

SPOT THE DIFFERENCE: MAKING THE DISTINCTION BETWEEN PCI-DSS COMPLIANCE CLAIMS AND REALITY


Cloud hosting providers have been leaping on the PCI DSS bandwagon in recent times and every provider today will have made adjustments to their services in order to meet ever growing compliance demands. The problem lies, says Daniel Beazer, in the fact that not all CSPs that say they are PCI compliant actually are; at least not as far as their marketing materials would have you believe.


It’s easy to see why hosters and cloud providers are keen to attain Payment Card Industry (PCI) compliance. After all, websites that have an e-commerce function are generating revenues and are the type of customers all businesses are keen to target. From the cloud user’s point of view however, this compliance hard sell can be problematic. In these times, it is absolutely vital that a cloud customer understands how to differentiate bold PCI claims from the actual services provided as they evaluate their options for moving into the cloud.

When it comes to unfounded claims around compliance, the sounding of alarm bells is not limited to Internet industry insiders alone; many are troubled by claims being made by hosting and cloud providers. Neira Jones, who is a widely respected head of payment security at Barclaycard, spoke at the last Merchant Risk Forum about the number of companies exhibiting at Internet World claiming to be PCI compliant but with little evidence to support such statements.


LEFT IN THE DARK


Online retailers, charities and other organisations taking credit card payments don’t necessarily have the expertise Neira Jones has, but for the sake of their business are still required to tell whether a PCI compliant badge on a site is a marketing tool or the mark of a useful service. How can these organisations go about doing so and what are the steps they need to take to ensure they aren’t left in the dark as far as PCI compliance is concerned?

CCI Magazine January 2013


PCI Data Security Standard (PCI DSS) regulations concern the processing, transmission and storage of confidential card payment data – these measures cover all aspects of credit card payments, from how to deal with paper credit card slips to anti-virus software.


The fact that the standard is so broad and comprehensive can be problematic. Providers can select which of their services to include in a PCI assessment and, given the comprehensive and very prescriptive nature of the requirements, not all providers are prepared to have all of their services assessed. The result is that many opt to select some of the easier controls to meet such as 9.1 (‘Restrict physical access


CLOUD FACTS: The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organisations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and Point of Sale cards.

www.cloudcomputingintelligence.com

