Organizations that accept, transmit or store payment card data must ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS). Because cyber attacks constantly evolve, the Payment Card Industry Security Standards Council updates its rules and standards and defines new ones when required. Organizations cannot simply rest after achieving compliance; they need continuous IT effort to maintain it.
Theft of card data and its use for card fraud has reached phenomenal levels. The security of the POS device (card swiping device) and of the systems where card data are stored is the responsibility of the merchant. Card users can sue the merchant if their card data is stolen because of insufficient security measures on the merchant's part.
To ensure PCI compliance, organizations (merchants) must adhere to a set of stringent requirements. An “always secure” IT network must be maintained. The networks must be tested regularly for vulnerabilities. Robust user and device access controls must be defined. A strong information security policy must be implemented. An effective device management/endpoint/antivirus solution must be deployed to stay protected from vulnerabilities and zero-day exploits.
Further, they must consult PCI DSS compliance experts and complete the PCI DSS Self-Assessment Questionnaire to identify non-compliant areas. Based on the assessment, they must take adequate measures to plug the loopholes.
Given the requirements above, ensuring compliance is no easy task, and it is even harder for small and medium businesses. Cloud providers are a possible answer. Although it has been argued that ensuring PCI DSS compliance is difficult when adopting the cloud, in reality cloud providers can ensure compliance comparatively more easily through numerous facilitating tools. The resources the organization then needs are also considerably smaller.
The Payment Card Industry Security Standards Council regularly updates its rules and standards in line with evolving requirements, and updating is easier in the cloud. The organization needs to subscribe to or link only the specific services it requires. This is a significant advantage, as the organization pays only for those services and saves on the IT infrastructure and IT experts needed to ensure compliance.
The onus of ensuring compliance now rests with the cloud provider, which takes a huge burden off the organization. And because the cloud provider delivers similar services to numerous organizations, it is more feasible for the provider to maintain more sophisticated security measures and a stronger IT security team.
Ensuring PCI DSS compliance is hence easier when an organization adopts the cloud with a reputed provider.