Choosing the right cloud company can be the difference between reducing the headache that is PCI DSS and increasing that headache a hundredfold.
With so many cloud service providers claiming PCI compliance and the ability to offer PCI-compliant cloud services, which service provider is going to tick the boxes you really need? And on a more fundamental level, do you really need a compliant cloud?
PCI DSS has been around for years and its demands aren’t going away any time soon. In fact, quite the opposite: with talk that the next push will be a requirement for businesses to confirm their service providers are PCI compliant, it is now more important than ever to make sure your provider can prove their PCI credentials.
This is as true for a small e-commerce company hosting with a local web hosting company as it is for a multi-million pound corporate entity hosting in their own private cloud.
What should you expect when signing up for a compliant cloud solution?
The PCI Security Standards Council has put in place a set of strict rules for PCI-compliant cloud service providers. Depending on the level of security you require, these rules dictate which requirements you can expect your service provider to cover and which you will need to deal with internally.
Simply signing up with a PCI-compliant service provider does not make you PCI compliant yourself. It is crucial that you check you are using the service provided in a compliant manner. The right service provider can tick a lot of boxes in terms of hosting, but there will always be non-infrastructure aspects, outside of your service provider’s remit, that require your close attention. No provider can take away your need for certain internal PCI measures, and it is ultimately your own responsibility to maintain PCI compliance.
So, if you are considering moving your business hosting into the cloud and require a PCI-compliant service provider, the important thing is to check that they are able to cover the elements that matter to you.
Do you need a PCI-compliant cloud?
While sometimes open for lengthy debate, the simple and safe answer is that if your website or any part of your infrastructure takes, transmits, processes or stores any form of cardholder data, then chances are you will need a form of PCI-compliant hosting.
There are often grey areas around this, with some companies insisting that a payment portal (usually making use of an iframe or similar technology) keeps them out of the scope of PCI DSS. Given the very real threat that someone compromises the site in question and redirects the payment page to one of their own, harvesting a potential client’s card details without anyone being aware, it is clear just how in scope that merchant really is.
The key here is to remember that almost every company, whether embarking on PCI DSS or looking to maintain compliance, has a unique scope. As such, the only way to confirm whether you need a compliant solution under PCI DSS is to talk to a specialist.
So, what does a compliant cloud mean for you?
The answer is different for everyone. If you require a service to take away that PCI DSS headache, potentially a lot. The ability to outsource as much as possible while still maintaining control, and to be helped through your own internal compliance procedures and processes along the way, can save not only money but also considerable amounts of time.
If you are a company that takes any form of credit or debit card information, a compliant cloud solution and the security it brings could very well be the solution you have been looking for.
Here at ServerChoice we are proud to be PCI DSS V3.0 certified as a Level 1 Service Provider, the highest level available. As one of the first service providers in the UK to achieve this, and thanks to our bespoke compliant cloud hosting solutions, we are confident that our clients will be able to tick off their ‘compliant service provider’ PCI requirement with maximum confidence.
We additionally offer a variety of complimentary services, such as penetration testing, PCI and information security consultancy, and ISO 27001 consultancy and auditing. So whether you’re looking to gain or maintain compliance, or just want peace of mind, we can help you become as secure as you can be.