Cloud Computing: Would PCI Compliance Help or Hurt Security?

These days it’s not that great a compliment to say something’s as safe as banks, let alone credit cards or those swipe-card readers at the convenience store.

Still, the possibility—raised in the press and on user forums—that cloud security would be included in the most recent update of the ubiquitous Payment Card Industry’s Data Security Standards (PCI DSS) sparked debates on whether requirements designed to protect credit-card data would actually make cloud services less secure.

“PCI can give you a baseline of things you can use to measure security, and some people overuse it for that, according to Josh Corman, analyst at The 451 Group. “The problem is the requirements are specific, but only for the parts of your system that you use to process credit cards. If I were shot dead in an alley but the mugger couldn’t get my credit cards, the PCI standards would be satisfied.”

[ For more on the PCI standard debate with regards to cloud computing, see What’s Wrong With the PCI Security Standard. ]

Every merchant in the U.S. that accepts credit cards must comply with PCI requirements, which become more stringent as the volume of transactions rises. The rules cover 12 major categories, including encryption of credit-card data at the point of sale, during transmission to clearinghouses, and physical security of data centers where credit-card data are stored.

PCI Lacks Virtualization Specifics

Even PCI-compliant merchants don’t like the standard much, however, according to a 2009 study from the Ponemon Institute, which found only 29 percent consider it a strategic initiative. 44 percent think it improves security and 60 percent lack the budget to be fully compliant, according to Ponemon’s data.

Small- and mid-sized companies actually improve security moving to clouds, which are professionally managed and secured, concluded a September study from the Fraunhofer Institute for Secure Information Technology.

Today, there is literally no way to know if even a secure system could pass a PCI audit if it were based in a cloud, because there are no specific standards for virtual environments of any kind, Corman says.

The PCI Security Standards Council is indeed releasing updates to its standards, including more detailed guidance on how to secure contactless payments using EMV chips in credit cards.

However, the council will not offer much help defining how to secure credit-card or any other data on virtual infrastructures or cloud environments, according to Bob Russo, general manager of the council.

The council does have a group working on virtualization “of which cloud computing is one type,” but “at this time the Council does not have plans to release separate guidance on cloud computing,” Russo says in an e-mail responding to questions.

“They were supposed to cover virtualization in the last version of the standard, two years ago,” Corman says. “If they haven’t covered x86-based virtual servers yet, they’re not going to get to clouds any time soon.”

Alternative Standards

Many IT practitioners question PCI’s role in the cloud, but few doubt the need for cloud security standards. A March study by IEEE and the Cloud Security Alliance found 82 percent of IT professionals believe the need for cloud-specific security standards is urgent.

PCI is a major driver, but even non-retailers cited the ISO’s Information Security Management Standard, EU Data Privacy Legislation, and US federal regulations including Sarbanes-Oxley and HIPAA none of which have equivalents in virtual or cloud environments. The Cloud Security Alliance has issued several guidelines, including a Cloud Controls Matrix designed to help companies evaluate cloud services according to available security controls.

“If you had something like PCI for the cloud, then at least you would have a common baseline way to judge security and specific issues around protecting customer data,” says Nico Popp, vice president of product development at Verisign’s Trust and Authentication Services, which is expanding the range of its cloud-based services. “Right now no one’s certifying; everyone’s starting from scratch.”

Niche players such as Clone Systems, promise PCI compliance in private-cloud platforms.

Cloud provider Terremark says customers can locate PCI-compliant systems on its hosting service, though it doesn’t promise that explicitly with its Enterprise Cloud.

That doesn’t mean the security isn’t there, only that an undefined specification is impossible to satisfy, according to Chris Drumgoole, senior vice president of client services development for cloud provider Terremark.

So cloud providers end up listing all their certifications and security precautions in detail for customers nervous about the security of public clouds.

“The joke is that we don’t have cloud conversations with customers, we have security conversations,” Drumgoole says. “We have to make sure customers look at a cloud not as a magical thing they can move into and not worry about security. It’s infrastructure as a service, but it has to be secured just like any other infrastructure, often for higher standards than PCI HIPAA, FISMA, lots of others.”

“PCI is a pretty low bar for security, but it’s still expensive for a lot of people,” Corman says. “The cost is high enough that for many companies, compliance is where the budget ends, when it should be your minimum standard.”

Follow everything from CIO.com on Twitter @CIOonline.