Cloud Storage No Silver Bullet For PCI Compliance

Compliance with credit card data security rules is a tricky business. Don't count on cloud storage solutions to make it any easier.I won't spend any time here talking about the finer points of complying with Payment Card Industry (PCI) compliance rules if your small business handles sensitive customer payment data. If your business falls into that category and you aren't already acquainted with PCI, stop reading this and get up to speed -- fast.

What I do want to discuss is a related question: Are cloud-based services, especially data storage services, PCI compliant?

That's a complex question, but it's pretty easy to cut it down to size. Here's the bottom line: Unless you're told otherwise, in writing, assume that the answer is no.

Some cloud service providers are completely up-front about the difficulty of ensuring PCI compliance in general-use environments. Consider this excerpt from a 2009 blog post discussing Amazon's EC2 solution:

"From a compliance and risk management perspective, we recommend that you do not store sensitive credit card payment information in our EC2/S3 system because it is not inherently PCI level 1 compliant," an Amazon representative told a customer in an exchange that was posted on an AWS web forum. A key issue is that PCI auditors are unable to inspect Amazons data centers.

In other cases, however, cloud providers may attempt to finesse the issue in order to keep potential customers engaged. Case in point: This tale involving a provider that boasted of being "the very first cloud hosting solution to enable an Internet merchant to pass PCI compliance scans."

Dig a little deeper, however, and it turned out that the provider ensured "compliance" by having the customer redirect its credit card processing functionality to a third party card processing provider!

Don't Miss: NEW! Storage How-To Center

Given the popularity of cloud-based storage service providers, especially in terms of backup and disaster recovery tasks, it's easy for a small business to go astray here. But PCI compliance is now a deadly serious business; a single misstep could cost your company its ability to accept credit cards.

For may small and midsized firms, that's tantamount to a death sentence. Tread carefully here. If a cloud provider cannot deliver, in crystal-clear terms, PCI compliance assurances, don't think twice about walking away. Ultimately, the penalties for non-compliance will fall on your shoulders, not the provider's.