PCI Council Releases Guidelines for Cloud Compliance
A new set of guidelines from the PCI Security Standards Council is intended to help merchants and cloud services providers comply with the PCI DSS when handling payment card data on the web.
Thu, February 07, 2013
CIO — Cloud providers and cloud customers now have a roadmap that defines their security responsibilities in the cloud.
Since 2004, the PCI Security Standards Council (PCI SSC) has maintained the Payment Card Industry Data Security Standard (PCI DSS), a proprietary information security standard for the handling of payment card data.
Increasingly, organizations have taken the PCI standard as a guide for implementing security, even if they don't have responsibility for customer payment card data. But the question of whether and how PCI DSS covers cloud deployments has remained up in the air. Even Qualified Security Assessors (QSAs), individuals trained in PCI compliance auditing and consulting, had disagreements on the subject.
"It used to be that you'd get two QSAs in a room and even they would disagree about whether you could be PCI compliant in the cloud," says Chris Brenton, a PCI Cloud Special Interest Group (SIG) contributor and director of security for cloud server security platform provider CloudPassage. "Because there was no guidance and because some of PCI DSS was open to interpretation, you could get conflicting opinions."
Brenton notes that some QSAs would look at guidelines like those requiring physical network segmentation between in-scope and out-of-scope servers—written before cloud computing took off—and determine that PCI compliance in the cloud was impossible, even though compensating controls could be equivalent to physical segmentation.
Today, the PCI SSC took a big step toward easing the confusion with the release of the PCI DSS Cloud Computing Guidelines Information Supplement, detailing what is required to secure customer payment data and support PCI DSS compliance in the cloud.
"The original PCI DSS was written for a physical network, and some things really didn't apply to the cloud," Brenton says. "This new guidance has really gone through that and clarified things. It does a much better job. Now you can get two QSAs in a room and they'll actually agree on what they're saying."
The organization says merchants that use or are considering using cloud technologies in their cardholder data environment will benefit from the guidance. PCI SSC says it also provides valuable guidance to third-party service providers that provide cloud services or products and to assessors reviewing cloud environments as part of a PCI DSS assessment.
"One of cloud computing's biggest strengths is its shared-responsibility model," Brenton says.
"However, this shared model can magnify the difficulties of architecting a secure computing environment," he adds. "One of this supplement's greatest achievements is that it clearly defines the security responsibilities of the cloud provider and the cloud customer. With the PCI DSS as the foundation, this guidance provides an excellent roadmap to crafting a secure posture in both private and public cloud."