Storing and Transferring Data in the Cloud (Securely): Myth or Reality?
For many companies that store or process payment card data, the search for a safe and secure way to store and transfer customer information in the cloud has led to a degree of what I refer to as "cautious" confidence. While they identify solutions or strategies that help them feel better in the short term, they're left with a feeling of overall dread as they anxiously await word of the next data breach, not-so-secretly rooting for it to be somebody else.
The road to PCI compliance with secure payment card data in the cloud can seem long and daunting, but the good news is that it's possible. It's not to be taken lightly or done without significant planning, however. I've identified four actions that are critical to make this a reality for retailers in today's data-centric, threat-driven world. Remember, every business should look at their own needs and balance them against security and compliance requirements, so this should be considered a starting point.
1. Understand the difference between PCI compliance and certification. It may sound obvious, but this is one of the biggest — and most important — things businesses must understand in order to protect themselves and their customers:
- PCI compliance is a self-assessment that can be reviewed and confirmed by an audit. This status is claimed by almost every financial services company. Even some companies not in the industry use this as a benchmark.
- PCI certification is the time- and resource-intensive third-party assessment that must be reviewed and confirmed by an audit. Traditionally, this was only relevant for level-one service providers (i.e., the big-time players).
While annual PCI certification is a top priority for many companies (taking up valuable time and resources), it's important that an IT team remain vigilant in PCI compliance throughout the year.