Google Joins Amazon, Others In Gaining PCI DSS Validation

Google Cloud Platform, the company's portfolio of cloud computing products and services, achieved validation for compliance with the Payment Card Industry Data Security Standards, the company said Tuesday.

The Mountain View, Calif.-based online computing giant said the PCI-DSS validation enables users to hold, process or exchange cardholder information on the platform. Google Cloud Platform is aimed at software developers who build, test and deploy applications using Google's infrastructure.

"Google is using these third-party audited standards to deliver a platform on which application developers can create and operate their own secure and compliant solutions," wrote Matthew O’Connor, product manager of Google Cloud Platform, in a blog entry announcing the validation.

The PCI compliance was validated by an authorized independent Qualified Security Assessor. The validation enables PCI Level 1 merchants to use the platform for their processing services. Google's O'Connor highlighted payment platform maker WePay, which can now use Google infrastructure to support its ecommerce website and small-business software provider clients. Prior to the validation, the company was required to use PCI-compliant hosting providers with dedicated servers.

The PCI-DSS validation lets merchants and payment service providers use Google's infrastructure and achieve PCI DSS compliance, said Ben Goodman, president of 4A Security, a managed security service and risk management consultancy based in New York. PCI-DSS is no panacea, but it is a good standardized framework that contains prescriptive requirements for protecting cardholder data, Goodman said. It provides a useful baseline for measuring compliance over time, he said.

"Merchants must understand that no matter what, they always retain liability and always retain the risk," Goodman said. "As long as they architect things properly and manage their end of security system correctly, it limits the scope of PCI compliance."

Amazon Web Services gained PCI DSS validation in 2010, enabling it to support Level 1 merchants that conduct more than 300,000 transactions annually. The validation covers the company's storage platform S3.

Google's PCI DSS validation comes at a time when the payment industry is reeling from a string of high-profile retail data breaches in 2014. The breaches have shed light on point-of-sale system security and prompted the card brands to push merchants into adopting modern, chip-enabled POS systems to reduce fraud. Security experts, however, say broad adoption, expected over the next several years, will push criminals into conducting more online fraud as it has in Europe and Asia, where the systems are widely used.

In addition to PCI DSS, Google Cloud Platform is ISO 27001 certified and is validated under HIPAA, SOC2/SOC, and SSAE 16.

Google Cloud Platform supports a variety of services, from using its compute power to establishing Hadoop clusters for big data projects. The company has cut prices five times since March on several features of its cloud, but said it is committed to expanding its partner ecosystem by adding implementation and service partners. The company believes its Docker, an open platform for developers and system administrators, and Firebase, a Backend-as-a-Service (BaaS) for web applications, provide an opportunity for the channel.

Google launched Cloud Interconnect in November, enabling enterprise customers to connect their infrastructures to the cloud platform with secure network connections. The service relies on a VPN tunnel to secure the connection. It is offered by Google to support data-intensive and latency-sensitive applications.