“The Cloud” is probably one of the most misunderstood aspects of online computing, but also one that has changed significantly as its use has expanded. For example, the Payment Card Industry Security Standards Council (PCI SSC) recently issued updated language on payment cards and cloud computing services. In 2013, when they issued Version 2 of their recommendations, the document was 52 pages long. Now, five years later, Version 3 has swelled to 83 pages.
Payment card security
With all of the news of hacks and data breaches, it should come as no surprise that payment card security is coming under greater scrutiny. It isn’t just the loss of data that is dangerous to a company. The loss of credibility and customer support is just as dangerous, as when Target saw its profits drop 46 percent after a credit card data breach. Companies choosing to become PCI compliant help to shore up that credibility and consumer trust, while also reducing the chance they will be fined if there is a breach.
So what exactly is in the new PCI document and what are these new guidelines?
First, the guidelines have added two entirely new sections. One mandates that companies notify customers about data breaches in “clear and unambiguous language, taking into consideration the need to comply with local and global regulatory/breach laws, data privacy, security incident management and breach notification requirements.” This need to keep the public informed comes on the heels of several high profile data breaches that went unreported for some time, including the Equifax hack.
Another new addition to the document involves vulnerability management, including details such as how to test web applications and conduct penetration testing. It also covers internal networks and new technology such as the Internet of Things. These new technologies will have a major long-term effect on cloud computing and security in the coming years.
For a closer look at the revised recommendations, view PCI SSC Cloud Computing Guidelines.