Cloud Computing: Would PCI Compliance Help or Hurt Security?

Can cloud computing environments meet PCI compliance standards? Security experts say they can't answer that question yet. But the bigger question is whether meeting PCI standards would actually improve cloud security.

By Kevin Fogarty
Thu, June 10, 2010

CIO — These days it's not that great a compliment to say something's as safe as banks, let alone credit cards or those swipe-card readers at the convenience store.

Still, the possibility—raised in the press and on user forums—that cloud security would be included in the most recent update of the ubiquitous Payment Card Industry's Data Security Standards (PCI DSS) sparked debates on whether requirements designed to protect credit-card data would actually make cloud services less secure.

"PCI can give you a baseline of things you can use to measure security, and some people overuse it for that," according to Josh Corman, analyst at The 451 Group. "The problem is the requirements are specific, but only for the parts of your system that you use to process credit cards. If I were shot dead in an alley but the mugger couldn't get my credit cards, the PCI standards would be satisfied."

[ For more on the PCI standard debate with regards to cloud computing, see What's Wrong With the PCI Security Standard. ]

Every merchant in the U.S. that accepts credit cards must comply with PCI requirements, which become more stringent as the volume of transactions rises. The rules cover 12 major categories, including encryption of credit-card data at the point of sale, during transmission to clearinghouses, and physical security of data centers where credit-card data are stored.

PCI Lacks Virtualization Specifics

Even PCI-compliant merchants don't like the standard much, however, according to a 2009 study from the Ponemon Institute, which found only 29 percent consider it a strategic initiative. 44 percent think it improves security and 60 percent lack the budget to be fully compliant, according to Ponemon's data.

Small- and mid-sized companies actually improve security moving to clouds, which are professionally managed and secured, concluded a September study from the Fraunhofer Institute for Secure Information Technology.

Today, there is literally no way to know if even a secure system could pass a PCI audit if it were based in a cloud, because there are no specific standards for virtual environments of any kind, Corman says.

The PCI Security Standards Council is indeed releasing updates to its standards, including more detailed guidance on how to secure contactless payments using EMV chips in credit cards.

However, the council will not offer much help defining how to secure credit-card or any other data on virtual infrastructures or cloud environments, according to Bob Russo, general manager of the council.

The council does have a group working on virtualization "of which cloud computing is one type," but "at this time the Council does not have plans to release separate guidance on cloud computing," Russo says in an e-mail responding to questions.
