Cloud Services and PCI Compliance: Is it Even Possible?

Cloud services are becoming a popular form of web hosting.

Cloud hosting is a type of web hosting service that scales to each client's needs: the client pays only for the storage and compute time actually used (somewhat like a time-share condo), and capacity can grow or shrink as the client's needs change.

Cloud hosting is easy to set up and largely maintenance free for the customer, which is why so many businesses are turning to it for their web hosting. The service provider supplies the hardware and software and also handles the administration tasks related to the service, such as IT management. This is especially beneficial for entrepreneurs and small businesses: the service is easy to access, they don't have to find space for equipment such as servers and storage systems, and they don't have to hire an IT technician or consultant. Some of the top companies that offer cloud services include Amazon, Rackspace Cloud, Office Time, Sage One and iTunes, and there are many more to choose from.

Although there are many benefits to cloud services, concern has been raised about security and the risk of identity theft. Anyone who accepts credit cards as payment should be well aware of the PCI DSS (Payment Card Industry Data Security Standard), the standard that sets out how cardholder data must be stored, processed and transmitted securely. In order to accept card payments, a business must be PCI compliant.

Many people believe it is impossible to be PCI compliant when using cloud hosting services, but that's not true. The PCI Security Standards Council has released guidance specifically for organizations using cloud services (read it in its entirety here). Its core point is that responsibility for PCI compliance when using cloud services is shared: it falls on both the service provider and the merchant, and which party covers which requirement has to be agreed and documented rather than assumed.

Broadly, the service provider is responsible for the firewalls and other security controls on the underlying infrastructure and internal networks, while the client is responsible for everything inside their own environment and website: the application code, the configuration they control, and how cardholder data is handled. Depending on how this split is approached, it can make compliance harder or easier.

In one way, compliance in the cloud is easier, because you don't have to fulfill every requirement yourself. But staying compliant requires communicating and working with your service provider to confirm that their side of the requirements is actually met, which becomes difficult if communication is a problem. Some large providers such as Amazon and Rackspace are already PCI DSS validated, which makes compliance a lot easier, but a provider's compliance does not make the merchant compliant by itself: ask for the provider's Attestation of Compliance and a list of which PCI DSS requirements it covers, and treat everything not on that list as your own responsibility.

For the most part, the ease of PCI compliance when using cloud services comes down to clearly determining the responsibilities of both the service provider and the client, and having the ability to communicate and work together to become and remain PCI compliant.

