What to do when storing your payment card data in the Cloud

Cloud computing conceptOutsourcing your clients’ payment card data to a third-party Cloud provider doesn’t negate your accountability regarding data protection and PCI DSS compliance.

According to the PCI DSS, all parties involved in the payment card data flow process must accurately document and monitor their respective data storage and security responsibilities.

Cloud security is a shared responsibility between the Cloud service provider (CSP) and its clients.

Data flow diagram

A PCI DSS-compliant data flow diagram needs to demonstrate how the data is being shared, who it’s being shared with, in what formats, and how it is being used – clearly not an easy feat.  Organisations are often guilty of oversharing their data due to employees not always being careful to filter the data they send or share.

What adds to the complexity is trying to standardise audit processes across different suppliers to get a comprehensive understanding of the risks that each supplier exposes the organisation to.

Data classification

That’s why it’s critical to undertake a data classification exercise to understand which data is covered by the PCI standards, the locations the data is stored, and which parties have access to it.

The PCI DSS requires ‘business as usual’ compliance, which means continuously working with your suppliers to reduce the risks of falling short of PCI DSS compliance requirements.

Ongoing monitoring and validation

PCI DSS compliance requires ongoing monitoring and validation that controls are in place and working effectively. Even where a Cloud service is validated for certain PCI DSS requirements, it does not necessarily apply to the organisation’s own cardholder data environment.

Written agreement

From July 1 of this year, the PCI DSS requires organisations to maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data.

Contact IT Governance for a pre-audit PCI DSS gap analysis, for assistance with drawing up a supplier data flow diagram, or undertaking supplier audits and remedial actions to address any gaps. Call us now on +44 (0)845 070 1750 or email us at servicecentre@itgovernance.co.uk.

PCI gap analysis