We're a startup SMB that wants to process payments online for our customers and partners, but we're worried about PCI compliance because we outsource our payment card infrastructure to the cloud. This is a new and intimidating process for us. Where do we start? How do we figure out if we are using a
Processing payments online using a secure third-party payment processor is a great way to transfer a major portion of the burden of PCI DSS compliance out of your organization. This is an approach that many online retailers (especially smaller ones) use to allow them to focus on their business and leave the problem of PCI DSS compliance to someone else.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The first thing you should do is verify whether the cloud provider you're considering is certified as a PCI DSS-compliant service provider. This is necessary to ensure both that the provider meets the security requirements of PCI DSS and that you will be protected from noncompliance claims in the event of a compromise. Visa maintains a global registry of service providers that have successfully submitted evidence of their PCI DSS compliance. You should look up your provider and verify that it has submitted a current report on compliance (expired validation dates are listed in red on the report) and that it is certified for your region(s). The region codes on the report are the following:
- NA: North America
- AP: Asia and the Pacific
- CEMEA: Central Europe, Middle East and Asia
- LAC: Latin America and the Caribbean
It's not possible to completely outsource PCI DSS compliance, but outsourcing cardholder data functions can dramatically reduce your compliance burden. For example, if you build your own payment-processing system, you will be required to complete the longest of the self-assessment questionnaires, SAQ D, which includes 49 pages of questions regarding your security controls. On the other hand, if you outsource all cardholder data functions, you can answer the shortest questionnaire, SAQ A, which has only 15 pages of questions.
Overall, you should definitely consider outsourcing cardholder data functions. This is an especially effective strategy for SMBs who simply do not have the staff or resources to build their own compliance systems.
This was first published in December 2012