Power through the challenges of moving your payments to cloud

PCI-DSS requirements bring cloud deployment complexity to another level

It is a challenging task to design an infrastructure, tools, and procedures to be compliant with payments industry security standards. To ensure compliance with PCI-DSS requirements, you should be prepared for significant investments to build the solution design and knowledge base within operational teams.

Data location is limited by customer requirements

Data residency and sovereignty are important aspects for payment industry participants (especially within the EU region), when assessing overall solution security. Our experience shows that with proper planning, design, and implementation it is possible to assure required data protection levels. This concerns both the data residency and security, where various legal and regulatory requirements (e.g., PCI-DSS) need to be taken into account.

Network latency becomes a factor when building distributed systems

When moving into hybrid cloud environment (by lift-and-shift approach), initial customer expectations regarding overall solution performance might prove to be overestimation at best. Careful deployment planning is required to minimize the latency impact on mission critical online systems. It is worth noting that latency impact is directly linked with software architecture and data volumes the solution must process. The higher the transaction volumes, the more effort must be put into cloud-based deployment design.

Latency depends not only on physical distance, but on the network infrastructure stability, as well. Public, shared network might not be sufficient for backbone data transfers within distributed software systems. Dedicated infrastructure with isolated channels and controlled setup is a solution to achieve guaranteed data throughput and low latency levels required by mission-critical online software systems.

Compliance is key when creating remote access

Distributed systems introduce a need for remote access. These access channels must be formed so that they are compliant with PCI-DSS requirements, even if routed over public network infrastructure.

Cloud providers lack services that are specific to the cards processing industry

There are several items that are specific to cards processing solutions and not met in any other industry. For instance, none of the public cloud companies provide payment HSM and Visa/MasterCard connectivity devices as a service. To accommodate these, you need to review co-location options, for example cooperation with private data centres. Another option is to host said devices in your own data centres, but this increases the PCI-DSS certification scope.

The good news is that with constant push from the industry, we do expect to see payment HSM and Visa/MasterCard connectivity devices becoming available as a service in major cloud provider portfolios. Until then, many of our customers in the Nordics have chosen Tietoevry private cloud HSM hosting and management services with considerable success.

How to build an application architecture that helps to gain the full advantages of the cloud? Read our next blog and find out .