GBAF Logo
Men's skincare products including moisturizers and creams - Global Banking & Finance Review
An overview of men's skincare products, highlighting key items like moisturizers and creams, reflecting the growth of the $13 Bn market by 2029. This image relates to the increasing demand for men's personal care in the finance and banking industry.
Top Stories

CipherCloud Unveils Steps to Achieve PCI Cloud Data Security Standard

Published by Gbaf News

Posted on February 13, 2013

4 min read

· Last updated: September 12, 2024

Add as preferred source on Google
fintech Digital banking compliance fintech

On the heels of PCI Council’s guidance for cloud and SaaS, CipherCloud provides in-depth strategy for protecting data in the cloud

CipherCloud Outlines Five Steps for PCI Compliance

CipherCloud, the leader in cloud information protection, has announced five steps for achieving PCI DSS compliance in the cloud to complement the PCI Council’s newly released cloud computing guidelines for organisations that store, process or transmit cardholder information in any cloud environment including SaaS, PaaS, IaaS and hosted email. The Council’s 52-page guidance calls for shared responsibility between cloud providers and cloud customers, including banks, merchants, service providers and payment processors to ensure that cardholder data is protected and PCI-DSS compliant.

PCI Cloud Guidelines Define Shared Responsibilities

While the document advocates shared responsibility between cloud providers and customers, the recommendation lays out new security responsibilities for cloud customers to protect their cardholder data according to applicable PCI DSS requirements. It also specifies that customers need to understand and have a level of oversight and visibility into their cloud provider’s security functions.

In the absence of these new guidelines, cloud customers assumed that the cloud provider satisfied many of the PCI requirements and they started to rely on cloud providers to take care of most of the PCI requirements. This new guidance is an eye-opener as it clarifies that cloud customers cannot shift responsibility to their cloud providers. Cloud customers are still responsible for ensuring their cardholder data is secure.

Key Decisions for Cloud Customers Under New Guidelines

Under the new guidelines, cloud customers who have been hesitant to go to the cloud now have clear guidance and choices: encrypt their cardholder data before sending it to cloud to minimise PCI scope, send their unencrypted cardholder data to the cloud and thus extend the PCI DSS scope to the cloud service, or refrain from sending their cardholder data to the cloud.

CipherCloud's Recommendations for Cardholder Data Security

CipherCloud’s recommendations for safeguarding cardholder and payment information and complying with the new PCI Cloud security guidelines include:
• Cloud Encryption of Cardholder Data: As noted by the PCI Council, “ensuring that clear-text account data is never accessible in the cloud may also assist to reduce the number of PCI DSS requirements applicable to the cloud environment.” This can be achieved by applying the CipherCloud gateway to encrypt sensitive pieces of cardholder information transparently in real time before they are sent to the cloud using operations-preserving encryption and tokenisation that do not impact the usability of the applications.
• Customers Retain Encryption Key Control: With CipherCloud’s approach encryption key management remains in the hands of the cloud customers. This contrasts sharply with other approaches in which the cloud provider retains control over the keys that can decrypt cardholder information. This ensures that payment information remains secure even if a cloud provider is compromised.
• Key Management: The keys need to be stored and managed independently from the encrypted data. At a minimum they should be maintained in a completely separate network segment, and preferably not accessible by the cloud provider.
• Full Data Sovereignty and Legal Compliance: Due to the dynamic nature of cloud operations, it may not be known in which country the information is actually stored and whether it’s accessible by foreign authorities and system administrators. This may result in concerns over data ownership and potential conflicts between domestic or international jurisdictional and regulatory requirements. By encrypting the data before sending it to the cloud, cloud customers using CipherCloudcan be assured that no information will be shared, even with law enforcement, without their direct involvement.
• Restrict Business Card Holder Data On Need-to-Know Basis: By exclusively controlling the decryption keys, the data owner can be confident that all data access is controlled by their own authorised personnel and will comply with the organisation’s internal need-to-know policies. No one at the cloud provider can access the information.

“These new PCI Cloud guidelines are very helpful,” said Pravin Kothari, founder and CEO of CipherCloud. “They provide very important clarifications to cloud customers as to their responsibility for protecting their cardholder data in the cloud, as well as defining clear steps for customers that have been hesitant to adopt the cloud on how to do so.”

