Do You Have A Written Security Policy?
One of the myths among small business owners is that once a business moves its data to the cloud, it no longer needs to worry about maintaining PCI compliance; this is totally untrue. Even if your data is handled by a third-party provider in the cloud, you are still responsible for maintaining a security policy document and abiding by PCI requirements.
According to the PCI Council (American Express, Visa, MasterCard, Discover, and JCB), organizations shouldn’t expect a PCI-validated cloud provider to relieve them of their PCI obligations. To be PCI DSS compliant, cloud tenants still have their own PCI obligations to meet.
If your business handles credit card transactions and that cardholder information is stolen or exposed in a breach, you will be formally asked by the authorities to present a valid security policy and a copy of your PCI compliance certificate. The odds are that if you don’t have either one, it will be very difficult for you to deflect responsibility to any third party, and you may be liable for all damages and claims from credit card holders.
So, a quick recommendation from someone who has seen his share of disasters caused by upset employees or mid-level hackers: at the very minimum, create or update your security policy now, before it is too late.
Technical Support International, Inc.