
Multiple birds, one stone: how the cloud simplifies GDPR and PCI DSS compliance

Cloud technology has become critical to operations in many organisations. Providing an agile environment to host infrastructures and run processes and applications, it represents a relatively easy and cost-effective way of boosting performance.

While this is the case for most, the financial services industry has traditionally shied away from cloud adoption for reasons including strict regulations, uncertainty around security and the cost of migration. However, with a thriving competitive fintech start-up scene and, ironically, a host of new upcoming regulations, financial services firms are being forced into action.

Evolving regulatory landscape

The looming EU General Data Protection Regulation (GDPR) is one such ruling. Due to come into effect on 25th May 2018, it provides a blanket law for all EU members and replaces the Data Protection Directive. While there are many differences from current regional laws, the one receiving the most attention is that non-compliance fines are increasing to up to €20 million or four percent of global turnover, whichever is higher. The industry finds itself in a frenzy as it struggles to familiarise itself with the requirements before the deadline but, with just over a year left, time is quickly running out.

Another regulation many financial services firms have to conform to is the Payment Card Industry Data Security Standard (PCI DSS). Relevant to any company that stores, processes or transmits cardholder data, compliance entails numerous measures. While these can often require heavy investment, the cost is outweighed by the potential fines which are levied for both non-compliance and any data breach suffered.

Why the cloud is the solution to the complex regulatory challenge

One function that is being mass migrated to cloud alternatives is communications. Instead of managing the function internally, financial services companies are quickly seeing the benefits of using cloud communications providers that work as ‘data processors’. The role puts the provider in the regulators’ firing line as well, meaning they are more likely to have invested in the necessary features and processes to ensure compliance.

For instance, to satisfy GDPR, ‘data controllers’ (the financial services firm in this example) must ensure robust encryption and security for any customer data, including payment information, stored in call, video or any other format. Legacy telephony solutions and most standard web collaboration systems do not have the capabilities to guarantee this, but cloud telephony providers will have invested in secure cloud environments that can also protect data with robust encryption both at rest and in transit. This capability is also a requirement of PCI DSS.

Moreover, storing data within cloud environments also means that more advanced search functions can be used. Search criteria can be more granular, enabling controllers and processors to pick out specific words and phrases from archived logs. This means that only the required data is extracted, leaving the rest of the recording firmly under lock and key within the archives.

Another requirement that overlaps the two regulations is around credit card data handling. At any given time, only a credit card processor should be able to access recorded payment information. To help achieve this, cloud communication solutions provide the ability to collect payment data via a secure Interactive Voice Response (IVR) facility that integrates with payment processing providers. As all communications between company and customer are recorded regardless of method, the IVR removes any payment details discussed from recordings and sends them to the payment processor. This ensures that controllers only have access to the edited logs, while processors have access to the credit card data.


Embracing cloud technology is essential to achieving compliance with increasingly stringent regulations. While the plethora of rulings may have different end goals, there are many overlaps between them, and cloud technology is empowering financial services firms to effortlessly comply with all of them. Furthermore, cloud represents an intelligent investment. Not only does it ensure compliance with current and imminent laws, but the speed of innovation means it is constantly being developed so it can meet the requirements of emerging regulations.





