PCI Compliance in the Cloud: Hazards in the Fog - Page 3

By Pam Baker

Infrastructure vs. Services in Cloud PCI Compliance

One of the things you need to understand when weighing PCI compliance claims from cloud vendors is whether they are referring to infrastructure or to services.

"When you're talking about cloud infrastructure, such as Amazon AWS or the Rackspace cloud offerings that provide PCI compliance, that's basically covering just the physical security and environment controls you need in place to be PCI compliant -- but does not make you PCI compliant in themselves," explains John Locke, manager at Freelock Computing, a Web development company specializing in the Drupal open source content-management system.

"You still have a lot of analysis work to determine whether you actually are PCI compliant -- just because you're in a compliant environment doesn't make you compliant," he says.

However, since PCI-compliant infrastructure is a precondition for compliance, you do need it, either in the cloud or in your own data center. So, which is safer in terms of compliance?

"Depending on cloud-based infrastructure for a PCI-compliant application does add a slight amount of risk in that you trust that third party with your data," says Locke. "But these providers have been audited, tested, and they've spent a lot to ensure that your data is safe. It's probably much better than a small business could afford to do."

"So all that said, if you're doing e-commerce you should still go to specialist vendors to make sure everything above that infrastructure is done right," he adds.

Cloud Services and PCI Compliance

Now, if the vendor is talking about services rather than infrastructure, that's a whole different ballgame.

"For hosted services and applications, it's a completely different matter," says Locke. "If you are using a vendor who takes credit cards directly on your behalf, you have essentially outsourced all the payment functionality, and the risk, to that vendor."

"For example, if you're going to use Square or PayPal to collect payments, you don't have to worry about PCI -- if something goes wrong with their systems, they will be held responsible, not you," he says. "Obviously you want to vet these services before making use of them, but PCI itself doesn't necessarily enter the equation."

Certainly such services are growing in popularity among small business owners, particularly the very smallest companies. However, the fees for such services can become prohibitive if you're processing a lot of payments. Still, the allure of simplicity is strong.

Vinay Sahni, founder of SupportFu, which produces a help desk ticketing system for small businesses, agrees. "As a startup that accepts credit cards for the purposes of recurring payments, we were able to completely circumvent PCI compliance issues by using Stripe as our payment provider," says Sahni.

"They've created amazing technology where the customer never leaves our site, but the credit card number is never sent through our infrastructure."
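As an added illustration of the pattern Sahni describes, and not code from SupportFu, Stripe or any other provider, the following JavaScript simulates both a tokenized checkout (card fields go from the browser straight to the payment provider, only a token reaches the merchant) and the in-scope alternative (card fields posted to the merchant first). The provider functions, the `tok_` token format and the merchant endpoint are constructed stand-ins; the Luhn-validated PAN scanner then audits the merchant's captured request bodies to show which flow keeps card numbers off merchant systems.

```javascript
// Added illustration, not code from SupportFu or from any payment provider.
// providerTokenize/providerCharge, the token format and the merchant endpoint
// are constructed stand-ins; real providers ship their own browser library
// for the tokenization step.

// Luhn check: distinguishes a genuine card-number-shaped digit run from an
// order id or timestamp that merely happens to be 13-19 digits long.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Scan any text (request body, log line) for PAN-like sequences; spaces and
// dashes between digit groups are tolerated so "4242 4242 ..." is caught too.
function findPans(text) {
  const found = [];
  const re = /\b(?:\d[ -]?){13,19}\b/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    const digits = m[0].replace(/[ -]/g, "");
    if (luhnValid(digits)) found.push(digits);
  }
  return found;
}

// --- Simulated payment provider (constructed) ---------------------------
const providerVault = new Map(); // token -> card data, held only by the provider
let tokenCounter = 0;

function providerTokenize(card) {
  if (!luhnValid(card.number)) throw new Error("card number failed Luhn check");
  const token = "tok_" + String(++tokenCounter).padStart(8, "0"); // hypothetical format
  providerVault.set(token, { number: card.number, exp: card.exp });
  return { token, last4: card.number.slice(-4) };
}

function providerCharge(token, amountCents) {
  const card = providerVault.get(token);
  if (!card) throw new Error("unknown token");
  return { ok: true, last4: card.number.slice(-4), amountCents };
}

// --- Merchant backend ----------------------------------------------------
// Every inbound request body is appended to `log` so it can be audited later.
function merchantCreateSubscription(body, log) {
  log.push(JSON.stringify(body));
  const receipt = providerCharge(body.token, body.amountCents);
  return { subscribed: receipt.ok, cardLast4: receipt.last4 };
}

// --- Browser side --------------------------------------------------------
// Tokenized flow: the form handler posts card fields straight to the provider
// and forwards only the token to the merchant. Returns the merchant's log.
function runTokenizedCheckout(card, amountCents) {
  const log = [];
  const { token } = providerTokenize(card);                // browser -> provider
  merchantCreateSubscription({ token, amountCents }, log); // browser -> merchant
  return log;
}

// Anti-pattern for comparison: card fields posted to the merchant first, which
// then tokenizes server-side. The PAN now transits merchant infrastructure.
function runInScopeCheckout(card, amountCents) {
  const log = [];
  log.push(JSON.stringify({ card, amountCents }));         // browser -> merchant
  const { token } = providerTokenize(card);                // merchant -> provider
  merchantCreateSubscription({ token, amountCents }, log);
  return log;
}

// Audit helper: does any captured merchant request contain a PAN?
function logContainsPan(log) {
  return log.some((line) => findPans(line).length > 0);
}

// Constructed sample card; 4242... is a widely used test number that passes Luhn.
const SAMPLE_CARD = { number: "4242424242424242", exp: "12/30", cvc: "123" };

console.log("tokenized flow leaks PAN:", logContainsPan(runTokenizedCheckout(SAMPLE_CARD, 1900)));
console.log("in-scope flow leaks PAN:", logContainsPan(runInScopeCheckout(SAMPLE_CARD, 1900)));
```

The scanner is the part worth keeping: running it over real request and application logs is a quick check that client-side tokenization is actually in use on every payment path, since a single form that posts card fields to your own server is enough to pull that server back into PCI scope.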

Pam Baker has written for numerous leading publications including Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, the NY Times, and Knight-Ridder/McClatchy newspapers.


This article was originally published on October 26, 2012