December 7, 2021

Cloud Scoping

The Cloud Security Alliance and PCI SSC encourage businesses to identify all people, processes, and technologies that could impact payment security.

WHEN A CUSTOMER taps a credit card at a small business, the processing almost always happens in the cloud. Since the business is ultimately responsible for the security of that transaction, it needs to conduct “cloud scoping” to identify which upstream companies are involved, and where the financial data gets stored. The issue has become so important that the Cloud Security Alliance and the PCI Security Standards Council (SSC) issued a joint alert that stressed cloud scoping to improve transparency, accountability, and security.

“Scoping cloud responsibilities assists in providing focus to assessments, procurement, and security management,” says Jim Reavis, CEO of the Cloud Security Alliance. He believes organizations are doing a better job at it, but need help understanding how the cloud is defined, structured, and delivered. “Transparency on the part of the cloud providers and an informed customer are the keys,” he adds.

“The focus should be on data protection,” says Troy Leach, senior vice president and engagement officer of the PCI SSC. Too many organizations think bringing in a third-party cloud service provider (CSP) is the only step necessary to secure payment data. However, Reavis warns, many CSPs have dependencies on other cloud providers “that are opaque” to the customer, such as backup, authentication, and security providers supporting the CSP.

One of the difficulties in cloud scoping is getting the transparency needed to see the full chain of providers and where the data finally resides. When a customer asks their SaaS provider questions that apply only to a physical data center, that’s a clue they need help with cloud scoping.

A cloud scoping exercise by channel pros on behalf of their customers will establish internal processes to make cloud security a priority, says Leach. “Limiting exposure to payment data reduces the chances of it being a target for criminals.” The PCI and CSA joint statement dives deeper into this topic.

Areas of focus in a cloud scoping exercise include maximizing the use of strong cryptography and encryption key management practices, along with implementing multifactor authentication globally to protect against common credential attacks on consumers, merchants, and service providers. Ensuring that upstream providers perform routine administrative operations such as patch management, verified code updates, and configuration management is essential too.

For some companies subject to relevant compliance requirements, checking that data is stored only within appropriate geographic boundaries will be necessary. Add in inspecting the security of development operations, outlining the source of all software components in the payment solution, and confirming system resiliency for application availability and data backups, and you can see that a cloud scoping exercise requires diligence.

“The main benefit of a scoping exercise is greater clarity to where payment data may exist and who may have access to those resources,” says Leach. “Proper scoping of cloud environments is a significant step in that process for organizations that utilize cloud services and associated benefits.”
