We're a startup SMB that wants to process payments online for our customers and partners, but we're worried about PCI compliance because we outsource our payment card infrastructure to the cloud. This is a new and intimidating process for us. Where do we start? How do we figure out if we are using a PCI-compliant cloud provider? What questions do we need to ask our cloud provider to make sure we are covered and compliant?
Processing payments online using a secure third-party payment processor is a great way to transfer a major portion of the burden of PCI DSS compliance out of your organization. This is an approach that many online retailers (especially smaller ones) use to allow them to focus on their business and leave the problem of PCI DSS compliance to someone else.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The first thing you should do is verify whether the cloud provider you're considering is certified as a PCI DSS-compliant service provider. This is necessary to ensure both that the provider meets the security requirements of PCI DSS and that you will be protected from noncompliance claims in the event of a compromise. Visa maintains a global registry of service providers that have successfully submitted evidence of their PCI DSS compliance. You should look up your provider and verify that it has submitted a current report on compliance (expired validation dates are listed in red on the report) and that it is certified for your region(s). The region codes on the report are the following:
- NA: North America
- AP: Asia and the Pacific
- CEMEA: Central Europe, Middle East and Asia
- LAC: Latin America and the Caribbean
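To make that registry check repeatable across several candidate providers, here is an added example (not code from the original answer): a small Python script that reads a registry export, rejects unknown region codes, and flags any provider whose validation has expired or that is not certified for every region where you accept cards. Visa's registry is a web listing, so the CSV layout, provider names and dates below are constructed assumptions.

```python
# Added illustration, not code from the original Q&A. Visa's registry is a
# web listing; the CSV layout used here is an assumed, constructed format.
import csv
import io
from datetime import date

# Region codes as listed on the registry (see the answer above).
REGION_CODES = {"NA", "AP", "CEMEA", "LAC"}
# Constructed "today" so results are reproducible.
AS_OF = date(2024, 6, 1)

# Constructed sample export: fictional providers and dates.
SAMPLE_REGISTRY_CSV = """provider,valid_through,regions
Acme Payments Ltd,2025-03-31,NA;AP
Globex Card Services,2023-11-30,NA;CEMEA;LAC
Initech Gateway,2025-06-30,LAC
"""

def parse_registry(text):
    """Return {provider: (valid_through_date, {region codes})}."""
    registry = {}
    for row in csv.DictReader(io.StringIO(text)):
        regions = {r.strip() for r in row["regions"].split(";") if r.strip()}
        unknown = regions - REGION_CODES
        if unknown:  # typo or unexpected code: fail loudly, never silently skip
            raise ValueError(f"{row['provider']}: unknown region(s) {sorted(unknown)}")
        registry[row["provider"].strip()] = (date.fromisoformat(row["valid_through"]), regions)
    return registry

def check_provider(registry, name, required_regions, today=AS_OF):
    """Return the reasons a provider fails the check; an empty list means OK."""
    if name not in registry:
        return ["not listed on the registry; request its compliance evidence directly"]
    valid_through, regions = registry[name]
    findings = []
    if valid_through < today:  # the registry shows expired validations in red
        findings.append(f"validation expired on {valid_through.isoformat()}")
    missing = set(required_regions) - regions
    if missing:  # must cover every region where you will accept cards
        findings.append(f"not certified for region(s) {sorted(missing)}")
    return findings

if __name__ == "__main__":
    reg = parse_registry(SAMPLE_REGISTRY_CSV)
    for name in ["Acme Payments Ltd", "Globex Card Services", "Initech Gateway", "Unknown Co"]:
        findings = check_provider(reg, name, {"NA", "AP"})
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```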
It's not possible to completely outsource PCI DSS compliance, but outsourcing cardholder data functions can dramatically reduce your compliance burden. For example, if you build your own payment-processing system, you will be required to complete the longest of the self-assessment questionnaires, SAQ D, which includes 49 pages of questions regarding your security controls. On the other hand, if you outsource all cardholder data functions, you can answer the shortest questionnaire, SAQ A, which has only 15 pages of questions.
Overall, you should definitely consider outsourcing cardholder data functions. This is an especially effective strategy for SMBs that simply do not have the staff or resources to build their own compliance systems.