How to Achieve PCI DSS Compliance for Your Site in the Cloud
“International Retailer Hit by E-Commerce Credit Card Data Breach, CEO steps down.”
It’s the newspaper headline that no merchant ever wants to be part of. Credit card data security breaches erode customer trust, carry costly fines and penalties, open legal liability and damage a merchant’s brand. The threat landscape is clear: criminal organizations employ highly skilled hackers to target merchants and steal credit card data. What is an organization’s best defense against these threats? The answer: ensuring that the Payment Card Industry Data Security Standard (PCI DSS) security requirements are met so that cardholder data is protected across your entire payment lifecycle.
PCI DSS was created in 2004 to solve a challenge faced by the major card brands — American Express, Discover, JCB International, MasterCard and Visa Inc.: how do you unify a disparate set of individual card brand policies for cardholder data security to help ensure that merchants, card brands, and consumers alike are protected from fraud? The answer was PCI DSS. The major card brands came together and formed the PCI Security Standards Council to administer this global standard on their behalf. Over the years, the PCI Council has made incremental changes to the original standard to address the evolving threat landscape. However, the standard is still rooted in the original assumption that merchants and service providers operate predominantly on a traditional client/server technology stack and interact with only one or two service providers.
Fast forward to 2016. The days of your cardholder data environment sitting in your corporate server farm, managed by your own system administrator, are quickly coming to an end. Business leaders are asking themselves: “Why am I in the business of managing technology infrastructure when my actual business is selling designer leather shoes?” Merchants and service providers are rapidly adopting cloud computing services to gain the efficiency, cost savings, flexibility, and enhanced cardholder data security offered by technology service providers.
The use of numerous technology service providers presents a major challenge for PCI DSS in the cloud: how do organizations navigate the 250+ PCI DSS requirements, for which they remain ultimately responsible, when they are outsourcing most of the underlying responsibilities to third-party providers?
This white paper is designed to provide organizations with insight and guidance into how they can successfully navigate the new challenges of PCI DSS in the cloud and achieve PCI DSS compliance.