As it does relatively frequently with other topics, Google recently released a set of guidelines to help organizations ensure that any payment processing applications of theirs running on top of Google’s cloud platform comply fully with the requirements of the PCI DSS.
The Payment Card Industry Data Security Standard refers to a set of security controls that all organizations handling credit and debit card data are required to implement. The requirements vary depending on the number of credit card transactions an organization handles in a year.
Organizations that are not compliant and suffer a payment card breach can face stiff fines and other penalties from the major credit card associations, including MasterCard, Visa and American Express.
Google’s guidelines are meant specifically for e-commerce merchants who have hired PCI-validated third parties to handle their payment processing requirements. Merchants who fall into this category are those whose Websites accept payment card transactions but that do not electronically store, process or transmit any cardholder information themselves.
Google’s tutorial is designed to help such organizations design, deploy and configure PCI-compliant payment applications on the company’s cloud platform, Google Cloud Solutions Architect Peter-Mark Verwoerd said in a recent blog post.
To do that, Google’s tutorial uses the example of an e-commerce Website that sells subscriptions for a business-accounting software service to walk users through how to set up a PCI-compliant payment application.
The sample Website is designed to let customers input their credit or debit card information into a form that is owned and maintained by the e-commerce site. It is configured to securely send all payment card information that is entered into the form to an external payment processor, which in this case is Google. The processor checks the card information and then either approves or declines the transaction and relays that information back to the e-commerce site’s payment application.
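The flow described above, where the merchant's own form relays card data to the processor and keeps only the decision, is sketched below as an added Python example. It is not code from Google's tutorial: the processor client is a constructed stub (a real integration would call the PCI-validated processor's API over TLS), and the `PanRedactingFilter`, `handle_payment` and `holds_full_pan` names are hypothetical. The point it demonstrates is the one the article turns on: the merchant's application passes the card fields through and retains only the approve/decline result, a processor reference and the last four digits, with a logging filter so that a card number cannot leak into Stackdriver or any other log sink.

```python
import json
import logging
import re
from dataclasses import dataclass
from itertools import count

# Matches 13-19 digit runs, the length range of payment card numbers.
PAN_RE = re.compile(r"\b\d{13,19}\b")


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which PCI DSS permits to be displayed."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace every card-number-looking digit run in free text."""
    return PAN_RE.sub(lambda m: mask_pan(m.group()), text)


class PanRedactingFilter(logging.Filter):
    """Hypothetical logging filter: the message is rendered and redacted
    before any handler (console, file, Stackdriver agent) sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def rendered_log_line(msg: str, *args) -> str:
    """Return what a handler would receive for a given log call (for checking)."""
    rec = logging.LogRecord("payments", logging.INFO, __file__, 0, msg, args, None)
    PanRedactingFilter().filter(rec)
    return rec.getMessage()


@dataclass(frozen=True)
class ProcessorResult:
    approved: bool
    reference: str  # processor-issued id: safe for the merchant to store


class StubProcessor:
    """Constructed stand-in for the external, PCI-validated processor's API.
    Made-up rule: approve cards starting with 4 for amounts under 1000.00."""

    def __init__(self):
        self._ids = count(1)

    def authorize(self, pan, expiry, cvv, amount_cents) -> ProcessorResult:
        approved = pan.startswith("4") and amount_cents < 100_000
        return ProcessorResult(approved, f"txn-{next(self._ids):08d}")


log = logging.getLogger("payments")
log.addFilter(PanRedactingFilter())


def handle_payment(form: dict, processor, store: list) -> dict:
    """Merchant-side handler for the card form. The card fields go straight
    to the processor; only the decision, the processor reference and the
    last four digits are written to the merchant's own records."""
    result = processor.authorize(form["pan"], form["expiry"], form["cvv"], form["amount_cents"])
    record = {
        "order_id": form["order_id"],
        "approved": result.approved,
        "reference": result.reference,
        "last4": form["pan"][-4:],
    }
    store.append(record)
    log.info("order %s %s ref=%s", form["order_id"],
             "approved" if result.approved else "declined", result.reference)
    return record


def holds_full_pan(store: list, pan: str) -> bool:
    """Self-check for the merchant's records: a full PAN must never appear."""
    return pan in json.dumps(store)


if __name__ == "__main__":
    # Constructed sample submission; 4111 1111 1111 1111 is a standard test number.
    form = {"order_id": "A-1001", "pan": "4111111111111111", "expiry": "12/29",
            "cvv": "123", "amount_cents": 4999}
    records = []
    print(handle_payment(form, StubProcessor(), records))
    print("full PAN retained:", holds_full_pan(records, form["pan"]))
```

Because the CVV and full card number never enter `record`, the merchant's database and its log export carry nothing that would pull those systems into the cardholder data environment; `holds_full_pan` is the kind of check worth running in a test suite so that a later change cannot quietly start persisting the number.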
According to Google, customers of its cloud platform can take advantage of a slew of its technologies and services to implement a PCI-compliant payment application. For example, technologies like the Google Cloud Deployment Manager can help organizations automate many key application deployment-related tasks and allow administrators to use simple commands to set up firewall rules, load balancers and cloud gateways, the company said. Using Cloud Deployment Manager gives administrators the additional benefit of constructing an audit trail of how the environment was created and deployed, Google said.
Similarly, automated configuration management tools like Puppet, Chef and Ansible can help organizations take a lot of the complexity and grunge work out of application configuration.
In addition, Google Compute Engine offers an easy-to-use application for accepting credit card data and passing it along securely to the processor, while managed services like Stackdriver enable application monitoring and logging. The Google guide also touts the use of the company’s BigQuery data analytics service for log analysis purposes and for running ad hoc queries against log data.