Why payment data in the cloud means risk as well as complexity


30 Jun 2021

When considering migrating to the cloud, is the security and compliance around data getting enough attention?

Major changes over the last few months have led to a dramatic change in strategies. Adopting permanent hybrid working models for employees has left organizations questioning the need to maintain on-premises hardware and infrastructure. As a result, they're looking to downsize their footprint in this area and move everything into the cloud.

The cloud is offering what could be defined as a silver bullet for reduced costs, agility, scale and flexibility. For new virtual contact centers, these benefits are particularly attractive, especially when introducing agent-assisted online tools such as web chat to add to their customer contact mix.

However, in the wake of migrating to the cloud, is the security and compliance around data getting enough attention? While 75% of contact centers say data security is no longer a barrier to cloud migration[1], where you involve payment and personal data, things get a little more complicated.

As we take the first steps to a different-looking future, for many businesses with contact centers, there remain some hurdles to overcome.

Things to consider when embarking on a cloud transformation project for your contact center

Responsibilities are unclear. Cloud providers need to make it quite clear how they will manage your data and what their roles and responsibilities are. You also need to understand where your liabilities and ownership lie; otherwise, security issues can fall through the gaps and open you up to greater risk.

You are not alone in the cloud. In public clouds, other businesses are sharing the space, and this can increase the risk because it's possible that someone could go beyond their environment and into yours to access your data, through either misconfiguration or poor design.

Some control is lost. Once in the cloud, you're storing data on someone else's server, so you don't have as much control over it, or over access to it, as you may have on-premises. You rely on your cloud provider to protect that data for you, and they should be ready to provide you with their AOC (Attestation of Compliance) for your annual audits. Remember, however, that responsibility for logical access control is not always covered by a cloud provider.

Data is more attractive. Hackers want data and the increased shift to the cloud has created more opportunities for them to get their hands on it. Defining the value of your data and knowing who has access to it will help, as will encryption, monitoring, strict identity or access controls and a tested incident response plan.

Existing security controls may not be effective. Cloud-based resources can be complex to configure, so it's best not to assume that the controls you traditionally used will work as well in a cloud environment.

The biggest threat could still be an insider. The threats from trusted insiders are as serious in the cloud as they are on-premises. 64% of all reported insider incidents were due to employee or contractor negligence[2]. Robust education and training plus restricted access to critical systems can help.

What can you do to maintain payment security in the cloud?

Keep data out - full stop. Preventing sensitive personal or payment data from entering your cloud environment in the first place is certainly the most robust way to ensure payment security. If there's no data in your environment, it can't be stolen.

Cloud contact centers are great tools to enable contact center services. However, they do need to be built and configured properly, with correct access controls added. One simple change to a call flow can suddenly open a floodgate of payment data surging into your organization, which is the last thing you want to show in your audit.

Eckoh has been providing cloud-enabled secure payment and customer engagement solutions for over 20 years. Our watertight solutions are built to keep data out and de-scope all, or part, of your contact center from PCI DSS - reducing the burden of compliance and security, so you can focus on your core business.

Our telephone, chat, chatbot and IVR payment solutions plug straight into your cloud contact center environment to give you the reassurance that sensitive payment data is secure and cannot enter your organization.

To summarize

  • Personal and payment data in a cloud environment is a security risk.
  • You're responsible for payment data, so get to know where you sit in the responsibility matrix.
  • Truly get to know your cloud environment and provider.
  • Preventing payment data from coming anywhere near your systems is the most secure option.

Our security specialists - Dave Holliday, Global IT Director, and Kevin Vaughan, Head of Information Security - presented a session at PCI London Virtual on 30th June called "Your Cloud provider may be compliant but is your payment data secure?" If you missed it, here's your chance to watch it and benefit from their insight into the complexities, pitfalls and answers to securing payment data in the cloud.

[1] Calabrio - State of the Contact Center 2021
[2] Ponemon Institute 2018 Cost of Insider Threats Study