PCI Hosting Information & Guide

The guide to PCI Compliance and PCI Web Hosting

Is Your Cloud Provider PCI Compliant?

The PCI Security Standards Council recently published supplemental guidance (the PCI DSS Cloud Computing Guidelines) focused strictly on maintaining PCI compliance for services hosted in the cloud. The supplement lists a number of challenges associated with compliance in the cloud, not the least of which is determining who is accountable for which controls, and therefore who answers in the event of a breach. If your cloud provider isn't PCI compliant, you can be non-compliant, and exposed, regardless of the controls you run yourself.

The Road to Compliance

Achieving PCI compliance isn't a one-time event, like buying a PCI compliant dedicated server and then not thinking about compliance again. Achieving compliance includes maintaining it. That means regular vulnerability scans and assessments, review of access logs, retention of audit evidence and more, all designed to keep you protected from a security breach and your cardholder data safe and secure.

At the same time, more and more businesses are shifting their IT base of operations into the cloud. It makes sense; cloud computing can be less expensive, doesn't require constant hardware upgrades or a server storage facility, and is much more scalable and flexible than traditional IT. This means that businesses are potentially shifting sensitive cardholder data to the cloud as well. Any system that stores, processes or transmits cardholder data is in scope for PCI DSS, so the cloud environment falls into scope along with it. How can you ensure compliance in the cloud when you're not responsible for the physical hardware involved?

Compliance by Association

It seems perfectly logical to assume that using a cloud hosting provider who is PCI DSS compliant makes you compliant as well. In reality, clients and merchants don't automatically achieve compliance just because their cloud provider has. A compliant provider does help fulfill some of the PCI DSS technical requirements (typically those covering the facilities and infrastructure layers the provider operates, and only for the services included in its assessment), but you're still responsible for the requirements that apply to your own applications, data and access controls, and for due diligence on your own organization's state of security.

Similarly, ensuring that your business is PCI compliant before moving to the cloud doesn't mean your cloud provider is compliant themselves. Because the provider's environment becomes part of your cardholder data environment, using a provider who is not compliant makes you non-compliant, even if you meet every other PCI DSS requirement.

Accountability in the Cloud

If you can't achieve compliance by association, then who is held accountable if a cloud service provider turns out to be non-compliant? The supplemental guidelines describe a shared responsibility: both parties are responsible for achieving and maintaining compliance for the parts of the environment they control. This requires close cooperation and a clear division of labor to make sure every requirement is covered by someone.

Since maintaining compliance is an ongoing effort rather than a one-time investment, these duties are necessarily split between you and your cloud hosting provider. Which party owns each aspect of compliance should be written into your service contract, ideally as a responsibility matrix that maps every PCI DSS requirement to the party accountable for it; that way, no requirement falls through the gap and no one is confused about their responsibilities.

Productive Partnership

No matter how much you trust your cloud provider, it's not a good idea to take their assurances of compliance on faith alone. Verifying what your provider is actually responsible for, and that they have validated it, is an important step, not only in achieving compliance but also in gaining peace of mind.

If your cloud hosting provider has already undergone a PCI assessment, they should be able to share hard evidence with you: dated documentation such as an Attestation of Compliance showing a clear (and passing) assessment, together with a statement of which services, locations and PCI DSS requirements that assessment covered and which it excluded. Anything excluded from the provider's assessment is yours to cover.

Although achieving compliance in the cloud is definitely trickier, don't let that dissuade you from doing what's right for your business. If you choose a cloud hosting provider, take the time to protect your business assets by documenting and verifying compliance from all parties involved, and the partnership should serve you well for a long time.