There has been a lot of talk lately about whether cloud computing would help or hurt PCI security. In my day job I speak to lots of merchants (most of them smaller) about complying with PCI regulations. For the most part, well over 90% of these merchants are low risk, don’t store credit card data and just need to fill out the appropriate self-assessment questionnaire (SAQ). Another 5 to 8% of these merchants either do business over the web or have a POS system or payment gateway that is connected via the Internet. These merchants, in addition to filing the SAQ, must also conduct ASV external scans (such as those offered by Alert Logic) at least quarterly.
There are a very small number of merchants though who are actually storing credit card data. Some do it because they have to, others because they always have and are resistant to change. These are the problem children of the PCI generation. They also represent the biggest threat of course. I have spoken to about 6 or 12 of these types of merchants over the last month. In about half of the cases we have been able to help them move “out of scope” in terms of PCI.
These merchants have moved out of scope by moving to the cloud. By offloading the storage of their credit card environments to a 3rd party (QuickBooks Online, Authorize.net or another 3rd party), they have gotten out of the business of storing credit card data themselves. This is a horse of an entirely different color for these merchants.
As for the 3rd party provider who is now storing the credit card data, they are generally much better situated to store it. They have the resources and the know-how to do it much more safely than a small merchant can. That is another reason why, when you can give up control, the cloud is the better solution.
So for these problem child merchants who were storing credit cards, moving the credit cards up to a 3rd party in the cloud absolutely, positively helps PCI compliance and makes our job easier.