Summarize the Payment Card Industry Data Security Standards (PCI / DSS). Explain how CSPs can ensure compliance. Include ramifications for non-compliance.
The Payment Card Industry Data Security Standard (PCI / DSS) is a set of security standards for protecting payment card information on the web; it also applies to credit card and personal information stored in the Cloud. The PCI Security Standards Council publishes a list of requirements, and organizations can follow its structure and procedures in their goal to become, and remain, compliant. Compliance with PCI / DSS is measured by audits, which also ‘graciously’ divvy out fines and other forms of punishment for non-compliance with the standard. In PCI compliance, some responsibilities lie with the Cloud vendor, some with the client, and some are shared between the two; how they are split depends on the cloud infrastructure used.
To ensure that an organization meets the associated standards, it is recommended that SLAs state upfront that the Cloud vendor will keep up their end of the compliance ‘deal’. There are several ways to stay compliant and increase the general security of one’s data in the cloud. The first is to figure out which acts and standards apply to your organization and its customers’ data, such as the Family Educational Rights and Privacy Act (FERPA) for educational establishments. Ensuring that the organization and the CSP maintain direct control over all stored records, managing and preventing vendor access, enforcing adequate encryption schemes and methods, and handling data deletion correctly are all measures that can prevent hefty fines, damaging accusations and data breaches. In today’s world, how organizations handle our data finally seems to be on everyone’s mind, as a vast amount of our personal information is practically available at our fingertips, to authorized hands as well as to those that aren’t authorized. Thanks to regulations and standards such as PCI / DSS, the obligation to remain compliant and trustworthy with our customers’ and users’ data is strongly enforced.