How does it work?
Outsourcing operations to a third party means that you share the responsibility for meeting the requirements in PCI DSS. Your hosting provider fulfills some requirements, and your company has to fulfill the others. The PCI DSS requirements focus on three areas: technology, processes and people.
The provider supplies the cloud infrastructure and is responsible for most of the technology-related requirements. You are responsible for the requirements related to people and processes.
When using a third-party PCI DSS certified service or hosting platform, your company will have to submit a responsibility matrix to the QSA. The responsibility matrix details who is responsible for which PCI DSS requirements.
What assets do you need from potential service providers?
As you research and evaluate potential cloud providers, there are two critical documents you will need to obtain from each provider: an Attestation of Compliance (AOC) and a responsibility matrix.
Attestation of Compliance
The AOC (Attestation of Compliance) is a form that records the results of the PCI DSS audit, signed by both the assessed company and the PCI QSA. An AOC is the certificate that offers proof that the service provider or merchant is PCI DSS compliant. If you are a merchant, the service provider's AOC shows that some of the PCI DSS requirements are fulfilled on your behalf. The PCI Council considers an AOC to be "third-party proof".
Responsibility Matrix
A responsibility matrix is a list of the requirements that indicates which of them are the responsibility of the service provider, which are the responsibility of the merchant (or of a second service provider), and which are shared between them. A responsibility matrix is a great way to get an overview of how much PCI DSS compliance is simplified by placing your environment in a PCI DSS certified cloud.
The responsibility matrix should, for each requirement, specify:
- How the service provider performs, manages and maintains the required control.
- How the control is implemented, and what the supporting processes are.
- How the service provider will provide evidence, when requested, that the control is in place.
It can look something like this:
This allows everyone involved to understand their role, take on and deliver their share of the responsibility, and keep your organization continuously PCI DSS certified.
The 5 benefits of outsourcing to a PCI certified hosting provider
It requires a lot of effort to meet the requirements in PCI DSS. Outsourcing allows you to simplify your compliance efforts, saving a lot of resources. Besides fulfilling the majority of the requirements for you, a PCI DSS certified cloud platform brings other benefits:
1. Cost Effective
One of the biggest motivations for any business decision is cost. You want the best you can get for the lowest price possible. The same is true of PCI DSS. Using a third-party provider for PCI DSS compliance and security can save your business money.
Investing in an outsourced service allows a high level of protection to be achieved without an enormous investment in resources such as staff and infrastructure. These cost savings can make an especially big difference for small companies and startups.
2. Dedicated security specialists
Running a business is a lot like juggling. You juggle the different components that make up your business: products, profitability, costs, staff, etc. Add compliance and security to that and balls begin to drop.
One of the major benefits of outsourcing to a PCI DSS certified cloud provider is that you gain access to compliance and security experts who know the ins and outs of PCI DSS; this knowledge is part of the package. You can stay up to date with the latest developments in the industry, including PCI DSS updates, new technology and the latest tactics used by cyber criminals targeting the payment industry.
Having industry specialists on hand can also help you identify vulnerabilities and weaknesses earlier and improve your incident response capabilities, allowing a quick response to security and compliance issues.
3. Support around the clock
Protecting sensitive data is a 24/7/365 job. Outsourcing IT operations to a hosting provider means that you get support around the clock and can respond to threats and incidents immediately. When your network is monitored continuously, you significantly reduce potential downtime and its impact on your clients.
4. Stamp of security
By choosing a PCI DSS certified provider, you can be sure that there is a high level of security where your data resides. The third-party provider goes through the PCI DSS audit process every year and has to have its security tested each quarter.
Using a PCI DSS certified cloud solution validates your security posture as a company that prioritizes safeguarding payment data. This improves trust among your customers and can be a powerful tool in your marketing efforts. In fact, many customers now inform themselves before deciding where and to whom they provide credit card data, and actively seek out this stamp of security.
5. Easier to scale
The goal for businesses is to grow, right? Cloud solutions are scalable by nature, and the same goes for PCI DSS certified cloud hosting. You do not have to invest in your own hardware; the hosting provider handles that for you. The solution scales as you grow, without affecting security.
Ready to audit and ensure your organization is PCI DSS compliant and partner with a trusted Swedish cloud-hosting provider? Reach out to our team at Complior to get your free quote.