More Thoughts on PCI Compliance in the Cloud
In a previous posting, we discussed the guidelines regarding PCI compliance in the cloud that the PCI Security Standards Council recently released. Here, we offer additional thoughts on what this might mean for hotels and other processors of customers’ private data.
As a starting point, the guidance confirms that the PCI DSS applies to all organizations that hold, process or exchange credit or debit card information. Responsibility for the security of cardholder data in a cloud environment is shared, for example between a hotel and its cloud vendor; however, the hotel remains accountable for ensuring that its cardholder data is properly secured, by itself and by the cloud vendor, according to the applicable PCI DSS requirements.
PCI compliance requires hotels to understand their responsibilities under the PCI DSS. When card data is stored, processed or transmitted in the cloud, PCI DSS compliance will include validation of both the cloud vendor’s infrastructure and the hotel’s use of it. Before adopting a cloud service, hotels should first verify that the cloud vendor has validated its PCI DSS compliance. In addition, hotels should document everything with the cloud provider in written agreements and should request written assurances that PCI DSS compliant security controls will be in place and maintained. Further, hotels should review the service and the written agreements periodically to identify whether anything has changed.
Venza Group: Since 2008, the Venza Group® has partnered with the hospitality industry as its premier provider of custom learning solutions. Through PEAK™, the Venza Group also offers off-the-shelf courses on compliance and workforce effectiveness … especially crafted for hoteliers.
Link: https://www.pcisecuritystandards.org/pdfs/pr_130205_Cloud_SIG.pdf.