Handling credit cards is serious business, made all the more so by the rules and the penalties for failing to comply with Payment Card Industry (PCI) standards. But meeting those standards can be a bit tricky, as we learned in A Small Business Guide to PCI Compliance.
The PCI Data Security Standard (PCI DSS), itemized and defined on the official PCI Security Standards Council website, lays out a long list of requirements that must be met. So, hey, why not take the easy way out and just turn the whole thing over to a cloud provider? Wash your hands of the confusing situation and walk away happy, right?
Not so fast. It turns out that not all cloud providers are created equal, at least not in terms of PCI compliance. Nor are cloud providers necessarily wrong in claiming PCI compliance even when that claim still leaves your company in noncompliance.
When a cloud provider says it was assessed and found to be PCI compliant, it is probably making an accurate claim. The problem is that the provider decides which portion of its product or service is in scope for the assessment. That portion may indeed pass, but that doesn't mean the entire offering is PCI compliant, or that the particular service you are buying is the part that was assessed. So a bare claim that a cloud provider is PCI compliant tells you very little on its own. You need more information: ask for the provider's Attestation of Compliance (AOC), which lists the services that were actually assessed, and for a written matrix of which PCI DSS requirements the provider handles and which remain yours.
To complicate things further, PCI compliance requires a holistic approach to cardholder data security. That means you still have to guard your customers' card data within your own operations, even if a PCI compliant cloud provider handles the actual processing.
Bottom line: look past the labeling and the marketing claims and find out exactly what "PCI compliant" means, both to the cloud provider and to the acquiring bank and card brands that enforce PCI DSS, before you find yourself explaining to them what went wrong.
Cloud PCI Compliance Does Not a Compliant Merchant Make
So, you checked out everything with that cloud provider and found they're on the up and up regarding PCI compliance. Everything's good, right? No, not necessarily.
"PCI compliance is additive, meaning that it's a combination of the merchant's compliance, plus their service provider's compliance, plus the compliance of any payment applications they use," says Mike Dahn, a data security specialist. "Think of it like a stack or a sandwich. You add one part on to the other to make the whole."
In other words, just because one part of that stack, such as your cloud provider, is PCI compliant doesn't mean the rest of the stack is. Every layer of the stack has to meet its share of the requirements; a gap in any one of them, including your own, leaves the merchant noncompliant in the eyes of the acquirer and the card brands.
"Be careful when a vendor says this makes you PCI compliant," advises Matt Malone, a consultant at ASSERO Security. "It makes the small piece they handle compliant, but the small business often overlooks its part in PCI, such as employee awareness training, security policy, and testing."
And a breach that happens on your own premises is your problem, not something your agreement with the cloud provider covers. "The largest risks are not in the clouds but in the trash cans and in employee theft," says Malone.
You must make sure that customer card data is not easily accessed or stolen by employees, or tossed in the trash for thieves to mine. PCI compliance means that the customer's card data must be protected throughout the entire purchasing process, wherever it is stored, processed, or transmitted.