When it comes to protecting credit card information in the cloud, do not treat your service provider as the sole party responsible for data security: you need to take steps to protect card numbers yourself. That is the message from the PCI Security Standards Council (PCI SSC), which recently published the PCI DSS Cloud Computing Guidelines Information Supplement (https://www.pcisecuritystandards.org/security_standards/documents) from its Cloud Special Interest Group (SIG).
The guidelines are intended as a resource for businesses choosing solutions and third-party cloud providers for handling their customers' payment data, so the recommendations in the Council's 52-page document deserve close attention. One of its most important points is that every organization in the card processing pipeline that uses the cloud, whether a bank, a service provider, a card brand or a merchant, shares responsibility for protecting consumer data.
“One of cloud computing’s biggest strengths is its shared-responsibility model. However, this shared model can magnify the difficulties of architecting a secure computing environment,” said Chris Brenton, a PCI Cloud SIG contributor and director of security for CloudPassage. Before now it was perhaps easier to point the finger at a service provider when a breach occurred and card data was lost. And while most cloud service providers do try to provide a comprehensive level of security, the PCI guidance makes it clear that customers, especially merchants, must take their own steps to protect that data.
One of the primary methods of protecting credit card information in the cloud is encryption of cardholder data. The PCI Council report states that “ensuring that clear-text account data is never accessible in the cloud may also assist to reduce the number of PCI DSS requirements applicable to the cloud environment.” In practice that means encrypting the primary account number (PAN) before it leaves the customer's own environment, so that the provider only ever stores and processes ciphertext.
It also recommends that the encryption keys stay with the cloud customer rather than the cloud provider. If the provider is compromised, an attacker obtains only ciphertext; and because the provider cannot decrypt the data on its own, no third party, including one making a legal demand on the provider, can obtain clear-text card data without the customer's direct involvement, which addresses the data sovereignty and compliance concerns a customer may have. One caveat: the systems where the customer generates, stores and uses those keys remain in PCI DSS scope, so key management there must still meet the standard's requirements.
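As an illustration of the customer-held-key model described above, here is an added example in Go; it is not code from the PCI guidance or from CipherCloud. A merchant-side service seals the PAN with AES-256-GCM under a key it generates and keeps, and only the resulting record is handed to the provider. The key label, the record layout, the test card number and the LeaksPAN pre-flight check are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// CloudRecord is the only thing that leaves the customer's environment; the AES key never appears in it.
type CloudRecord struct {
	KeyID      string // label of the customer-held key, not the key material
	Nonce      string // base64, fresh random value per record
	Ciphertext string // base64 AES-GCM output, authentication tag included
	Last4      string // masked display value; no other clear-text digits are stored
}

// NewCustomerKey generates a 256-bit AES key; in production it lives in the customer's own HSM or key server.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func validPAN(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	return strings.Trim(pan, "0123456789") == ""
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPAN seals a PAN under the customer-held key before it is handed to the provider.
func EncryptPAN(key []byte, keyID, pan string) (CloudRecord, error) {
	if !validPAN(pan) {
		return CloudRecord{}, errors.New("PAN must be 13 to 19 digits")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return CloudRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CloudRecord{}, err
	}
	last4 := pan[len(pan)-4:]
	// Key label and masked value are bound in as associated data, so a stored record cannot be re-labelled undetected.
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(keyID+"|"+last4))
	return CloudRecord{
		KeyID:      keyID,
		Nonce:      base64.StdEncoding.EncodeToString(nonce),
		Ciphertext: base64.StdEncoding.EncodeToString(ct),
		Last4:      last4,
	}, nil
}

// DecryptPAN recovers the clear-text PAN; only a holder of the customer key can, the provider cannot.
func DecryptPAN(key []byte, rec CloudRecord) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce, err1 := base64.StdEncoding.DecodeString(rec.Nonce)
	ct, err2 := base64.StdEncoding.DecodeString(rec.Ciphertext)
	if err1 != nil || err2 != nil {
		return "", errors.New("malformed record")
	}
	pt, err := gcm.Open(nil, nonce, ct, []byte(rec.KeyID+"|"+rec.Last4))
	if err != nil {
		return "", errors.New("decryption failed: wrong key or tampered record")
	}
	return string(pt), nil
}

// LeaksPAN is the pre-flight check on what is about to be sent: does the serialized record contain the clear PAN?
func LeaksPAN(rec CloudRecord, pan string) bool {
	return strings.Contains(fmt.Sprint(rec), pan)
}

func main() {
	key, _ := NewCustomerKey() // constructed example key; stays with the customer
	pan := "4111111111111111" // well-known test card number, not a real account
	rec, _ := EncryptPAN(key, "customer-key-1", pan)
	fmt.Printf("stored by provider: %+v\nclear PAN in record: %v\n", rec, LeaksPAN(rec, pan))
	fmt.Println(DecryptPAN(key, rec)) // customer: clear PAN, <nil>
	otherKey, _ := NewCustomerKey()
	fmt.Println(DecryptPAN(otherKey, rec)) // anyone else: "", decryption failed
}
```

The point of the associated data is that the provider, or anyone who obtains the stored records, cannot quietly relabel a record to a different key or pair it with a different masked value: GCM's authentication check fails on decryption. Only the last four digits are kept in the clear, which is the display form PCI DSS permits, and the customer's key never leaves the customer's side of the boundary.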
CipherCloud specializes in cloud data encryption and key management, and the company is pleased to be in step with PCI's cloud security guidelines. More importantly, the PCI DSS Cloud Computing Guidelines Information Supplement makes it clear that if you are going to send sensitive data into the cloud you need to protect that data, a position CipherCloud firmly supports. In short, if you cannot meet these guidelines, you should not be transmitting credit card information through the cloud.