The PCI SSC Latin American Forum, an online event, took place this week with more than 1,100 payment security practitioners from Latin America discussing the latest in payment security and standards. Here we talk with Carlos Caetano, PCI Security Standards Council Associate Director, Latin American Region for Brazil; Elder Vinicius Telles de Arruda, Information Security Manager, Getnet; Enildo Barros, IT Services Head, C6 Bank; and Ricardo Nilsen Moreno, Information Security Superintendent, Banco Safra, about cloud security trends, highlights from the Latin American Forum (LAF) and industry involvement opportunities for the region.
Why did the PCI SSC hold this online forum?
Carlos Caetano: It is amazing how time flies. This was our 5th annual Latin America Forum. Our first three were in-person events but the last two years were moved online due to the COVID-19 pandemic. We host this event every year in order to bring together payment security experts and stakeholders to discuss security standards and programs, the latest security trends and threats, and to network among our industry. This year’s event was once again a terrific success.
Speaking of trends, cloud security has become a significant growth area as more and more organizations rely on cloud services. What changes have you seen to cloud over the past 5 years?
Carlos Caetano: The use of cloud computing services has exploded in recent years in Brazil and around the world and is expected to continue expanding in the near future. Cloud computing has the potential to help organizations to reduce IT complexity and costs while increasing agility. In the payments world, many organizations have had to reinvent themselves and adapt to remote transactions and the world of e-commerce. This has resulted in an upward surge in the use of cloud computing services as well as security concerns associated with using the cloud.
The PCI SSC just recently put together an industry bulletin with the Cloud Security Alliance (CSA) on the importance of properly scoping for cloud environments: The Importance of Properly Scoping Cloud Environments.
Elder Vinicius Telles de Arruda: I believe that the big cloud players are working very hard on compliance, standards, frameworks, and good security practices. All of this has made it easier to adopt the cloud in services in any industry, especially the payment methods industry. This has supported the transformation of those who want to migrate the on-premises module for the cloud security environment.
Enildo Barros: In the past few years, cloud services are increasingly being developed to be more reliable. We continue to see an advance in the presence of cloud services providers which is a trend I think will continue for years to come because of their potential to furnish services that help consumers and businesses alike.
Ricardo Nilsen Moreno: I think the word is maturity. Cloud services have really matured in the past 5 years which is why we have seen such a giant growth in this area, especially in relation to information security. I think confidence in security controls among the major cloud players has significantly grown in recent years.
What are the main points that an organization needs to consider when implementing a 100% cloud environment?
Ricardo Nilsen Moreno: I think it is very important for an organization to consider security costs early on when thinking about moving to a 100% cloud environment. Make sure the costs are all being considered from the beginning. I would also recommend that organizations fully understand their roles and responsibilities when migrating to the cloud. Finally, organizations need to prepare their response teams, so they are reliable when responding to an incident.
Enildo Barros: Step one is to understand cloud and that means assembling a capable team. When implementing a 100% cloud environment, having the right professionals involved is critical to success. It is also important to understand what services are available and what services are most important to your organization. Lastly, know what certifications your cloud service providers have. Proper vetting of your cloud service provider is fundamental and is a responsibility to be taken seriously.
Elder Vinicius Telles de Arruda: A consistent risk analysis is important and putting in place information security and security controls is fundamental. Disaster recovery strategies are critical to maintain the continuity of a business. Cloud players should provide robust documentation and advisory support. Security governance with monitoring and threat indicators is also a good idea.
What is the future of cloud and payments?
Elder Vinicius Telles de Arruda: I believe there will be a big convergence of cloud services with the payments industry. The evolution we have seen in recent years demonstrates more reliability on cloud services. There are many opportunities to explore the benefits of cloud security features for businesses. The adoption of cloud services in line with cloud security will play a major role in the future of payments.
Enildo Barros: The agility and reach of utilizing cloud services mean that the use of cloud will continue to grow and grow. I believe we will continue to look at architectures that further explore cloud resources. I think everyone has a lot invested in the scalability and security of cloud. Everyone in this space will keep working together and cloud services will continue to grow moving forward.
Ricardo Nilsen Moreno: We will continue to grow on a learning curve. It seems like every day there is news of a new payment method that uses some new way to make a transaction easier for the consumer. That requires agility and cloud services will likely play a major role in helping businesses achieve that.
A key theme of the Latin America Forum was working to increase industry participation from Brazilian stakeholders in the PCI Security Standards Council. What are some of the key opportunities for involvement?
Carlos Caetano: Our Participating Organizations (PO) program is a terrific starting point for organizations who want to be a part of the payment security community. Being a PO allows an organization to collaborate with others in the payment industry and have a voice in the development of our standards and programs. The heart of the PCI SSC mission is bringing together payment industry stakeholders to develop and drive implementation of data security standards and resources. For more information about becoming a PO please visit:
Also, Participating Organizations are eligible for nomination and membership on our Regional Engagement Board (REB). The REB brings together leaders in the Brazilian payments industry to share their knowledge and local understanding of the payments space in Brazil and throughout the region. 2021 is the year for POs to nominate themselves for service on the 2022-23 REB term. The nominating period will launch in November.
Finally, the PCI SSC will have eLearning trainings for our Internal Security Assessor (ISA) training programs in both Portuguese and Spanish later this year. The Portuguese ISA training will take place on Oct 20, 2021, and the Spanish version will be held on November 10, 2021. For more information please visit: