Outsourcing and PCI Compliance: Who is Responsible?

During a difficult economy, virtualization and cloud hosting represent a viable way to cut costs while increasing company productivity and IT services. Many companies are considering virtualization and cloud-hosted services as a means of reducing IT costs through hardware consolidation.

But what happens to the compliance standards and service level agreements that must be maintained if you decide to use virtualization and cloud-hosted services? Who assumes this responsibility, especially when the protection of customer data is at stake?

Looking at it from the perspective of PCI compliance can give you a general idea of how data security standards are met when you use new technologies such as virtualization and cloud-hosted services to store sensitive data. In the age of ecommerce and new technologies, you will hear many different definitions of cloud computing depending on which company you ask.

For example, some companies see cloud computing as a scalable “pay as you go” service, while others say that cloud computing is simply the use of earlier computing methods minus the complexities of technology deployment. These differing perceptions of The Cloud raise the question of where data security standards fit in and who is taking responsibility in The Cloud.

PCI Compliance Defined

PCI compliance refers to the Payment Card Industry standards defined by the PCI Security Standards Council. These are uniform, worldwide standards that are in place to protect both the ecommerce entity and the consumer against data intrusions. Compliance is awarded when the standards have been met within an organization. The standards apply to any organization that processes and stores cardholder data.

So what happens when cardholder data is handled and stored in The Cloud?

According to the National Institute of Standards and Technology (NIST), there are three service models for cloud hosting: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).

In terms of PCI compliance, the applicable standards are determined by how cloud computing is utilized under each of these three service models. Whether the company chooses a cloud hosting service or decides to manage cardholder data onsite, the type of implementation used is the determining factor for which PCI DSS (Payment Card Industry Data Security Standard) requirements must be met in accordance with the PCI Security Standards Council. The bottom line is that you must take the method of implementation into consideration if you are going to be handling cardholder data and other sensitive consumer information.

If you are seeking to simplify IT management and reduce the cost of implementing and maintaining data infrastructure, contact Thrive Networks today for assistance with designing a bulletproof cloud strategy that caters to the individual needs of your business.




About Author

Tech Blog

At Thrive Networks, it has been our long-standing goal to keep small businesses and their employees informed of changes in the technology landscape that could inhibit their ability to grow and prosper. The "Tech Blog" will offer you new and unique perspectives on technology and small businesses from people that are immersed in it day in and day out. With every blog entry, it is our goal to provide readers with valuable knowledge, information, and/or recommendations that will make a difference in their workplace. Blog contributions will come from employees throughout the Thrive organization, from the President and Directors to Network Engineers and Remote Support Technicians. This diversity will provide readers with different perspectives on technology and its influence in the workplace.