Moving business IT operations onto the Cloud has many advantages. Remotely storing information can speed processes up as bandwidth is not occupied by large volumes of data. It is also almost impossible to lose valuable data stored on the Cloud as it is backed up in several different locations simultaneously. Accessibility is also hugely improved, with data immediately available from different devices and any location. Cloud storage is also significantly cheaper than traditional server storage for companies with large volumes of data.
However, there are also disadvantages. The main concern over Cloud storage is that of security. Having sensitive data hosted on the Cloud and ‘commingling’ with the data of other organisations gives some people and organisations concern.
Payment Compliance is a particularly sensitive business operation that is now largely moving to Cloud-based solutions. The fact that the payment information of clients is now often Cloud-hosted means that companies have to adapt their payment compliance to a new Cloud-based reality. The payment card industry has set up a dedicated special interest group, PCI SIG, focused on helping companies comply with PCI data security standards as they embrace the many advantages of Cloud-based payments solutions.
Payment Compliance entrepreneur River Cohen believes that the report released by PCI SIG in 2013, covering PCI compliance in a Cloud-based environment, is still very much relevant today. Here are some of the questions the report suggests companies ask themselves with regard to Cloud-hosted payments infrastructure.
Is a Cloud-Based Hosting Environment Somewhere Your Compliance Can Be Scaled?
One commonly encountered problem with cloud-hosted compliance is that software agents, commonly used as an antivirus mechanism, can impact operations and increase costs when multiple agents are installed on multiple virtual machines. Because software agents take up memory and processing capacity, they were not originally built to be scaled in a virtual environment. This is something that payment compliance IT teams have to be prepared to preempt and tackle.
Does The Cloud Service You Use Have Compatible Compliance Standards?
Not every cloud service provider (CSP) is PCI compliant. If the service provider you use is not, then it is your responsibility to obtain and maintain PCI certification for the data hosted there. In most scenarios it probably makes sense to use a CSP that is PCI compliant, but if not, you will have to assess your CSP partner’s infrastructure and processes in the same way as your internal structures, which can be a complicated requirement.
How Secure is your Cloud-Hosted Data?
You will have to constantly monitor and ensure that your sensitive data is correctly managed to prevent potential errors that could leave it vulnerable. The virtual machines used in cloud services are often activated and deactivated, and at these moments sensitive data could potentially be exposed if the correct safety mechanisms are not in place.
*This post was published according to the "Contributed Article Terms and Conditions"