Google Wins PCI Compliance Certification for Cloud Platform

The cloud platform certification should appeal to companies looking to outsource the processing of payment data to a third party that complies with PCI requirements, analysts say.

Google Cloud PCI B

Google has validated its Cloud Platform for compliance with the Payment Card Industry Data Security Standard (PCI DSS) in a move designed to appeal to businesses handling large volumes of credit and debit card data.

The certification will allow companies to store and process payment card data on the Google Cloud Platform in a manner compliant with PCI's security requirements.

"We are offering the ability for customers that fall under PCI compliance rules to be able to build applications and services on top of the platform at Google scale," said Matthew O'Conner, product manager with Google's Cloud Platform group. "They can be sure the platform is validated against PCI specifications."

O'Connor said Google has been working with a third-party assessor for the past several months to get the various components of its Cloud Platform, such as the Compute Engine, App Engine, Storage Engine and Big Query analytics engine, PCI certified.

"PCI has long been on our roadmap," O'Conner said. "We have long had customers ask us to meet the requirements. We made a commitment to it, and now we can offer them a compliant platform."

The PCI mandate developed by Visa, MasterCard, American Express and other major credit card brands requires all companies handling payment card data to meet a formal set of security standards.

Companies that are not compliant with the requirements face stiff fines and other penalties if they suffer a payment card data breach. Over the years that PCI has been in effect, many companies have complained about the standard being too costly and cumbersome to implement.

The PCI Security Council, which administers the standard on behalf of the card brands, has recently begun requiring companies to ensure that any third parties handling cardholder data on their behalf also are PCI compliant.

"[So] in order for Google's cloud offerings to be adopted by large retailers, they needed to remove the PCI DSS compliance ambiguity about their services," said James Huguelet, principal at The Huguelet Group LLC, a consultancy in Sugar Grove, Ill. "This paves the way for Google's platform to be leveraged by merchants of all sizes."

Gartner analyst Avivah Litan predicted that Google's new PCI status would likely be of interest particularly for large businesses.

Large retailers often retain huge archives of customer cardholder data for a variety of reasons like chargeback management, fraud resolution and data analytics. The data presents a major risk for these companies and make them inviting targets for cyber-attackers.

"A lot of companies want to get rid of their PCI problem as much as they can," Litan said. "One way to minimize the size and scope of the security audit is to outsource as much payment data as possible" to third parties like Google, she said.

A PCI-compliant Google Cloud Platform gives retailers an alternative to having card data hosted and managed by their payment processor, Litan said. Google will still have to overcome the hesitation that many companies have about outsourcing any data, let alone something as sensitive as payment card data, to the cloud.

But for someone who already feels comfortable about outsourcing to the cloud, the new PCI-compliant Google Cloud Platform could hold some appeal, she said.

Google is not the only major cloud provider with a PCI-compliant platform. Others such as Amazon and Microsoft have achieved a similar certification for their cloud offerings. All Amazon Web Services that support storage, transmission or handling of payment card data are PCI certified, as are Microsoft's Azure services.

Jaikumar Vijayan

Jaikumar Vijayan

Vijayan is an award-winning independent journalist and tech content creation specialist covering data security and privacy, business intelligence, big data and data analytics.