What are the core security challenges relating to PCI DSS compliance that we should be aware of when migrating...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
our Web-facing application infrastructure to a public cloud? How can we address PCI compliance in the cloud?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The first thing you should do is carefully review the recently released Payment Card Industry Data Security Standard (PCI DSS) 2.0 Cloud Computing Guidelines, available on the PCI Security Standards Council website. This document contains a wealth of information regarding the responsibilities of both merchants and service providers in a cloud environment, and does an excellent job helping you understand the types of controls that must be put in place.
Cloud computing solutions must comply with exactly the same standards as any other type of PCI DSS environment. In fact, most merchants already rely on some form of cloud service to assist them with the processing of credit card transactions. The difference when considering moving Web applications to the cloud is that you are often considering vendors that might not have deep PCI DSS experience.
If your cloud vendor will be directly storing, processing or transmitting credit card information (as opposed to merely handing customers off to a third-party payment gateway), you should verify that they appear on the Visa Global Registry of Service Providers and that their registry entry includes the service you are selecting. This assures you they have filed a Report on Compliance and are PCI-compliant. If you choose to use a cloud service that is not on the registry, understand that you will have to include that provider's infrastructure within the scope of your own PCI DSS assessment. I strongly suggest you don't put yourself in that situation.
You also must remember that simply choosing a compliant service provider does not make you PCI-compliant. Depending upon the type of service you purchase from that provider, you must take steps to ensure that the way you use those services is also compliant. For example, if you simply purchase Infrastructure as a Service computing cycles from a provider, you must still configure the Web server and develop Web applications in compliance with the PCI DSS and PA-DSS guidelines.
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
The OWASP Top Ten list is not a compliance standard but a set of best practices for enterprises looking to boost Web app security. Here's how to get ...continue reading
A data breach notification policy is important to have, but deciding how to alert customers can be tough. Expert Mike Chapple explains some best ...continue reading
Tokenization technology can be confusing. Expert Mike Chapple explains what the difference is between two types of tokens and how tokenization can ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.