Q

PCI compliance in the cloud: Can cloud service providers manage PCI?

PCI compliance in the cloud is controversial, so can a company really trust cloud service providers to manage their PCI DSS compliance?

Our organization is considering signing on with a cloud services provider that guarantees compliance with PCI DSS by essentially taking responsibility for our compliance. Do you have any advice as we perform our due diligence?


Outsourcing credit card processing is an extremely promising way to handle PCI DSS compliance, and one I highly encourage organizations to look at closely. After all, consider your organization’s primary business: It might be selling widgets, booking travel reservations or processing website memberships; it’s probably not credit card security. Whether we like it or not, meeting PCI DSS requirements is a distraction from our real businesses.

Outsourced credit card processors, however, are in the business of credit card processing and security. They can afford to dedicate significant resources to compliance and then spread that cost across all of their clients. These cloud service providers (CSPs) can not only do a better job of securing credit card data than you can with your internal resources, they can probably also do it less expensively.

The key thing enterprises should do when considering using an outsourced service provider is verify their listing on the Visa Global Registry of Service Providers. This list includes all service providers who have been validated as PCI DSS-compliant by a Qualified Security Assessor (QSA). Any service provider you consider should appear on this list.

It’s important to remember, however, that outsourcing credit card processing is not a panacea. Any provider who makes you a promise of “complete, guaranteed outsourced PCI DSS compliance” is probably pulling the wool over your eyes, at least a little. Yes, it is certainly possible (and advisable in many cases) to outsource card-processing activities and reduce organizational risk. However, you can never completely absolve yourself of PCI DSS responsibilities. Even merchants who have outsourced all card operations to a compliant service provider must still complete Self Assessment Questionnaire A (SAQ A), which asks about a dozen questions about physical security and the management of card-processing service providers.

The bottom line is, as long as you accept credit cards, you will probably never be able to completely remove yourself from the PCI DSS compliance process. That said, with judicious use of outsourcing, you can make your life a whole lot easier.

This was first published in June 2012
