Regulatory compliance is an important aspect of cloud computing, and nowhere is this more true than for businesses that handle card payments. Given the sensitive nature of payment transactions, the Payment Card Industry (PCI) has developed specific security standards, and these need to be woven into your cloud architecture.
This should seem straightforward, but problems begin to emerge as soon as you get close to implementing these requirements.
No clear guidelines
The first problem is that PCI has not issued concrete guidelines on how the standard applies to the cloud. That leaves enterprises on their own to prove that they are PCI-compliant, which has naturally given rise to a certain amount of confusion. The industry is working on the problem, however, and a special interest group has been created to study the issue and come up with recommendations. Until that happens, vendors and enterprises alike will have to set their own standards.
The cloud poses unique security challenges for organizations. The system is distributed across a wide network and no longer falls within what was traditionally called the enterprise network. This means that network segmentation and intrusion-prevention controls such as firewalls and routers are no longer as effective. Another problem is cloud bursting, where workloads spill over into public cloud capacity on demand, so businesses cannot exercise the same level of control over their applications and data. And while some companies have started implementing host-based controls, these are not yet fully endorsed by regulators, which may cause some disruption in the future.
If your business processes, stores or otherwise handles card payment data, make sure you have a clear strategy for meeting PCI requirements.