Jaswinder Singh, Author at Perficient Blogs (https://blogs.perficient.com/author/jsingh/)

5 Steps to Achieve PCI DSS Compliance in Hybrid Cloud Infrastructure
https://blogs.perficient.com/2018/07/12/5-steps-to-get-the-pci-dss-compliance-in-hybrid-cloud-infrastructure/
Thu, 12 Jul 2018

Meeting Payment Card Industry Data Security Standard (PCI DSS) compliance can be very complex and costly. If you are not clear how to achieve PCI compliance in a hybrid cloud environment, this article will guide you through the key points and considerations to get you there.
Firstly, there are various architectural options to choose from:

  1. Store sensitive data on a third-party provider’s infrastructure that is PCI DSS compliant.
  2. Use a payment gateway’s encryption service to store and encrypt sensitive information. Your server transmits the sensitive information to the gateway via APIs.
    Image source: rackspace.com
  3. Use a payment gateway’s encryption service to store and encrypt sensitive information, transmitting it to the third party directly from the browser.

Image source: rackspace.com
Once you have settled on an architecture, the following steps will help you bring your infrastructure, whether on a private, public, or hybrid cloud, to PCI compliance.

  1. Understand PCI guidelines for cloud computing

PCI has set up standards and guidelines for the different deployment models, such as public cloud, private cloud, community cloud, and hybrid cloud, and for the different cloud service categories. As per the guidelines, the customer and the cloud service provider each secure their respective parts of the infrastructure. The exact division of responsibilities between customer and provider should be established at an early stage. Here is a sample of how PCI DSS responsibilities may be shared between clients and cloud service providers (CSPs):
Image source: www.pcisecuritystandards.org

  2. Know your cloud provider

The PCI guidelines give you a set of questions for your cloud service provider to validate its PCI compliance. This information should be given to an auditor so that it can be verified during the audit process. Ultimately, meeting PCI compliance is your responsibility, so proof of compliance and certification must be checked. Ask questions of the CSP and verify the responses, for example:

  • What does each service consist of exactly, and how is the service delivered?
  • What does the service provide with respect to security maintenance, PCI DSS compliance, segmentation, and assurance? What is the client responsible for?
  • How will the CSP provide ongoing evidence that security controls continue to be in place and are kept up to date?
  • What will the CSP commit to in writing?
  • Are other parties involved in the service delivery, security, or support?

  3. Think about the security of the complete infrastructure, and understand the significance of PCI DSS compliance, when deciding between private and public cloud

Remember that only servers that store sensitive information fall under this regulation, so you can choose a private cloud only for the PCI workload while other workloads stay on the public cloud; this option may provide some cost savings. Although PCI compliance is very important, it is just a single component of overall security. It is very important to start with the bigger picture and work down to the PCI compliance component of security, so that you meet your comprehensive security needs.

  4. Get cloud-based compliance tools and automate the compliance process as much as possible

Scalability is an essential part of being on the cloud, so the tools used in traditional data centers are not sufficient. Cloud-specific tools can provide consistent security controls across environments. To reduce the impact on operations and gain the full benefits of the cloud environment, security teams must have consistent visibility. Since cloud environments operate in a very agile way, manual dependencies create bottlenecks. Compliance tooling should be automated by integrating it with configuration management tools such as Puppet and Chef.

  5. Create a long-term security approach for PCI implementation

Even if you plan to store PCI data on premises and other data in the cloud, your security program should cover both environments. Your solution should provide a single view of overall security across cloud and on-premises systems, and it should be flexible enough to accommodate future enhancements that meet the long-term vision.
In addition to the business and risk considerations, implementing security controls in a cloud environment may require specialized technical knowledge and skills. It is therefore crucial that, prior to migrating payment card operations into a cloud environment, an organization engages its technical, legal, due diligence, information security, and compliance teams to work together to define the client’s needs and evaluate potential cloud service offerings against those needs.
References:
www.pcisecuritystandards.org
www.cloudpassage.com
www.rackspace.com
How to Choose the Perfect Roll-out Strategy for the New Order Management Solution
https://blogs.perficient.com/2017/08/14/how-to-choose-the-perfect-roll-out-strategy-for-new-order-management-solution/
Tue, 15 Aug 2017

Implementing a new order management system is always exciting for any company, regardless of its size. Even after implementing one of the most mature systems, the roll-out strategy can be very challenging because of the number of systems it interacts with.
There is no single clear answer, because each organization has different business objectives, timelines and budget, but there are certainly some guidelines that can help in choosing the right strategy.
One of the most important steps, which organizations usually overlook, is defining the success criteria. They should be clearly measurable and focused on the solution. There can be various success criteria, for instance the customer receiving the product and the funds being collected. In short, some criteria are compulsory and others are nice to have. Eventually, these criteria will help the organization decide whether the solution will be rolled out or not.
On a high level, here are some possible options:

  • Big bang: in this option the new system takes over on a given day. All the features of the new system are available to users on the same day. The old system is switched off and all users start using the new one.

Image source: Wikipedia

  • Pros
    • Users need to learn only one system. They don’t need to learn how to manage business processes in two systems.
    • The implementation period is short, which means the cost is low.
    • Return on investment is quick.
  • Cons
    • The risk involved is very high.
    • Efficiency can be reduced while users are learning the new system.

Even after very long QA cycles, validating the solution in production before the actual go-live can sometimes give the business and IT the desired confidence. Some organizations process a fixed number of orders in the new system and then go back to the old one for regular processing. After repeating this exercise several times, organizations feel comfortable with the big bang approach.

  • Phased: this option delivers particular features to users in phases. For example, phase one lets users manage orders from one channel, phase two takes care of another channel, and so on. Phases can be defined using different strategies, such as by region, by order channel, by product line, or by customer type. It is very important to define the success criteria so that the solution can be rolled out to future phases.

Image source: Wikipedia

  • Pros
    • No need to plan for user training, because users can learn on the go.
    • Less risk is involved compared to big bang.
  • Cons
    • Return on investment takes a long time.
    • Temporary connections between the old and new systems are needed.


  • Parallel running: in this approach both systems run in parallel and perform all the actions. This gives users the opportunity to compare the behavior of the old and new systems.

Image source: Wikipedia

  • Pros
    • Very little or no risk is involved.
    • Users can learn on the go.
  • Cons
    • Users are maintaining two systems, so this is not the most efficient approach.
    • This requires a bigger operations team, and running two systems in parallel is very expensive.

Some of the important factors that help an organization determine the best roll-out strategy are the number of systems involved and the nature of the business. Finally, each organization is different, so it should determine what is best for it based on cost, timelines and the amount of risk it is willing to accept.
