However, it can be a struggle to maintain a fully PCI compliant security solution in-house. Technology is constantly evolving, and keeping on top of it can drain both budget and internal resources. A further compliance challenge is the size of the company’s Cardholder Data Environment (CDE), all of which needs protecting.
This is because PCI DSS compliance applies to an organisation’s entire CDE, which can be loosely broken down into four areas – data capture, data processing, data transmission and data storage. Contained within this are all of the physical and virtual components involved in each stage, including the network (firewalls, routers etc.), all point-of-sale systems, servers, internal and external applications and third-party IT systems. Each of these elements contributes to the overall scope of the CDE, which must be protected in full, and the larger the scope, the more difficult and potentially expensive compliance becomes.
How the cloud can reduce CDE scope
The key for many businesses is to try to reduce the size of their CDE scope. This can be difficult, particularly if the business has chosen to maintain a fully on-premises approach. Therefore, the cloud is becoming a far more attractive option, as there are a number of cost-effective ways in which compliance can be achieved. By outsourcing key aspects of a cardholder data environment to a third-party Cloud Service Provider (CSP), the PCI compliance responsibility for those aspects is passed on to them.
A good example of this is the implementation of a cloud based secure telephone payment solution. If an organisation uses a traditional call centre to take and process telephone payments manually, every aspect of that call centre is in scope for PCI DSS, from the telephone agents themselves through to the computers, network and payment systems used. However, if the organisation switches to a cloud-based payment system, all of these elements are taken out of the PCI DSS equation immediately. This is because at the point where a payment is required, customers are routed through to a secure, cloud-hosted platform where they enter their sensitive information via their telephone keypad. The call centre agents themselves no longer play any part in the collection or processing of the customer’s sensitive data and it never enters the call centre environment. As a result, all of those elements are removed from the scope of the CDE and responsibility for PCI compliance passes to the provider of the cloud payment platform.
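As an added illustration that is not part of the original article, the following Python sketch models the two telephone-payment flows described above: the in-house flow, where the agent hears the card number and it therefore lands in the call-centre environment, and the cloud flow, where the caller is bridged to a hypothetical CSP-hosted capture service and the agent leg only ever receives masked keypad tones and a payment token. The platform class, the token format and the sample card number are all constructed for the example; the `pan_exposed` check is the kind of test an assessor would apply to call recordings or agent desktops to confirm the call centre really is out of scope.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a well-known test card number that passes Luhn.
SAMPLE_PAN = "4111111111111111"
# Digit runs of card-number length, not embedded in a longer number.
PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


@dataclass
class CallLeg:
    """One party's view of the call: everything it hears or is shown."""
    name: str
    events: list[str] = field(default_factory=list)


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used to reject mistyped numbers (and false positives)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class CloudPaymentPlatform:
    """Hypothetical CSP-hosted capture service (assumed design, not a real
    product). It is the only component that ever holds the clear PAN."""

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}

    def capture(self, keypad_digits: str) -> str:
        """Validate the digits keyed by the caller, vault them, return a token."""
        if not (keypad_digits.isdigit() and 13 <= len(keypad_digits) <= 19):
            raise ValueError("unexpected card number length")
        if not luhn_ok(keypad_digits):
            raise ValueError("Luhn check failed")
        token = f"tok_{len(self._vault) + 1:06d}"   # toy token format, no digits of the PAN
        self._vault[token] = keypad_digits
        return token


def inhouse_payment(agent: CallLeg, caller_digits: str) -> str:
    """Traditional flow: the caller reads the number to the agent, so the agent
    desktop, call recording and call-centre network are all in CDE scope."""
    agent.events.append(f"caller reads card number: {caller_digits}")
    return caller_digits


def cloud_payment(agent: CallLeg, platform: CloudPaymentPlatform, caller_digits: str) -> str:
    """Cloud flow: the caller is bridged to the platform for card entry; the
    agent leg receives one masked tone per keypress and then only the token."""
    for _ in caller_digits:
        agent.events.append("dtmf: *")            # tone suppressed on the agent leg
    token = platform.capture(caller_digits)       # only the platform sees the PAN
    agent.events.append(f"payment token: {token}")
    return token


def pan_exposed(leg: CallLeg) -> bool:
    """Scope check: did anything that looks like a valid PAN reach this leg?
    True for the agent leg means the call centre is inside the CDE."""
    for event in leg.events:
        for candidate in PAN_PATTERN.findall(event):
            if luhn_ok(candidate):
                return True
    return False


if __name__ == "__main__":
    before = CallLeg("agent (in-house)")
    inhouse_payment(before, SAMPLE_PAN)
    after = CallLeg("agent (cloud platform)")
    cloud_payment(after, CloudPaymentPlatform(), SAMPLE_PAN)
    print("in-house agent leg exposed:", pan_exposed(before))
    print("cloud agent leg exposed:   ", pan_exposed(after))
```

Running the script shows the agent leg exposed in the in-house flow and clean in the cloud flow; the same `pan_exposed` check, pointed at real transcripts or screen captures, is what turns the scope-reduction claim into something an assessor can verify rather than take on trust.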
For businesses that need to comply with PCI DSS obligations, the power, security and flexibility offered by many cloud solutions are impossible to ignore. The cloud can help close the gap between resources and requirements, offering an affordable and proven route to PCI compliance. And it’s more than just ticking the compliance box – IT teams operating without the PCI burden on their daily agenda can focus on broader tech strategies, meaning that these cloud-based solutions have become an integral part of any successful operation.