Storing and Transferring Data in the Cloud (Securely): Myth or Reality?
For many companies that store or process payment card data, the search for a safe and secure way to store and transfer customer information in the cloud has led to a degree of what I refer to as "cautious" confidence. While they identify solutions or strategies that help them feel better in the short term, they're left with a feeling of overall dread as they anxiously await word of the next data breach, not so secretly rooting for it to be somebody else.
The road to PCI compliance with secure payment card data in the cloud can seem long and daunting, but the good news is that it's possible. It's not to be taken lightly or done without significant planning, however. I've identified four actions that are critical to making this a reality for retailers in today's data-centric, threat-driven world. Remember, every business should look at its own needs and balance them against security and compliance requirements, so this should be considered a starting point.
1. Understand the difference between PCI compliance and certification. It may sound obvious, but this is one of the biggest — and most important — things businesses must understand in order to protect themselves and their customers:
- PCI compliance is a self-assessment that can be reviewed and confirmed by an audit. This status is claimed by almost every financial services company. Even some companies not in the industry use this as a benchmark.
- PCI certification is the time- and resource-intensive third-party assessment that must be reviewed and confirmed by an audit. Traditionally, this was only relevant for level-one service providers (i.e., the big-time players).
While annual PCI certification is a top priority for many companies (taking up valuable time and resources), it's important that an IT team remains vigilant about PCI compliance throughout the year.
2. Get the business involved. Compliance isn't just a technology problem (even though some think it is); the reality is that compliance spans the entire business. For example, it's necessary to educate and train staff across departments and to write policy documents. When it comes time to achieve and demonstrate compliance, evidence of these things will be required. Without rigorous processes in place, producing that evidence is nearly impossible.
Identify a leader and, if possible, a dedicated team that makes securing and maintaining PCI compliance a priority. Treat it like you would a business problem, knowing that's exactly what it could turn into should the worst-case scenario take place.
3. Develop a plan. PCI compliance isn't "one and done." Rather, it's an ongoing practice, with some actions required on a daily or weekly basis. For example, to maintain a cloud environment that's PCI compliant, you have to consider things like firewall protection, anti-virus updates and encryption protocols. Many of these require internal team members to take specific actions in order to maintain this position, both as a compliant organization and as a trusted data partner. Without a plan, it's far too easy to fall out of practice and become lax. And we all know what happens when security and compliance take a backseat. Have your team make a plan, revise it as necessary and make sure it always stays relevant.
4. Make education a priority. It's no secret that the threat landscape continues to change and evolve, requiring a new level of education, a commitment to staying on top of changes and new levels of self-protection. In this landscape, there are important considerations to think about routinely, including the following:
- Your browser is like a keyhole in your database. Do you know how your web apps are connected to your database?
- Do you pass parameters from functions?
- Are employees properly trained and knowledgeable about phishing scams?
Make a list of trusted sources for industry updates and standards changes, and check it regularly. If you don't know where to start, here are just a few:
With all eyes on industry standards, breaches, privacy and consumer data, the burden falls to you to ensure data remains safe and secure — which is right where it should be.
Steve Hess is the vice president of product management at Ipswitch, a developer and marketer of software products and services.