PCI Certification: Can You MOVEit to the Cloud?

January 29, 2014

By Michael Brown

It used to be an either/or decision: Either your clients could be certified for PCI compliance, or they could leverage a cloud-based solution for sending and storing sensitive data – but they couldn’t do both.

All that changed this past week, as Ipswitch File Transfer announced that its MOVEit Cloud environment became the first of its kind to gain Payment Card Industry Data Security Standard (PCI DSS 2.0) Level 1 certification.

In light of all the high-profile credit card breaches of the past few months, this is big news for MSPs (and their retail clients) that want the added security that comes with PCI certification, without forfeiting the convenience of a cloud environment. Michael Osterman, principal analyst with Osterman Research and an expert in cloud computing and IT security, had this to say in response to the announcement:

“Ipswitch’s decision to make its cloud environment compliant with PCI DSS is an important move for the company, but also for the entire cloud delivery model,” he noted. “By enabling PCI compliance in a leading cloud offering, particularly in the wake of recent revelations about more than 100 million cardholders’ information being compromised, retailers and others can be more confident about using the cloud to manage their sensitive data.”

It would be beneficial here to quickly point out the difference between PCI compliance and PCI compliance certification. It’s a distinction that is habitually misunderstood by smaller businesses, many of whom might end up as your clients, so here is an easy way to frame the conversation:

  • PCI compliance is a self-assessment that can be reviewed and confirmed by an audit. This status is claimed by almost every retail organization, large or small.

  • PCI compliance certification is a rigorous, third-party assessment that must be reviewed and confirmed by an audit. Traditionally, this was only relevant for level 1 service providers (the big-time players, in other words).

Regardless of the degree, managed service providers know just how important compliance can be for a client (and we’re not just talking about PCI). In fact, many times compliance will be the decisive factor in which solutions can be adopted and which ones – however popular – cannot be considered. If it’s not compliant, it’s not an option.

The latest move by Ipswitch File Transfer is a promising one – and one that is hopefully reflective of the cloud industry in general. It should be clear by now that businesses genuinely want to adopt cloud-based solutions for almost everything, from email and file-sharing to data storage and procurement. They see the ease of use, the lower costs and the ability to scale with minimal effort and resources. But of course, if they can’t leverage the cloud in a way that is compliant with the laws (and in a way that doesn’t compromise security) then they have no choice but to stick with the status quo.

If developments like this are any indication, it’s not far-fetched to say that every business function could soon be handled in a cloud environment. Bad news for the hackers, but great news for MSPs and their clients. 
