PCI Council Issues Cloud Guidance

How to Minimize Risks to Card Data

By , February 7, 2013.

Outsourcing to the cloud poses new risks, especially for card data. The PCI Council addresses those risks in its just-released cloud security guidance, and Bob Russo offers exclusive insights.

"Cloud services provide an attractive opportunity for outsourcing," says Russo, general manager of the Payment Card Industry Security Standards Council. "But from our perspective, we want to be sure organizations are aware of all of the risks before they entrust payment data and processing to a third party."

On Feb. 7, the council released its PCI DSS Cloud Computing Guidelines Information Supplement, a set of best practices and guidelines developed by the PCI Cloud Special Interest Group.

In an interview about the new guidance with BankInfoSecurity, Russo highlights the main point of the guidance: know where card data is stored at all times. The challenge organizations face when storing card data in the cloud is that they lose an element of control, and card data can sometimes wind up being stored in multiple locations or in environments that are not well protected, he warns.

"Cloud is a shared responsibility," Russo says. "Outsourcing the management of these security controls really doesn't equate to outsourcing your responsibility to be PCI-DSS compliant. Cloud services are not all created equally, so you need to understand what PCI-compliant cloud service really means."

Ensuring PCI Compliance

Russo says organizations should apply the guidance to their overall PCI compliance strategies.

"The guidance is for any organization that stores, processes or transmits card data," he says. "Merchants were involved in this document to give clarity in specific areas that merchants want to see. But this applies to anywhere cardholder data exists."

During this interview, Russo discusses why organizations must:

  • Review contracts carefully before signing with a cloud services provider;
  • Ensure security across the payments chain and understand the role each entity plays;
  • Assess risk when card data could potentially be stored in multiple locations.

Russo brings more than 25 years of high-tech business management, operations and security experience to his role as the general manager of the PCI Security Standards Council. He guides the organization through its crucial charter, which is focused on improving data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process. Russo works with representatives of American Express, Discover Financial, JCB, MasterCard Worldwide and Visa International to drive awareness and adoption of the PCI Data Security Standard.

Follow Tracy Kitten on Twitter: @FraudBlogger
