Credit Card Security in the Cloud – New Clarity?


Given all the cyber attacks of late, the security of credit card information is more critical than ever, and with greater use of cloud computing, the Payment Card Industry (PCI) Security Standards Council recently issued Cloud Computing Guidelines.

PCI initially established its Data Security Standards (DSS), which among other things “provides an actionable framework for developing a robust payment card data security process — including prevention, detection and appropriate reaction to security incidents.” PCI DSS is not law, but rather a group of IT standards created in 2006 by “the five founding global payment brands — American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa.” According to PCI, “enforcement of compliance with the PCI DSS and determination of any non-compliance penalties are carried out by the individual payment brands.”

However, now that more cloud service providers (CSPs) take payment card payments, the PCI concluded that it was time to create its Cloud Computing Guidelines, which are established around four different cloud models – private, community, public, and hybrid. Some of the PCI DSS challenges in the cloud include the following issues:

  • Clients may have little or no visibility into the CSP’s underlying infrastructure and the related security controls.
  • Clients may have limited or no oversight or control over cardholder data storage. Organizations might not know where cardholder data is physically stored, or the location(s) can regularly change. For redundancy or high availability reasons, data could be stored in multiple locations at any given time.
  • It can be challenging to verify who has access to cardholder data processed, transmitted, or stored in the cloud environment.
  • Many large providers might not support right-to-audit for their clients.

Assuming cyber attacks continue, it is all the more important that cloud providers adhere to the new PCI DSS standards.

