On January 31, the Payment Card Industry Security Standards Council issued its new set of card data security guidelines for merchants and payment providers. The supplemental document addresses increasing risks to e-commerce environments and how online businesses should work with third-party providers, such as PCI compliant hosting vendors.
Bob Russo, general manager of the PCI Security Standards Council, told bankinfosecurity.com that the new guidelines should complement, not replace, other PCI documents, such as the guidelines for ongoing risk assessments and the PCI Qualified Integrators and Resellers Programs.
The additional layers of documentation underscore the importance and potential complications surrounding PCI compliance. Failure to follow the guidelines can be costly. A breach of cardholder data can result in fines of $50 to $90 per card, a suspension of credit card acceptance, negative publicity, loss of customer trust and possible civil litigation.
Online Trust Alliance executive director and president Craig Spiezle gave his top six tips to help small and mid-sized businesses protect customer data in a recent interview with Information Week. All six are critical, but one strikes a chord most suited to this space:
4. Include Customer Privacy In Cloud Vendor Negotiations.
As small and mid-sized businesses adopt cloud applications in greater numbers, Spiezle believes customer data protection needs to be part of contracts and negotiations. The standard language in many such agreements might not be enough, he said. One example: “We adhere to best practices to protect your data,” or some version of that same claim. The problem, according to Spiezle: “That may not be good enough for your business, and you may really want to pressure [them on] that.” Another example: a cloud vendor’s general promise to notify you in the event of loss of sensitive information. The problem: “They may not really know what’s sensitive to your customers or your markets,” Spiezle said.
As a result, Spiezle encourages small and mid-sized businesses to ask cloud providers to include addendums to the standard agreement that cover their specific needs for protecting customer data and privacy. Don’t expect a warm response, though: “Vendors don’t want to do one-off deals.” Nonetheless, it’s an important area to address. In the event of a data-related incident, your customers won’t want to hear: “It’s the cloud’s fault.”
Online Tech is among the data center operators and cloud providers that have stepped in to address the challenge of PCI DSS (Payment Card Industry Data Security Standard) compliance with turnkey PCI compliant cloud servers. Online Tech addresses 12 general guidelines – which break down into 288 separate requirements – in an annual PCI audit.
Online Tech’s PCI compliant cloud solutions deliver a significant portion of the requirements straight out of the box. But, to Spiezle’s point, Online Tech also recognizes that achieving 100 percent compliance requires shared responsibility between the cloud hosting provider and the contracting client. Some facets of compliance fall to one party or the other, while others require attention from both.