04-24-13 | Blog Post
Only a week left until the 2013 ETA (Electronic Transactions Association) Annual Meeting & Expo in New Orleans. This conference is going to be held at the New Orleans Convention Center from April 30-May 2, and is expected to have over 3,000 industry executives to learn from and collaborate with.
Compliance is one of the many subjects being highlighted at the expo. Compliance Day will be held on April 30th, and will have over a dozen different speakers, both on panels and running sessions devoted to compliance in the payments industry.
One of these speakers is Randy Gainer, a partner with Davis Wright Tremaine LLP, whom I had the pleasure of speaking with regarding his session on the challenges associated with cloud-based mobile solutions. Having focused on data breach litigation for over 9 years, and with over 20 years working for Davis Wright Tremaine LLP in the IT sphere, he has great insight into the key areas of prevention and risk throughout the payments industry.
Gainer explained that there is a shift in focus when moving to the cloud. Instead of taking care of an infrastructure in-house, businesses are increasingly relying on outsourced cloud service providers (CSP) for the security of that core infrastructure. This can be a huge plus for businesses that no longer have to deal with the challenges of creating and maintaining that foundation, including merchants and mobile payment providers.
However, Gainer attests that this doesn’t remove security from the company’s list of responsibilities. Instead, the focus should shift to securing the applications that will be placed on the cloud infrastructure, after first ensuring that the CSP meets PCI DSS compliance for its part of the puzzle.
Outsourcing to a CSP means finding the right provider to partner with. A good CSP should, at a minimum, have two independent audit reports available for your review. The first is a PCI DSS Level 1 Report on Compliance, prepared by an independent QSA (Qualified Security Assessor).
The second audit report is the SOC 2 Type II (not to be confused with SOC 1 or SSAE 16) developed by the AICPA (American Institute of Certified Public Accountants) specifically for technology vendors handling sensitive information. (Gainer notes that it’s important for a merchant to perform their due diligence on the CPA as well).
With many businesses unsure how best to assess cloud security, Gainer explains that companies have, in the past, started small. That meant putting less critical data in a cloud environment first, where security is less of a concern. That doesn’t mean there aren’t any secure cloud providers out there. “There are a subset of cloud vendors who have stepped up, and are securing sensitive data in the cloud,” Gainer mentions.
So, what can we expect in the future? Gainer says that we’re still in the early days of PCI compliant cloud adoption. But there is promise. The supplements that came out earlier this year by the PCI SSC push an important point: you can meet PCI DSS compliance with a cloud service provider.
“It’s encouraging to me – it helped rebut the myth that it just can’t be done in the cloud. It’s a useful change to the [PCI] SSC,” stated Gainer, who cites the apprehension associated with perceived cloud insecurities. “It has the potential to be as good, and probably better than in-house platforms.”
If you’re going to be at the ETA Meeting & Expo next week, Randy Gainer’s talk, Legal and Technical Security Challenges for Cloud-Based Mobile Payment Solutions, looks to be very informative. Any merchants who need a compliant environment and are already working or plan to partner with a CSP do not want to miss this learning opportunity. He will be speaking 3:15-4pm on Tuesday April 30th.
Also, don’t forget to come say hello to Online Tech in booth #1237 between sessions.
Randy Gainer, Davis Wright Tremaine LLP
Randy Gainer litigates information technology, intellectual property, communications, and media cases as Partner for Davis Wright Tremaine LLP. He also advises business leaders regarding steps they need to take to comply with data security laws and industry standards, privacy requirements, and data breach notification statutes, and assists businesses conducting information system risk assessments.
Please note that Randy Gainer has no business relationship with Online Tech other than the generous sharing of his domain expertise.
Find out how to handle mobile app and device security by reading our Mobile Security white paper. This white paper explores approaches to mobile security from risk assessment (what data are truly at risk), enterprise architecture (protect the data before the devices), and policies and technologies, and concludes with an example of a mobile security architecture designed and implemented within a hospital environment in which both enabling caregivers and protecting privacy, integrity, and confidentiality are paramount.
Looking for more information on PCI hosting requirements, recommendations, and the foundation of a secure PCI compliant data center?
Download our PCI Compliant Hosting white paper now for a complete guide to PCI hosting with IT vendors.