Did you know that you’re responsible for protecting all your customers’ card data and payment details? Unless you’re able to prove you handle payments and store data in a way that’s PCI DSS compliant (Payment Card Industry Data Security Standard), the payment card companies won’t underwrite any fraudulent losses. That can be an expensive mistake!
Last month, the PCI Security Standards Council (PCI SSC) published guidance on securing payment card data in cloud environments. More than 100 global organisations, including a range of technology vendors, contributed to it. The aim is to help businesses identify and address the security challenges of the different cloud architectures and service models, and to understand where their own PCI DSS responsibilities lie when they adopt these solutions.
So what should you look for when selecting a cloud PCI vendor?
It's not enough just to be told they are "certified". As the guidance recommends, a provider that has undergone a PCI DSS assessment and validation should be able to give you proof-of-compliance documentation: the Attestation of Compliance (AOC) and the applicable sections of the Report on Compliance (ROC), including the date of the assessment. They should also be willing to state clearly which system components and services were excluded from the assessment, because anything out of scope for the provider is still in scope for you.
Specific due-diligence processes and goals will vary for each organisation, but typically, it is recommended that you look for the following:
- A history of sound work practices and ethical behaviour
- Potential risks with the provider that may impact your business
- Areas of the service that need to be clarified and included in the service agreement
- Assurance that the provider is compatible with your business image and risk profile
If you are taking card orders, or if your customer service agents are exposed to your customers' card details, take a hard look at your contact centre vendor. They really do need to be a PCI DSS Level 1 validated service provider, which means they have been assessed on-site by an independent Qualified Security Assessor (QSA) rather than completing a self-assessment questionnaire. After all, do you really want to trust your customers' card details to someone who has marked their own homework?