
Security on the Cloud: Does PCI compliance matter

The main concern companies have in migrating to the cloud is security. That one sentence covers cloud computing's greatest hurdle: as more and more companies begin to see the (economic) benefits of moving their infrastructure and data to the cloud, the major turn-off is control. In essence, the greatest advantage of cloud computing is also its biggest detractor. Companies (especially non-IT companies) are really interested in letting someone else run their IT infrastructure, but they're uncomfortable letting someone else run it because of the security concerns.

In my work, I often deal with PCI-DSS (Payment Card Industry Data Security Standard), which is a benchmark of sorts for how secure your servers are. In the banking world, any application, system or vendor hoping to store, transmit or process credit card information needs to be PCI-DSS compliant. If you thought pronouncing the acronym was difficult, adhering to and complying with the standard is even more so. In fact, the direction now is to use certain 'tricks' to reduce how much of your environment has to be PCI-DSS compliant, including implementing point-to-point encryption (so the intermediary systems that only carry encrypted data fall outside PCI-DSS scope) or using tokenization (replacing the card number with a token that can be redeemed from a secure vault). The main direction is clear: compliance with security standards is mandatory and non-negotiable, but it's also expensive and time-consuming, and anything that can help reduce the effort and cost is really taking off (just ask Shift4).
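To make the tokenization idea concrete, here is a small added example (not code from the original post or from any vendor) of a hypothetical in-memory token vault: only the vault ever holds the card number, and every other system stores and passes around an opaque token. The PAN used in the test is a constructed, well-known test number, not a real card.

```python
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Sanity-check a candidate PAN: 12-19 digits that pass the Luhn checksum."""
    if not re.fullmatch(r"\d{12,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: the single system that is allowed to see PANs.

    Everything that only handles tokens never stores cardholder data, which is
    exactly the scope reduction the text describes.
    """

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
        self._by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._by_pan:          # same card always maps to the same token
            return self._by_pan[pan]
        # The token is random (not derived from the PAN), so it cannot be
        # reversed without the vault; only the last four digits are kept for display.
        while True:
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Redeem a token; only the payment step that talks to the vault does this."""
        return self._by_token[token]


def order_record(vault: TokenVault, pan: str, amount: int) -> dict:
    """What an out-of-scope order system keeps: the token and amount, never the PAN."""
    return {"card": vault.tokenize(pan), "amount": amount}
```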

The gist of it is this: security (especially information security) is now at the forefront of any IT discussion, even at medium-sized companies (let alone the Fortune 500). Just ask Sony how they felt when their servers got hacked. With hacking groups like Anonymous breaking into just about any server they deem fit, securing data, especially when that data is your customers' private data, is of prime importance. The cost of failure far outweighs the cost of compliance, but the cost of compliance is still pretty high.

Which is why cloud computing isn't picking up at the speed it should be. IT executives like to see their servers in their own data center, protected by multi-level security they can feel, touch and smell. They like to be able to touch the tamper-proof Hardware Security Module that will wipe itself in case of intrusion; these tangibles make people feel safer, and that will always be the case. Psychologically you'll feel safer behind a wooden box than behind tempered glass, even though the latter offers better protection. In order to feel secure, you need to see the security; that's the way the world works.

However, the cloud operates on a different platform, in data centers whose location even Amazon employees aren't sure of, and in data centers that have been certified to the highest security standards. Security is expensive, but because of Amazon's scale and its experience in dealing with loads of credit card information, taking the leap to trust Amazon isn't that hard.

Consider this: Amazon recently achieved Level 1 PCI compliance. Which means,

"Organizations can now run their applications on AWS PCI-compliant technology infrastructure to store, process and transmit credit card information in the cloud."

Think about it: if Amazon's cloud is PCI compliant, it simply means that it's secure enough (from PCI's point of view) to store credit card numbers and cardholder names, the same type of data Sony recently lost. For the general public, this is the most confidential piece of data they want secured. Now obviously, just because the infrastructure is secure doesn't mean the processes are, and simply deploying your application on the cloud doesn't make it PCI-DSS compliant by default. All it means is that Amazon's storage (like S3), compute (EC2) and even EBS all have a very high level of security, for something they charge in cents per hour. Trust me, if you want to deploy a PCI-compliant infrastructure in your own IT landscape it will cost you more.

I'll end the post with a rather poignant quote from a Techdirt article (entitled "Innovation in Security") I glanced through today. I think it introduces a new approach to security for organizations, particularly to address the old way of thinking where "if I can't see it, it's not secure".

I’ve been thinking more and more about this now that “cloud” storage has become a bigger issue. There are some out there who think that cloud storage means that you have “less” security, since your data is “out there.” And, in some cases, that might be true. But, consider this: if you store the data yourself, you’re responsible for your own security, and you might not be nearly as good as whoever is on the security team at the cloud storage provider.

In essence we're seeing a reversal: instead of customers feeling edgy because they don't have control of their data, customers are beginning to have a greater sense of comfort because their data is being stored in an environment far more secure than they could ever build themselves, and at a reduced price. Now who wouldn't want that?

*As an additional note, post-Thanksgiving Amazon processes about 30-40 THOUSAND credit card transactions per SECOND. So if anyone is pretty clear on how to protect cardholder data, it's Amazon.
