By Paige Leidig, chief marketing officer of CipherCloud

The electronic payments industry is witnessing a surge in cloud adoption. More and more financial organisations are seeing the advantages of using the cloud and how it can lower the costs, enable them to be more agile, and reduce their infrastructure.

Banks, merchants, service providers and payment processors are now using the cloud to store and process cardholder and payment information. Worryingly, though, many don’t understand their responsibilities for protecting their data in the cloud. Customers using the cloud assumed their provider satisfied many of the compliance requirements and therefore relied on the cloud providers to take care of their data.

As a result, the PCI Security Standards Council earlier this year released clarifications and clear steps to guide payment processors through their cloud adoption journey. Essentially, it clarified that cloud customers cannot shift responsibility to their cloud providers.

The updated cloud computing guidelines are for organisations that store, process or transmit cardholder information in any cloud environment including SaaS, PaaS, IaaS and hosted email. Its 52-page guidance calls for shared responsibility between cloud providers and cloud customers to ensure that cardholder data is protected and PCI-DSS compliant.

While the document advocates shared responsibility, the recommendation outlines new security responsibilities for cloud customers to protect their cardholder data according to applicable PCI DSS requirements. It also specifies that customers need to understand and have a level of oversight and visibility into their cloud providers’ security capabilities. The bottom line is, regardless of the security measures in the cloud provider’s arsenal, card providers are still responsible for securing cardholder data.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Electronic Payments International.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Clear guidance for compliance

Under the new guidelines, cloud customers must rethink their information protection model to minimise PCI risks. The following best practices can help card providers protect cardholder information and comply with the new PCI cloud security guidelines.

1. Cloud Encryption of Cardholder Data: As noted by the PCI Council, "ensuring that clear-text account data is never accessible in the cloud may also assist to reduce the number of PCI DSS requirements applicable to the cloud environment." This can be achieved by encrypting sensitive pieces of cardholder information transparently in real time before they are sent to the cloud using operations-preserving encryption and tokenisation that do not impact the usability of the applications.

2. Customers Retain Encryption Key Control: Encryption key management remains in the hands of the cloud customers. This contrasts sharply with other approaches where the cloud provider retains control over the keys that can decrypt cardholder information. So, even if a cloud provider is compromised, your payment information remains secure.

3. Key Management: The keys need to be stored and managed independently from the encrypted data. At a minimum they should be maintained in a completely separate network segment, and preferably not accessible by the cloud provider.

4. Full Data Sovereignty and Legal Compliance: Due to the dynamic nature of cloud operations, you may be unaware which country the information is actually stored and whether it’s accessible by foreign authorities and system administrators. This may result in concerns over data ownership and potential conflicts between domestic or international jurisdictional and regulatory requirements. By encrypting the data before sending it to the cloud, you can be assured that no information will be shared, even with law enforcement, without your direct involvement.

5. Restrict Business Card Holder Data On Need-to-Know Basis: By exclusively controlling the decryption keys, you – as data owner – can be confident that all data access is controlled by your own authorised personnel and will comply with the organisation’s internal need-to-know policies. No one at the cloud provider can access the information.

As many security experts will agree, wherever valuable data moves to, cyber crime will follow. This was the case with data on on-premise systems and its case in the cloud. And since new PCI and other regulatory mandates in 2013 are defining pegging security and compliance responsibility on cloud users, payment card vendors could face serious repercussions. It is vital that every company handling electronic payments complies.