Bankinfosecurity.com has an audio interview with Bob Russo of the Payment Card Industry Security Standards Council that highlights the Council’s recent guidance on cloud computing services and payment card data security.
The need for the guidance relates to the nature of cloud services and the presence in the market of so-called “public clouds,” where the cloud services provider offers its cloud as a shared service between multiple customers. Many segments of the payments industry are relying more and more on cloud services; consequently, Russo indicates, the responsibility for securing card data in the cloud (especially public clouds) is not so clear-cut.
From Bank Info Security:
“Cloud services provide an attractive opportunity for outsourcing,” says Russo, general manager of the Payment Card Industry Security Standards Council. “But from our perspective, we want to be sure organizations are aware of all of the risks before they entrust payment data and processing to a third party.”
On Feb. 7, the council released its PCI DSS Cloud Computing Guidelines Information Supplement, a set of best practices and guidelines developed by the PCI Cloud Special Interest Group.
Russo highlights the main point of the guidance: Know where card data is stored at all times. The challenge organizations face when storing card data in the cloud is that they lose an element of control. And sometimes card data can wind up being stored in multiple locations or in environments that are not well protected, he warns.
“Cloud is a shared responsibility,” Russo says. “Outsourcing the management of these security controls really doesn’t equate to outsourcing your responsibility to be PCI-DSS compliant. Cloud services are not all created equally, so you need to understand what PCI-compliant cloud service really means.”