Previously we talked about Pragmatic PCI and applying just enough process to ensure you understand and execute your processes in a PCI compliant manner.
What about when you inject “The Cloud” into the picture?
PCI Compliance isn’t something that someone can sell you and even a PCI compliant environment can be misused - creating a hole in your assessment.
What is special about the cloud from a PCI perspective?
First off, you don’t control the physical environment and therefore you are dependent upon your provider’s physical security measures to maintain compliance. This doesn’t need to be a problem as there are numerous providers available now that can provide “bare metal” that is certified compliant for you to work from.
You are still likely to have the responsibility of maintaining the virtual machine environment, updating operating systems, app servers, frameworks, applications and databases. How do you offload that responsibility even further? PCI is all about the cardholder environment and the protection of Primary Account Numbers (PANs).
Cloud or on-premise, the guidelines are the same and keeping your exposure minimized is key to simplifying your PCI compliance.
Isolating your cardholder environment and ensuring servers have a single purpose is a key area of compliance, and if you can leverage a cloud environment and a provider's physical security to meet this goal, so much the better.
For more on PCI and how it might impact your API strategy, check out our live webinar this week - "Does your API need to be PCI compliant?" If you can't catch the webinar we'll send you the video.
(And a shameless plug: Apigee also offers a full managed PCI-compliant Cloud API management service.)
Next up, Knowing Your Data before the Auditors Do.