Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

CipherCloud Unveils Steps to Achieve PCI Cloud Data Security Standard

On the heels of PCI Council’s guidance for cloud and SaaS, CipherCloud provides in-depth strategy for protecting data in the cloud

CipherCloud, the leader in cloud information protection, has announced five steps for achieving PCI DSS compliance in the cloud to complement the PCI Council’s newly released cloud computing guidelines for organisations that store, process or transmit cardholder information in any cloud environment including SaaS, PaaS, IaaS and hosted email. The Council’s 52-page guidance calls for shared responsibility between cloud providers and cloud customers, including banks, merchants, service providers and payment processors to ensure that cardholder data is protected and PCI-DSS compliant.

While the document advocates shared responsibility between cloud providers and customers, the recommendation lays out new security responsibilities for cloud customers to protect their cardholder data according to applicable PCI DSS requirements. It also specifies that customers need to understand and have a level of oversight and visibility into their cloud provider’s security functions.

In the absence of these new guidelines, cloud customers assumed that the cloud provider satisfied many of the PCI requirements and they started to rely on cloud providers to take care of most of the PCI requirements. This new guidance is an eye-opener as it clarifies that cloud customers cannot shift responsibility to their cloud providers. Cloud customers are still responsible for ensuring their cardholder data is secure.

Under the new guidelines, cloud customers who have been hesitant to go to the cloud now have clear guidance and choices: encrypt their cardholder data before sending it to cloud to minimise PCI scope, send their unencrypted cardholder data to the cloud and thus extend the PCI DSS scope to the cloud service, or refrain from sending their cardholder data to the cloud.

CipherCloud’s recommendations for safeguarding cardholder and payment information and complying with the new PCI Cloud security guidelines include:
• Cloud Encryption of Cardholder Data: As noted by the PCI Council, “ensuring that clear-text account data is never accessible in the cloud may also assist to reduce the number of PCI DSS requirements applicable to the cloud environment.” This can be achieved by applying the CipherCloud gateway to encrypt sensitive pieces of cardholder information transparently in real time before they are sent to the cloud using operations-preserving encryption and tokenisation that do not impact the usability of the applications.
• Customers Retain Encryption Key Control: With CipherCloud’s approach encryption key management remains in the hands of the cloud customers. This contrasts sharply with other approaches in which the cloud provider retains control over the keys that can decrypt cardholder information. This ensures that payment information remains secure even if a cloud provider is compromised.
• Key Management: The keys need to be stored and managed independently from the encrypted data. At a minimum they should be maintained in a completely separate network segment, and preferably not accessible by the cloud provider.
• Full Data Sovereignty and Legal Compliance: Due to the dynamic nature of cloud operations, it may not be known in which country the information is actually stored and whether it’s accessible by foreign authorities and system administrators. This may result in concerns over data ownership and potential conflicts between domestic or international jurisdictional and regulatory requirements. By encrypting the data before sending it to the cloud, cloud customers using CipherCloudcan be assured that no information will be shared, even with law enforcement, without their direct involvement.
• Restrict Business Card Holder Data On Need-to-Know Basis: By exclusively controlling the decryption keys, the data owner can be confident that all data access is controlled by their own authorised personnel and will comply with the organisation’s internal need-to-know policies. No one at the cloud provider can access the information.

“These new PCI Cloud guidelines are very helpful,” said Pravin Kothari, founder and CEO of CipherCloud. “They provide very important clarifications to cloud customers as to their responsibility for protecting their cardholder data in the cloud, as well as defining clear steps for customers that have been hesitant to adopt the cloud on how to do so.”

CipherCloud has more than 1.2 million users and protects more than 100 million customer records around the globe. CipherCloud’s 256-bit encryption gateways protect data in the cloud and put control of the encryption keys in the hands of the customer, ensuring that organisations retain control over data in transit and at-rest in the cloud.