Google Cloud Platform Receives PCI-DSS Compliance Certification

The Google Cloud Platform is now compliant with the Payment Card Industry Data Security Standard (PCI-DSS), the search engine company announced on Tuesday.

PCI-DSS is a security standard for organizations that handle payment card information. Now that Google’s Cloud Platform is complaint, its customers will be able to store, process and exchange cardholder information.

“PCI DSS provides a comprehensive and robust security framework for securing credit card information and transactions. Google is using these third-party audited standards to deliver a platform on which application developers can create and operate their own secure and compliant solutions,” Google Cloud Platform Product Manager Matthew O’Connor explained in a blog post.

One of the first companies to benefit from the PCI-DSS compliant Google Cloud Platform is the United States-based online payment services provider WePay.

“Moving our hosting entirely into the cloud is something we’ve wanted to do for a long time. It will enable us to add more servers in seconds to deal with spikes in demand and give us more flexibility to do systems maintenance without impacting our customers,” said David Nye, director of DevOps at WePay. “But as a payments facilitator, we protect our customers by complying with the highest level of the PCI DSS, and that has made the move into the cloud more complicated than it is for many tech firms who don’t deal directly with payment infrastructure.”

Version 2.0 of PCI-DSS is valid only until December 31, 2014. The new sub-requirements introduced by PCI-DSS 3.0 will be considered best practices until July 1, 2015, when the new standard becomes mandatory.

The changes introduced with PCI-DSS 3.0 are designed to help organizations focus on security, instead of compliance.

“A shift is needed in how businesses think and view compliance and security. Asking ‘Am I compliant?’ is not the same thing as ‘do I have a strong security strategy for protecting my customer’s payment card data?’ Security requires a daily coordinated focus on people, process and technology and must be part of business as usual,” Bob Russo, general manager at the PCI Security Standards Council, told SecurityWeek in June.

The latest version of the standard also seeks to help organizations mitigate the risks posed by third-party service providers.

“Updates introduced with PCI DSS 3.0 and recent released Special Interest Group guidance aim to help organizations adequately address payments risks in their contracts with third parties and perform ongoing due diligence to ensure sufficient levels of card security are maintained by their business partners,” Troy Leach, CTO of the PCI Security Standards Council, told SecurityWeek last month.