Way back in the dark ages of 2013 the PCI Security Standards Council (PCI SSC) released a document regarding processing credit cards in the cloud. It was 52 pages.
This month the PCI SSC released a new version of that same document. It is now 83 pages.
This version seems to better understand the risk of the cloud – where you don’t even know what precise infrastructure you are running on.
Ultimately, if you accept credit cards, you own the risk and contractually, you are responsible, even if the cloud provider says “trust us”. For a copy of the new standard, click here.
Information for this post came from The Register.
What does this mean for you?
Of course, if you don’t accept credit cards, then it is not a concern, but most organizations do accept payment cards in some form.
Some companies have outsourced payment cards to companies like Paypal or Square. That used to mean that you weren’t accountable for security, but that changed a couple of years ago. The requirements are simpler, but you still are responsible.
But let's say you are a company that does e-commerce and the servers run in the cloud. You may collect the credit card info and hand it off to a gateway. This applies to you.
In general, all companies that accept credit cards are required to complete an assessment at least once a year. The PCI Council has created over a dozen different assessments, depending on your configuration.
For everyone but the largest players, you can do the assessment yourself. You can also get an outside provider to help you complete the assessment. We call this a guided self-assessment. You are responsible for the results, but we can help you navigate the process.
Your credit card processor can fine you or drop you altogether if you do not provide your completed assessment when they ask for it.
Also, the assessment is pass-fail. Either you answer all the questions correctly, or you fail. One NO is a fail.
If you have questions, please give us a call.