Miller continued, "The incidence of malicious attacks on public cloud services is on the rise. Credit card information, plus the identifiable data that is used to verify that credit card is both a valuable and attractive target. If you can achieve the full identity of the card holder or thousands of card holders in an attack, the hacker has increased the profitability level of the attack. This is a valid security concern for those organisations that rely on credit card transactions to successfully stay in business or on PCI protocols when they are considering a move to a public cloud.
Pure hacking offers a few recommendations for achieving PCI compliance in a public cloud:
- Check that your cloud provider actually knows how to spell PCI. Beyond that, make sure that the agreements spell out full disclosure; if they vendor knows or suspects they are not complaint, they must tell you.
- Confirm that the cloud provider is provably PCI complaint. Ensure that every part of their system is included in your regular audit
- Extend your PCI compliance budget to include the extra requirements of testing the cloud provider and ensure they receive sufficient focus
- Be aware that having made the decision to move card processing to the cloud, reversing the decision will be costly; in other words, double and triple check your decision to go to the cloud.