Executive Insight: Get Your Head Out of the Cloud
By Steve Sommers – Senior Vice President of Applications Development, Shift4 Corporation
American author Wilferd Peterson famously wrote, “Walk with the dreamers … the doers, the successful people with their heads in the clouds and their feet on the ground.”
Taken slightly out of context, this quote offers a great warning to today’s tech world. As more organizations consider offloading their data to the cloud, it has become increasingly important to ensure that their feet are planted firmly on the ground and that they are fully aware of what they are getting into.
Now, don’t get me wrong, we recognize the benefits of a cloud-based solution. Much of our offering, which we refer to as Software-as-a-Service (SaaS), could today be described as “cloud-based.” For business owners, cloud solutions offer lower costs, reduced IT stresses, less infrastructure, and more convenient scalability. But at what cost?
As you consider moving more of your business to the cloud – perhaps by implementing a cloud-based point-of-sale (POS) or property management system (PMS) – here are three key points you need to consider:
Where’s My Data?
If you post your customer data to the cloud, do you know where it goes? Does it stay in U.S.-based data centers or could it be in China, Russia, or some other hacker haven? Google has admitted that they don’t know where all of their customer data is at any given time. If Google, with all of its resources, can’t even keep track of where cloud data is, can we expect the average POS vendor to do so?
Assuming your data is encrypted and/or tokenized and you’re not worried about hackers, do you have any reason to be worried about which country is playing host to your data? Right now, in the U.S., the answer is no. However, if you do business in the European Union, you are bound by legislation that governs where and how you can store sensitive data – and we’re not just talking about credit card numbers. In the EU, any database that holds two pieces of personal data, which could include things as mundane as an email address and phone number, must be encrypted and cannot be stored outside of the EU.
What if we see similar legislation proposed here in the next few years? If you hold data as simple as your clients’ full names and email addresses, you could be subject to similar regulations. Would you be able to prove that your customers’ data never left the U.S.? It’s something to consider and to question before you jump into a cloud solution.
Who is Responsible?
If you upload your customer data and credit card data to the cloud, who is responsible for that data? According to the Payment Card Industry Security Standards Council (PCI SSC), not only are you still accountable for that data, but according to PCI Data Security Standard (PCI DSS) Requirement 12.8, you are responsible for managing any service providers that process, store, or transmit cardholder data on your behalf. You have to check-off on your self-assessment questionnaire that you are properly managing service providers.
Not only might you be responsible to know the policies of your cloud-based service provider, but also of their cloud storage company, or any other vendors that may have access to their cloud for security or service reasons. The chain of custody could rapidly become very complex. And if they are not a PCI-validated service provider, you can’t rely on their PCI certifications to validate your own compliance. (Lucky for you, we are a PCI DSS-validated, Level-1 service provider, and in the Security Corner of our website, we provide you with a one-stop-shop for all of your Requirement 12.8 responsibilities. Also, we don’t use other service providers to process, store, or transmit your cardholder data. So saying that Shift4 holds all of your sensitive data actually can help you reduce scope and simplify PCI compliance.)
PCI issues aside, is the solution you are considering one that you have complete confidence in? Before you let anyone else handle your sensitive data, you had better be certain that they do things the same way you would do them yourself. (Or, if you’re outsourcing due to a lack of resources, that they do things the way you would if you had unlimited staff and resources.) Before we built out our newest data center in the Switch SUPERNAP, we spent months going back and forth with them. Even though Switch was only providing the physical space and power for our systems – and would not ever have access to our data or hardware – we wanted to confirm that their security protocols (considered by many to be the best in the industry) conformed with our methods and requirements (which, as you might expect from Shift4, far exceed those of the PCI DSS). We adjusted a few things based on their expert experience, and – we’re proud to say – they made a few adjustments based on our expertise as well. This is the kind of relationship you want to find when it comes to securing your data. You need someone who is as meticulous as you are.
One more thing to consider if you’re looking at offsite storage of your data is its exact location and who outside of your company has physical and/or logical access to it. Your customer data should be encrypted and/or tokenized before it is relinquished to any service provider. Does the data processing solution you might be considering encrypt the data before it is transported out of your environment, or are you relying on the vendor to do that for you? This is why Shift4 is not a completely cloud-based provider. We prefer to have our Universal Transaction Gateway® (UTG®) running at your location so that we can ensure everything is securely encrypted before it is transported out of your network to our secure data centers. Ideally, our P2PE solution should be used to encrypt the data before it even enters your systems.
What Do I Lose?
Even if you find a service provider with security that meets your standards, you have to realize that security is not your sole consideration. By moving your data out of your environment, you give up some level of connectivity and control over that data. If a hotel’s entire PMS is cloud based, what happens if their Internet connection goes down? Being Shift4 customers, you may still opt to process payments using Secure Offline Stand-In, but how will you know which rooms are available, which ones have been cleaned, and whether this customer is a VIP who should be bumped into a suite? Do you invest in a secondary Internet connection? Not only does that come at an extra monthly cost, but from an IT perspective it’s a lot more difficult to set up than you might expect. Unless you have someone on your staff who understands load-balancing, A/B configurations, fail-overs, and port configuring, you probably don’t want to go that route.
Remember also that one of the key reasons to go to the cloud is limited hardware requirements. It may seem obvious, but many people overlook the fact that limited hardware limits what you can do. If you outsource the services you currently use to cut (or encode) room keys, manage your PBX, or even control your credit card devices, then you lose the ability to do any of those things when your connection is down. You also lose a factor of speed and reliability by moving these capabilities out of your environment. This has the potential to become even more of a challenge as the U.S. EMV mandate takes hold and we have new timing issues and considerations to worry about.
Some companies opt to run a cached backup of their whole system as a fail-safe against connectivity issues, but if you’ve got everything backed up in-house, have you really saved time, money, or resources? What did the cloud buy you?
We look at most of the push toward the cloud as what we like to call “Jurassic Park” technology. What is that? Well, like we learned from the Crichton novel turned Spielberg blockbuster, just because we can do something doesn’t mean we should. Storing personal data, payment card data, health data, and who knows what else in a system that is designed to be ubiquitous is just not a good idea. Private clouds, on the other hand, can be effective if they are properly managed. Do your homework. Don’t look for the easiest solution, look for the best solution. Make sure that service provider will protect your customers’ data and your brand reputation as if it were their own. And, finally, be sure you know exactly what capabilities you are giving up before you move any data or capabilities to the cloud.
This article has introduced several important questions for you to ask a potential cloud-based service provider. Remember, before you make any change to your POS/PMS, you should discuss the possible ramifications with your IT representatives and your QSA/ISA, as they are uniquely qualified to give advice for your specific situation. If there is any question you feel we can help you answer, feel free to email email@example.com or call our 24/7 support staff at 702.597.2480 (option 2).