cloud computing and managed services and PCI compliance.