CipherCloud's Proven Track Record in Cloud Protection

CipherCloud has more than 1.2 million users and protects more than 100 million customer records around the globe. CipherCloud’s 256-bit encryption gateways protect data in the cloud and put control of the encryption keys in the hands of the customer, ensuring that organisations retain control over data in transit and at-rest in the cloud.

 

 

 

Key Takeaways

  • CipherCloud outlines five actionable steps to help organizations achieve PCI DSS compliance in the cloud.
  • Customers retain exclusive control of encryption keys to ensure security even if cloud providers are breached.
  • Encrypting cardholder data before cloud upload reduces PCI scope and preserves application usability.
  • CipherCloud’s strategy reinforces data sovereignty, key segmentation, and oversight of cloud provider security functions.

References

Frequently Asked Questions

What are the five steps CipherCloud recommends for PCI DSS in the cloud?
They include encrypting cardholder data before cloud upload, retaining encryption key control, segregating key management, ensuring data sovereignty and legal compliance, and restricting access on a need‑to‑know basis.
How does CipherCloud reduce PCI DSS scope?
By encrypting data so clear‑text account data never reaches the cloud, reducing the number of applicable PCI DSS requirements for the cloud environment.
Who controls the encryption keys in CipherCloud’s approach?
The cloud customer exclusively controls the encryption keys, unlike models where providers retain key access.
How does CipherCloud address data sovereignty concerns?
By encrypting data before cloud transfer, ensuring that even if stored anywhere, no clear‑text is accessible without the customer’s involvement.

Tags

Related Articles

Image for Why Curiosity Is the Hidden Engine Behind Every Big Idea

Why Curiosity Is the Hidden Engine Behind Every Big Idea

Image for The Silent Shift Reshaping Global Finance

The Silent Shift Reshaping Global Finance

Image for The Invisible Forces Rewiring Global Finance—And Why the Shift Is Already Underway

The Invisible Forces Rewiring Global Finance—And Why the Shift Is Already Underway

Image for The Global Finance Reset No One Is Talking About—But Everyone Is Feeling

The Global Finance Reset No One Is Talking About—But Everyone Is Feeling

Image for The Financial Trend Hiding in Plain Sight—Why Everything Feels the Same, But Isn’t

The Financial Trend Hiding in Plain Sight—Why Everything Feels the Same, But Isn’t

Image for The Financial System’s New Rhythm—Why Change Is Happening Without Disruption

The Financial System’s New Rhythm—Why Change Is Happening Without Disruption

More from Top Stories

Explore more articles in the Top Stories category

Image for The Subtle Forces Reshaping Global Finance—And Why They Matter Now
The Subtle Forces Reshaping Global Finance—And Why They Matter Now
Image for The Quiet Realignment of Global Finance—Why the System Is Changing Without a Shock
The Quiet Realignment of Global Finance—Why the System Is Changing Without a Shock
Image for The Global Financial Shift That Feels Small—But Is Changing Everything
The Global Financial Shift That Feels Small—But Is Changing Everything
Image for The Financial System’s Invisible Pivot—Why the Biggest Changes Don’t Make Headlines
The Financial System’s Invisible Pivot—Why the Biggest Changes Don’t Make Headlines
Image for Why Global Supply Chains Are Becoming Smarter, Faster, and More Resilient
Why Global Supply Chains Are Becoming Smarter, Faster, and More Resilient
Image for Why Workforce Agility Is Becoming Critical in the Future of Work
Why Workforce Agility Is Becoming Critical in the Future of Work
Image for Why Global Trade Is Entering a New Era of Resilience and Reinvention
Why Global Trade Is Entering a New Era of Resilience and Reinvention
Image for Why Cybersecurity Is Becoming a Core Business Priority in the Digital Economy
Why Cybersecurity Is Becoming a Core Business Priority in the Digital Economy
Image for Why Data-Driven Decision-Making Is Becoming the Backbone of Modern Business Strategy
Why Data-Driven Decision-Making Is Becoming the Backbone of Modern Business Strategy
Image for How Real-Time Data Is Redefining Decision-Making in the Digital Economy
How Real-Time Data Is Redefining Decision-Making in the Digital Economy
Image for Why Cash Flow Visibility Is Becoming the Most Critical Metric for Business Survival
Why Cash Flow Visibility Is Becoming the Most Critical Metric for Business Survival
Image for How Digital Payments Are Redefining the Speed and Scale of Global Commerce
How Digital Payments Are Redefining the Speed and Scale of Global Commerce
View All Top Stories Posts