Who has their heads in the clouds? Merchants and consumers who fear a lack of data security in cloud-based payment systems? Or the vendors selling those systems, who assure everyone they are safer than centralized security platforms?
Experts say cloud-based data security has a significant upside, but they suggest businesses and banks be wary and learn about the process. And they believe cloud-systems vendors who profess to have security answers could be correct, but they should demonstrate it in a way merchants and processors can easily grasp.
The Payment Card Industry Security Standards Council emphasized the growing need for a clearer understanding of being PCI-compliant in a cloud-based computing system, which uses multiple remote servers to store information instead of centralized ones, when it announced last month that a council special interest group would study the topic in 2012 to establish requirements or standards.
“Cloud-based computing is so new, we need to take a step back and analyze it because there are so many different areas to think about,” Bob Russo, PCI council general manager, tells PaymentsSource. “Once you get it secure in one place, another area of concern opens up.”
Besides analyzing cloud-based security to establish standards, the council’s special interest group intends to educate merchants about the benefits of cloud-based systems, Troy Leach, the council’s chief technology officer, tells PaymentsSource.
“When there is an absence of standards, it is easy to assume that a process is just too young,” Leach says. “But to trust the cloud, you have to know it adheres to some type of standards, not just PCI but other cloud-related organization standards as well.”
It starts with more knowledge and explanation of the cloud: how it works and what it offers.
Merchants considering a cloud-based system should ask vendors how to minimize cardholder data storage, reduce system access and simplify security management, Leach suggests.
“All of this is more challenging in the cloud because you have several ‘instances,’ or virtual servers, networks and applications, being created, and you have private clouds with limited access and public clouds with access for several divisions within a company,” Leach says.
Ultimately, the cloud-system vendor has to prove the data are secure to a third party, whether it is a processor or the financial institution issuing a credit card, Leach suggests.
Any contract with a cloud provider should include information about how much support it offers and whether the company would help with fraud investigations or disaster recovery in case of a breach, he adds.
With so many uncertainties, businesses and banks that could benefit from cloud computing for payment-system security remain reluctant to convert from hardware systems because they view the cloud as too complex, contends Misha Govshetyn, vice president of emerging products at Houston-based Alert Logic Inc. And merchants generally do not understand how cloud systems meet PCI Data Security Standard compliance, he says.
Eventually, the benefits of cloud computing will outweigh the uncertainties over the payment card regulatory environment, Govshetyn tells PaymentsSource.
Security challenges can unfold with cloud computing or traditional data-security systems, but cloud users have an advantage because the provider, instead of the issuer, processor or merchant, becomes responsible for managing the system, Govshetyn says.
“The security of the system would be in the hands of technicians with far more expertise than an employee assigned to security tasks on a traditional system,” he says.
Some of the mystery of cloud computing diminishes when users realize, in many cases, the flow of payment information is not much different from how it flows through an application developed for a merchant whose website is hosted by a third-party data center provider, Govshetyn suggests.
“Cloud computing, specifically infrastructure-as-a-service, essentially replaces the hosting provider,” he says.
Storage of the payment data depends largely on where the merchant would like it stored on the virtual servers in the cloud, Govshetyn explains. In some cases, the merchant would rely on a third party to handle the payment data, he adds.
Smaller banks and businesses tend to use cloud-computing services because they have fewer employees to check payment-security hardware and practices and less money to spend on security hardware and software, Johnathan Norman, Alert Logic director of security research, tells PaymentsSource.
Hackers are less likely to compromise cloud-based systems because security measures are more precisely configured, whereas corporate security systems can be “grossly misconfigured” with various security devices, making them far more likely to lose data, Norman suggests.
“Cloud providers have a mutual interest in keeping data secure because they know if there is one major breach, it could ruin the entire cloud industry,” Norman adds.
The need for more data-storage space while remaining PCI compliant is a major reason business owners consider cloud-based services, because “hypervisors” replace what used to mean buying extra servers and hardware security modules for an internal network, says David Malcolm, director of data center operations at Computer Services Inc., a Paducah, Ky.-based payment processing and fraud protection technology provider.
“Hypervisor” describes how cloud providers install underlying applications to a virtual server to set up “segmented virtual servers” that establish logical separation of data, Malcolm tells PaymentsSource.
“Virtualization is an excellent way to segment data, and an understanding of it is important for those researching the new trends and determining what they can afford,” Malcolm says.
Ulf Mattsson, chief technology officer at Protegrity Corp., reminds merchants that even if a cloud provider is PCI compliant, that does not mean the merchant is compliant. The Stamford, Conn.-based company provides software for disk and database encryption and tokenization.
“You still have to deploy a PCI-compliant application or service, and anything on the cloud is still within your assessment scope,” Mattsson tells PaymentsSource.
In addition, some cloud-service providers may be PCI certified, but others may not be, Mattsson warns. “PCI certification of the cloud provider really does eliminate any doubts you are allowed to deploy an in-scope PCI system on the cloud, but your organization’s assessment scope isn’t necessarily reduced,” he adds.
Merchants must ensure primary account number data stored in the cloud are encrypted in accordance with PCI requirements, Mattsson says. “The cloud provider doesn’t do this for the merchant,” he adds. “The merchant must implement this himself, including key management, rotation and logging.”
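As an added illustration of the merchant-side duties just described (encrypting stored PANs, managing and rotating keys, and logging their use), here is a Go sketch that is not code from the article or from any vendor quoted in it. The in-memory KeyRing, its method names and the record layout are assumptions made for the example; a production system would hold keys in an HSM or key-management service rather than process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
const nonceLen = 12 // standard AES-GCM nonce size
// KeyRing is an assumed in-memory key store: the newest key encrypts, older ones only open old records.
type KeyRing struct {
	keys  [][]byte // keys[i] is version i+1, a 32-byte AES-256 key
	Audit []string // key-use log lines PCI expects (a real store would persist keys and log durably)
}
// Rotate generates a fresh AES-256 key and makes it the current version.
func (kr *KeyRing) Rotate() {
	k := make([]byte, 32)
	rand.Read(k) // crypto/rand.Read never returns an error (Go 1.24+); it panics instead
	kr.keys = append(kr.keys, k)
	kr.Audit = append(kr.Audit, fmt.Sprintf("key rotated: v%d now current", len(kr.keys)))
}
// EncryptPAN returns version byte || nonce || AES-GCM ciphertext; the version byte is
// also bound as additional data so a record cannot be re-labelled to another key.
func (kr *KeyRing) EncryptPAN(pan string) ([]byte, error) {
	v := len(kr.keys)
	if v == 0 || v > 255 {
		return nil, fmt.Errorf("no usable key version (%d): call Rotate first", v)
	}
	block, _ := aes.NewCipher(kr.keys[v-1]) // cannot fail on a 32-byte key
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, nonceLen)
	rand.Read(nonce) // fresh nonce per record: never reuse one under the same key
	kr.Audit = append(kr.Audit, fmt.Sprintf("pan encrypted with v%d", v))
	return g.Seal(append([]byte{byte(v)}, nonce...), nonce, []byte(pan), []byte{byte(v)}), nil
}
// DecryptPAN opens a record with the key version it names, so rotation never strands data.
func (kr *KeyRing) DecryptPAN(rec []byte) (string, error) {
	if len(rec) <= 1+nonceLen || rec[0] == 0 || int(rec[0]) > len(kr.keys) {
		return "", fmt.Errorf("unknown key version or truncated record")
	}
	block, _ := aes.NewCipher(kr.keys[rec[0]-1])
	g, _ := cipher.NewGCM(block)
	pt, err := g.Open(nil, rec[1:1+nonceLen], rec[1+nonceLen:], rec[:1])
	if err != nil {
		return "", err // tampered, or wrong key for the version claimed
	}
	kr.Audit = append(kr.Audit, fmt.Sprintf("pan decrypted with v%d", rec[0]))
	return string(pt), nil
}
```

Records written under an older key keep decrypting after a rotation, while the audit trail records every key generation and every use, which is the kind of evidence a QSA asks a merchant to produce.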
Security in cloud computing continues to develop because each bank or merchant using a cloud-based system likely would customize it to accommodate specific services, Govshetyn believes.
Regardless of whether a merchant or financial institution chooses cloud security or standard in-house hardware-driven systems, PCI compliance remains a key, he says.
In a cloud security system, providers would install advanced encryption or tokenization methods as software applications, or agents, on top of the different layers of a virtual environment, Govshetyn explains. But the security of “data at rest” remains a new area for cloud-based systems because few vendors are providing encryption functions for the cloud, though several startup companies are addressing that need, he says.
Security for cloud computing can be much less expensive than traditional systems because it operates on demand instead of through hardware operating continuously for long periods of time, Govshetyn suggests. In addition, cloud computing does not require purchasing additional hardware to layer security.
The traditional hardware-driven systems and the industry strategy of “defense in depth” cause banks and retailers to purchase too many security products, Govshetyn contends. Hackers penetrate transaction systems or online banking accounts because so many security products are too difficult to incorporate and monitor, he adds.
“The security industry needs something that is easy to use, but security people do not value simplicity, they love complexity,” Govshetyn says. “The security world needs a Steve Jobs, and we don’t have one right now.”
PCI’s Russo sums up the next phase in cloud computing by saying, “How cloudy is cloud computing? I think there is still some cloudy and stormy weather ahead on it.”
If the potential for stormy weather exists, it appears banks and merchants can do much to brighten the skies simply by learning more about the virtual “clouds.”