PCI Compliance: What You Need to Know About Office 365 and G Suite
By Angela Diaco

Compliance with PCI requires a multi-layered approach, and securing employee and customer data wherever it lives should be your number one priority. Software-as-a-Service (SaaS) vendors like Microsoft and Google build in controls that detect sensitive information and block it from being shared. For example, with Microsoft's Data Loss Prevention (DLP) tools, IT administrators can automatically detect and block sensitive data such as credit card numbers in Office 365, reducing the chance of a breach or an accidental leak.
So what does this mean for PCI compliance for your backup solution? If your Office 365 or G Suite policies stop employees from storing or sending cardholder data, that data never lands in the mailboxes and drives you back up, so your backup solution has no cardholder data to copy. The result? One fewer vendor to chase down for a PCI audit.
To illustrate this point, see Microsoft’s statement on PCI compliance as it pertains to Office 365:
“With features like Data Loss Prevention (DLP), Advanced Data Governance, Azure Information Protection (AIP), you can turn on policies to automatically detect and label sensitive content when data like Credit Card Numbers, SWIFT codes, ABA routing numbers, etc. are present.”
When your SaaS collaboration tools let you prevent sensitive information from being stored or shared in the first place, your backup solution has no sensitive information to store or leave exposed to attack.
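One way to turn on the detection Microsoft's statement describes, as an added example that is not from the article or from Microsoft's own documentation: the Security & Compliance PowerShell cmdlets below create a DLP policy for credit card numbers and then check the built-in classifier against a constructed sample. The policy and rule names, the location scope, the notification choices and the sample text are illustrative assumptions; the policy starts in test mode rather than blocking immediately.

```powershell
# Added example (not from the article): create an Office 365 DLP policy that detects
# and blocks credit card numbers, then verify the detector fires on a constructed sample.
# Requires the ExchangeOnlineManagement module and an account with compliance admin rights.
# Policy/rule names, scope and the sample text are illustrative assumptions.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # Security & Compliance PowerShell, interactive sign-in

# 1. Confirm the built-in sensitive information type exists and note its exact name.
Get-DlpSensitiveInformationType -Identity "Credit Card Number" |
    Select-Object Name, Publisher, RecommendedConfidence

# 2. Policy: where the rule applies. Start in test mode so matches can be reviewed
#    before anything is blocked; switch to -Mode Enable once the rule is tuned.
New-DlpCompliancePolicy -Name "PCI - Cardholder Data" `
    -Comment "Keep card numbers out of mail, SharePoint, OneDrive and Teams" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# 3. Rule: a card number shared outside the organization is blocked, the user is told,
#    and an incident report goes to the site admin.
New-DlpComplianceRule -Name "Block card numbers shared externally" `
    -Policy "PCI - Cardholder Data" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, Detections, Severity

# 4. Check the classifier against a constructed sample. 4111 1111 1111 1111 is the
#    widely used Visa test number: it passes the Luhn check but is not a real account.
#    A nearby keyword and expiry date give the detector the supporting evidence it
#    looks for, so the match is reported at a higher confidence than a bare number.
#    Test-DataClassification runs in Exchange Online PowerShell (Connect-ExchangeOnline).
Connect-ExchangeOnline
$sample = "Visa card number 4111 1111 1111 1111, expires 12/26"
Test-DataClassification -ClassificationNames "Credit Card Number" -TextToClassify $sample |
    Format-List
```

Leave the policy in test mode for a while and review the incident reports before enabling blocking: any Luhn-valid 16-digit number in an invoice or order export can trigger the detector, and a false positive blocks legitimate work. Note also that DLP acts on content from the time the policy is created; anything already sitting in mailboxes, drives or earlier backups is not removed by it, so the argument above only holds going forward.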
Check out Google G Suite's statement on PCI:
“G Suite is not meant to process or store credit card transactions.”
In essence, if you secure sensitive information within your SaaS tools upfront, you don't need to worry that it will turn up in your backups. While both platforms document how to prevent users from storing or sharing this type of data, neither Office 365 nor G Suite is intended to be part of your cardholder data environment, and neither should be used to transmit credit card details.
Note that Backupify is happy to sign BAAs as it relates to PCI Compliance.