FireHost, the secure cloud hosting company, is further protecting payments processing cloud applications with its Payment Island solution. By decoupling credit card databases and transactional applications from monolithic IT environments, institutions responsible for storing, processing or transmitting credit card data can reduce their scope of compliance, provide better security, and achieve audits faster by reducing the risk profile associated with cardholder data. Presently, FireHost processes more than $20 billion in transactions per year in its Payment Island on behalf of eCommerce and retail companies (merchants), payments processors, card issuers and other financial institutions.
Kurt Hagerman, director of information security for FireHost, said that by improving performance within the cloud environment, a Payment Island provides responsible organizations with a safe haven for regulated payment card data. This kind of advanced protection requires specialized tools and expertise, and navigating these cyber threats and the regulatory landscape should only be trusted to a secure, managed cloud IaaS. FireHost Payment Islands were created to mitigate its customers’ compliance burden by decoupling their regulated data from their own IT environments, thus reducing risk.
By isolating the payment engine through network segmentation, Payment Island essentially provides a data vault for businesses that process transactions in the cloud. By cross-connecting into a customer’s own infrastructure within a data center and storing data outside typical administrative permission controls, the service eliminates latency and scales to provide resources on demand.
Now, in version 3.0, the FireHost Payment Island is updated regularly to ensure alignment with the current Payment Card Industry Data Security Standard (PCI DSS), but that’s really just a starting point.
“This is a game-changing, managed cloud compliance solution,” Hagerman said. “FireHost’s Payment Island provides customers a private cloud experience that protects transactional applications by removing regulated data from local or regular hosting facilities and storage and masking and cloaking it in the most sophisticated cloud infrastructure available. The Payment Island provides administrative controls by segregating data from the corporate Active Directory (AD) permissions, so that customers can more tightly lock down and protect the information from internal threats.”
This concept was covered in a Dec. 2012 Gartner Research Note, “Become PCI Compliant by Choosing the Right Hosting Service Provider.”
According to Tiny Haynes, research director for Gartner and author of the research note, “Any site that handles credit card information needs to put in place the correct, far-reaching security processes and infrastructure to be PCI DSS compliant.”
He also recommends isolating the payment engine from the rest of the hosted infrastructure via network segmentation to reduce the scope of the PCI DSS requirements, and to “choose service providers that have already certified their operations as being PCI compliant. This will help you save time and resources, since you are obligated to use only PCI-certified providers.”
Jed Danner, head of IT development at gotoBilling, agreed. The company, which has built its business model around offering a secure, compliant and easy payment platform, uses FireHost’s Payment Island to protect its customers’ personal and financial information in the cloud.
“FireHost understands PCI compliance unlike any other cloud services provider, and that makes a huge difference to our business,” Danner said. “The network design of FireHost’s Payment Island makes it easy for us to keep our clients secure and meeting compliance, which is mandatory for our success.”
The PCI DSS 3.0 standard is currently in its final phases of development. The final standard will be published in November and will then become effective Jan. 1, 2014. Although PCI DSS 3.0 becomes effective in January, compliance with 3.0 is not mandatory until January 2015.