By Paige Leidig, chief marketing officer of CipherCloud
The electronic payments industry is witnessing a surge in cloud adoption. More and more financial organisations are seeing the advantages of using the cloud and how it can lower the costs, enable them to be more agile, and reduce their infrastructure.
Banks, merchants, service providers and payment processors are now using the cloud to store and process cardholder and payment information. Worryingly, though, many don’t understand their responsibilities for protecting their data in the cloud. Customers using the cloud assumed their provider satisfied many of the compliance requirements and therefore relied on the cloud providers to take care of their data.
As a result, the PCI Security Standards Council earlier this year released clarifications and clear steps to guide payment processors through their cloud adoption journey. Essentially, it clarified that cloud customers cannot shift responsibility to their cloud providers.
The updated cloud computing guidelines are for organisations that store, process or transmit cardholder information in any cloud environment including SaaS, PaaS, IaaS and hosted email. Its 52-page guidance calls for shared responsibility between cloud providers and cloud customers to ensure that cardholder data is protected and PCI-DSS compliant.
While the document advocates shared responsibility, the recommendation outlines new security responsibilities for cloud customers to protect their cardholder data according to applicable PCI DSS requirements. It also specifies that customers need to understand and have a level of oversight and visibility into their cloud providers’ security capabilities. The bottom line is, regardless of the security measures in the cloud provider’s arsenal, card providers are still responsible for securing cardholder data.
Clear guidance for compliance
Under the new guidelines, cloud customers must rethink their information protection model to minimise PCI risks. The following best practices can help card providers protect cardholder information and comply with the new PCI cloud security guidelines.
1. Cloud Encryption of Cardholder Data: As noted by the PCI Council, "ensuring that clear-text account data is never accessible in the cloud may also assist to reduce the number of PCI DSS requirements applicable to the cloud environment." This can be achieved by encrypting sensitive pieces of cardholder information transparently in real time before they are sent to the cloud using operations-preserving encryption and tokenisation that do not impact the usability of the applications.
2. Customers Retain Encryption Key Control: Encryption key management remains in the hands of the cloud customers. This contrasts sharply with other approaches where the cloud provider retains control over the keys that can decrypt cardholder information. So, even if a cloud provider is compromised, your payment information remains secure.
3. Key Management: The keys need to be stored and managed independently from the encrypted data. At a minimum they should be maintained in a completely separate network segment, and preferably not accessible by the cloud provider.
4. Full Data Sovereignty and Legal Compliance: Due to the dynamic nature of cloud operations, you may be unaware which country the information is actually stored and whether it’s accessible by foreign authorities and system administrators. This may result in concerns over data ownership and potential conflicts between domestic or international jurisdictional and regulatory requirements. By encrypting the data before sending it to the cloud, you can be assured that no information will be shared, even with law enforcement, without your direct involvement.
5. Restrict Business Card Holder Data On Need-to-Know Basis: By exclusively controlling the decryption keys, you – as data owner – can be confident that all data access is controlled by your own authorised personnel and will comply with the organisation’s internal need-to-know policies. No one at the cloud provider can access the information.
As many security experts will agree, wherever valuable data moves to, cyber crime will follow. This was the case with data on on-premise systems and its case in the cloud. And since new PCI and other regulatory mandates in 2013 are defining pegging security and compliance responsibility on cloud users, payment card vendors could face serious repercussions. It is vital that every company handling electronic payments complies.