Card transactions and cloud security

Paige Leidig says cloud data security issues must be ironed out to ensure payment card compliance

For many organisations considering a move to the cloud for business-critical operations, Payment Card Industry Data Security Standard (PCI DSS) compliance is a concern. In November, the PCI Security Standards Council (SSC) released version 3.0 of the standard, a third update to guidelines with which businesses and vendors have until 1 January 2015 to comply.

Cloud computing offers competitive advantages. But businesses must make sure they comply with the updated standard.

PCI DSS 3.0's Requirement 3.4 stipulates that a Primary Account Number (PAN) be rendered unreadable "anywhere it is stored", through measures such as strong cryptography. The cloud can make that a challenge: cloud backup and disaster recovery processes often result in the duplication of data, and copies may be moved around within and across datacentres and locations.

The solution to this is to catch and encrypt all sensitive information on the fly, at the point of transmission. By acting as a gateway through which all protected information must pass before it heads to the cloud, a cloud information protection platform can do that.

This way, data can be protected no matter how many copies are made of it or where it goes.

Cloud computing platforms can help to unify operations and improve collaboration and communication. As employees chat and trade information in the cloud, however, are they running the risk of violating the PCI DSS?

Requirement 4.2 in the standard forbids the sending of unprotected PANs through end-user messaging technologies. Unfortunately, the unstructured nature of instant messaging and email can make protecting the data a challenge.

Cloud data protection should work with cloud services and applications to ensure all protected data is detected and encrypted before it is shared.

Encryption is an important part of the PCI DSS compliance toolkit. But with encryption comes the need for encryption keys, and not all cloud encryption offerings are created equal. Some allow the service provider to have access to the company's keys.

This increases the chance that a company will violate the standard's Requirement 3.5, which makes organisations responsible for protecting encryption keys "against disclosure and misuse".

Cloud service providers should not have access to them. Neither should encryption providers. Enterprises should retain full control over their encryption keys for maximum cloud data security.

Paige Leidig is senior vice president at CipherCloud