Need help complying with PCI DSS? The cloud could have the answer.
By Tom Harwood, co-founder and CPO of Aeriandi
Cloud adoption has changed the business landscape, causing a massive shift in how organisations operate. Depending on your source (and there are plenty to choose from!) UK cloud adoption rates are currently anywhere between 78 per cent and 84 per cent.
Advanced economies around the world are increasingly worried about data theft, ranking it among the largest global concerns for doing business, according to the World Economic Forum’s annual report on global risk. One area of business that can significantly benefit from a switch to a cloud-based approach in tackling this concern is compliance.
Businesses that take payments either online or over the phone are obligated by law to comply with the 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS). Budgetary constraints, the rapid pace of technology evolution and a lack of internal resources are among the most commonly cited reasons why many organisations struggle to maintain a fully compliant PCI security solution in-house. In most instances, however, these issues can be traced back to a bigger problem: the size of the Cardholder Data Environment (CDE) that needs protecting.
PCI DSS compliance applies to an organisation’s entire CDE, which can be loosely broken down into four areas – data capture, data processing, data transmission and data storage. Associated with these are all the IT components that touch cardholder data: the network (firewalls, routers etc.), all point-of-sale systems, servers, internal and external applications and third-party IT systems. Each of these elements contributes to the scope of the CDE, and the larger the scope, the more difficult and potentially expensive compliance becomes.
How the cloud can reduce CDE scope
The key for many businesses is to try to reduce the size of their CDE scope. This can be difficult, particularly if the business has chosen to maintain a fully on-premises approach. This is why the cloud is becoming a far more attractive option, as there are numerous cost-effective ways in which compliance can be achieved. By outsourcing key aspects of a cardholder data environment to a third-party Cloud Service Provider (CSP), the PCI compliance responsibility for those aspects is passed on to them.
A great example of this is the implementation of a cloud-based secure telephone payment solution. If an organisation uses a traditional call centre to take and process telephone payments manually, every aspect of that call centre is in scope for PCI DSS, from the telephone agents themselves through to the computers, network and payment systems used. However, if the organisation switches to a cloud-based payment system, all of these elements are taken out of the PCI DSS equation immediately. This is because, at the point where a payment is required, customers are routed through to a secure, cloud-hosted platform where they enter their sensitive information via their telephone keypad. The call centre agents no longer play any part in the collection or processing of the customer’s sensitive data, and it never enters the call centre environment. As a result, all of those elements are removed from the scope of the CDE and responsibility for PCI compliance passes to the provider of the cloud payment platform.
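To make the scope-reduction argument concrete, the following is an added toy model of the call flow described above; it is illustrative code written for this page, not Aeriandi's platform or any real IVR/telephony API. It assumes a hypothetical `SecurePaymentPlatform` (standing in for the cloud-hosted capture service) that receives the customer's keypad digits, validates the card number with the Luhn check, keeps the full PAN only in its own (here, in-memory, stand-in) vault, and hands the agent desktop nothing but a payment token and the last four digits. The `pan_in_scope` check is the property a QSA would want to see hold: the full PAN never appears in any agent-side record. The card number used is the constructed, widely published test value 4111 1111 1111 1111.

```python
"""Toy model of a cloud-hosted secure telephone payment step (added example)."""
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, List


def luhn_valid(pan: str) -> bool:
    """Standard Luhn (mod 10) check over a string of decimal digits."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class AgentDesktop:
    """Everything in the call-centre environment: must stay out of the CDE."""
    transcript: List[str] = field(default_factory=list)

    def log(self, msg: str) -> None:
        self.transcript.append(msg)


class SecurePaymentPlatform:
    """Hypothetical cloud-hosted capture service: the only place the PAN exists."""

    def __init__(self) -> None:
        # Stand-in for a tokenisation vault; a real service would not keep a dict.
        self._vault: Dict[str, str] = {}

    def capture(self, dtmf_input: str) -> dict:
        # The customer types digits on the keypad and presses '#' to finish;
        # strip anything that is not a digit before validating.
        pan = re.sub(r"[^0-9]", "", dtmf_input)
        if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
            return {"status": "declined", "reason": "invalid card number"}
        token = secrets.token_hex(8)          # opaque reference for the agent side
        self._vault[token] = pan
        return {"status": "ok", "token": token, "last4": pan[-4:]}


def take_payment(agent: AgentDesktop, platform: SecurePaymentPlatform,
                 keypad_input: str) -> dict:
    """Route the payment step to the platform; the agent leg never sees digits."""
    agent.log("payment requested; caller transferred to secure platform")
    result = platform.capture(keypad_input)   # agent is muted/excluded here
    if result["status"] == "ok":
        agent.log(f"payment authorised, token={result['token']}, "
                  f"card ending {result['last4']}")
    else:
        agent.log(f"payment failed: {result['reason']}")
    agent.log("caller returned to agent")
    return result


def pan_in_scope(transcript: List[str], pan: str) -> bool:
    """Scope check: True if the full PAN leaked into any agent-side record."""
    return any(pan in line for line in transcript)


if __name__ == "__main__":
    agent, platform = AgentDesktop(), SecurePaymentPlatform()
    outcome = take_payment(agent, platform, "4111111111111111#")
    print(outcome["status"], "PAN in agent records:",
          pan_in_scope(agent.transcript, "4111111111111111"))
```

The point of the check is not the Luhn arithmetic but the boundary: if an agent desktop, call recording or CRM note can ever contain the digits the caller keyed, those systems are back in scope regardless of where the payment platform is hosted.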
For those who need to comply with PCI DSS obligations, the power, security and flexibility offered by many cloud solutions are impossible to ignore. Perhaps we will see a shift to the cloud for compliance purposes, because in a relatively short period of time, cloud-based solutions have gone from a ‘nice to have’ business luxury, to an integral part of any successful operation.
Tom Harwood is co-founder and CPO of Aeriandi
Founded in 2002, Aeriandi specialises in secure solutions that enable organisations to meet FSA and PCI DSS compliance obligations. It has spent over a decade investing in cloud-based design and architecture and is proud to work with some of the biggest names in banking, telecommunications, utilities, and travel.
Aeriandi also delivers PCI DSS Level 1 call recording solutions, which allow organisations to log, monitor and play back calls – including legacy calls – without the worry of breaking data laws or industry certification. Its range of customer intelligence solutions also helps organisations make the most of rich customer data, improve productivity, deliver a better customer experience and boost customer satisfaction.