In an effort to provide e-commerce merchants with practical guidance on ways to safeguard payment data and ensure the security of online shoppers using cloud-based ecommerce technology, the Payment Card Industry (PCI) Security Standards Council has released a new information supplement.
Titled "PCI DSS Cloud Computing Guidelines", the document suggests detailed methods to protect cardholder data and also defines whose responsibility it is to implement these safeguards, providing relevant advice for merchants in both the B2C and B2B ecommerce sectors. Though the guidance advocates merchants seek out an experienced third-party B2C or B2B ecommerce solutions provider for support, the council made it clear that retailers should not simply pass off security obligations to this partner.
"Cloud security is a shared responsibility between the cloud service provider (CSP) and its clients," said the report. "If payment card data is stored, processed or transmitted in a cloud environment, PCI DSS will apply to that environment, and will typically involve validation of both the CSP's infrastructure and the client's usage of that environment."
Many experts supported the council's position on security responsibilities, as it requires merchants to stay alert and well-informed with regard to security standards and practices.
In comments to American Banker, Pravin Kothari, an executive at a cloud data encryption service, called the guidance an "eye opener" for merchants who might otherwise have blamed service providers for gaps in security. "The client is still responsible for ensuring the cardholder data is secure," Kothari said.
Ultimately, the guidance suggests that a strong partnership between B2B merchants and ecommerce solution providers is critical to protecting the security of purchasers in this sphere. Third-party service providers can offer the education and support merchants need to understand their responsibilities under the PCI Data Security Standard (DSS), and by sharing obligations and knowledge, these businesses may be less at risk of non-compliance.