PCI Compliance Comes To Cloud

Posted by Chris Scott

Cloud technologies and compliance can often make for uncomfortable bedfellows. Aside from the intricate nuances of Cloud technology itself, service providers are not known for their transparency on thorny topics such as data sovereignty, security models, and the roles and responsibilities assumed by each member of the supply chain.

Nowhere has this become more apparent than with the Payment Card Industry Data Security Standard (PCI DSS). First published in 2004 to protect cardholder data (the PCI Security Standards Council that now maintains it was formed in 2006), PCI DSS is today on its third major version and has 12 requirements, over 200 sub-requirements and more than 400 testing procedures. Understandably, it has been viewed as a necessary evil; the complexity it brings means many firms choose to outsource their PCI requirements.

PCI DSS v3.0 becoming mandatory at the start of 2015 (v2.0 was retired at the end of 2014), however, has made compliance a matter of supply chain management. Version 3.0 puts responsibility for compliance squarely on the business itself, irrespective of whether it is working with a third-party specialist: requirement 12.8.5 obliges the merchant to maintain a record of which PCI DSS requirements are managed by each service provider and which it manages itself, and requirement 12.9 obliges service providers to acknowledge their responsibilities in writing. Any firm handling payment card data now needs a crystal clear understanding of who is accountable for what in the supply chain and how those remits are defined.

We have warned on numerous occasions that there are service providers claiming ‘fully compliant Hosting Partner’ status when in reality they are offering a PCI DSS ‘aligned’ environment, one that has not been validated by an assessor and whose controls the customer cannot rely on in its own assessment. Firms that fail to perform due diligence on an outsourced partner can find themselves lumbered with only the basic components and facing a hefty bill to attain and maintain compliance themselves.

Worse still, failure to comply carries the threat of fines of up to £100 per card affected by a breach, together with higher transaction costs for the time it takes (typically two years) to regain compliant status.

As one of the UK’s few designated Visa-approved Managed Services Hosting Providers, The Bunker has been helping forward-thinking firms to attain and maintain PCI compliance for several years. Now, however, we are excited to reaffirm our position as a trusted compliance partner with the launch of the UK’s first PCI-compliant Cloud service.

Breaking new ground

Historically, it has proved difficult to deploy a PCI-compliant environment onto multi-tenanted cloud infrastructure because of the constraints PCI DSS places on shared components: the hypervisor, network and management plane all fall into scope for every tenant, and the assessor has to be satisfied that tenants are segmented from one another. Our experts have used their decades of experience in processes, server builds and network design to ensure we can now validate the controls we have in place to the satisfaction of a Qualified Security Assessor (QSA). What’s more, we are happy to invite auditors and technical experts to ‘look under the hood’ and see how we have achieved it.

In fact, we have been working for several years with some of the most prestigious organisations in the payment cycle, and have established relationships with leading technical partners, with clear design goals to create a Cloud infrastructure that meets all the requirements from the ground up. At the same time, the maturing of virtualised technologies within the market and the advent of PCI v3.0 have made our compliant Cloud solution possible.

We also provide Security Information and Event Management (SIEM) services that give a full audit trail of everything our technical teams do when accessing an environment. All log data is transferred securely to an independent, accredited security consultancy, where it is monitored continuously in real time. The log data is held outside our control (we cannot access or alter it), but remains available for forensics should an incident occur. This is not a service the majority of Cloud Service Providers offer.

But then again, The Bunker is not your run-of-the-mill CSP. Our ex-military, fully owned UK data centres are highly available and secure by design, and our Cloud infrastructure and heritage in Open Source and Information Security mean we have what it takes to meet the most exacting mandates. At the same time, our service-led culture, accredited expertise and philosophy that security should be a business enabler mean we allow our customers to innovate in a controlled manner.

Our PCI Cloud allows customers to run their applications in a fully compliant PCI environment while taking advantage of all the benefits that come with a multi-tenanted Cloud service: flexibility, scalability and cost efficiency, delivered under a utility consumption model.

Built on IBM and Egenera software technologies, The Bunker’s solution combines all of the necessary services, such as log management, event management and change control processes, not only to assure compliance but to provide a source of business advantage through increased efficiency and the economies of scale delivered by our inherently secure, high-availability Cloud infrastructure.

Still not convinced that compliance can be achieved on shared infrastructure? Book a tour of The Bunker today with one of our PCI compliance experts and we will show you how it is done.