The role of the cloud in the enterprise has accelerated significantly over recent years and its business benefits are becoming increasingly difficult to ignore. Cloud-based solutions are now available for a plethora of business issues ranging from storage and archiving through to virtual software and hardware. Not only are they more powerful, flexible and scalable than ever before, but they are often cheaper as well. Even cloud security, perhaps the one lingering argument against moving to the cloud, is more advanced and robust than in many on-premise solutions. It is for reasons such as these that the worldwide public cloud services market grew 17.2 percent in 2016 to total $208.6 billion, up from $178 billion in 2015, according to Gartner.
One area of business that can significantly benefit from the switch to a cloud-based approach is that of compliance. As incidents of data theft continue to rise, businesses that take payments either online or over the phone are obligated by law to ensure they offer customers the highest levels of data security possible through compliance with the 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS). However, many often struggle to maintain a robust and fully PCI compliant security solution in-house. Budgetary constraints, the rapid pace of technology evolution and a lack of internal resources are some of the most commonly cited reasons for this. However, in most instances, issues can be traced back to a bigger problem; the size of their Cardholder Data Environment (CDE) that needs protecting.
[easy-tweet tweet=”The benefits of moving to the cloud don’t end at reducing the scope of PCI DSS compliance” hashtags=”cloud, tech”]
PCI DSS compliance applies to an organisation’s entire CDE, which can be loosely broken down into four areas – data capture, data processing, data transmission and data storage. In simple terms, this means how payments are taken from customers (and who takes them), how that payment data is moved around within the organisation, and where it finally comes to rest. Contained within this are all of the physical and virtual components involved in each stage including the network (firewalls, routers etc), all point of sale systems, servers, internal and external applications and third party IT systems. Each of these components contributes to the overall scope of the CDE, which must be protected in full as part of PCI DSS compliance. The larger the scope, the more difficult and potentially expensive compliance becomes. As such, the key for many businesses is to try and reduce the size of their scope. Unfortunately for those who have chosen to take a fully on-premise approach, reducing their CDE scope is extremely difficult, but for those looking to the cloud, there are numerous cost-effective ways in which it can be achieved.
Reducing CDE scope using the cloud
By outsourcing key aspects of a cardholder data environment to a third party Cloud Service Provider (CSP), organisations can not only significantly streamline their business operations, but they can also pass on the PCI compliance responsibility for that area to the provider as well.
A great example of this is the implementation of a cloud-based secure telephone payment solution. If an organisation uses a traditional call centre to take and process telephone payments manually, every aspect of that call centre is in scope for PCI DSS, from the telephone agents themselves through to the computers, network and payment systems used. However, if the organisation switches to a cloud-based payment system, all of these aforementioned elements are taken out of the PCI DSS equation immediately. Why? Because at the point where a payment is required, customers are routed through to a secure, cloud-hosted platform where they enter their sensitive information via their telephone keypad. The call centre agents themselves no longer play any part in the collection or processing of the customer’s sensitive data and it never enters the call centre environment. As a result, all of those elements are removed from the scope of the CDE and responsibility for PCI compliance passes to the provider of the cloud payment platform.
The benefits of moving to the cloud don’t end at reducing the scope of PCI DSS compliance either. Many cloud service providers now boast data security measures and technology far superior to those available for on-premise solutions, which are updated regularly to ensure the data they contain remains safe, compliant and secure at all times.
In a relatively short period of time, cloud-based solutions have gone from a ‘nice to have’ business luxury, to an integral part of any successful operation. For those affected by PCI DSS compliance obligations, the power, security and flexibility offered by many cloud solutions today are impossible to ignore. Maybe it’s time to look to the cloud for their compliance needs?