New PCI guidance helps merchants get arms around customer data and the cloud

The PCI DSS Cloud Computing Guidelines Information Supplement is the result of a pow-wow between more than 100 global organizations, representing banks, merchants, security assessors, technology vendors and cloud services providers themselves, in an attempt to identify and address the security challenges for different cloud architectures and models, and understand their PCI DSS responsibilities when implementing these solutions.

First and foremost, merchants must see payment security as a shared responsibility, the guidance recommends. Cloud computing is by nature shared, which means that it’s increasingly important for all parties involved to understand their responsibility when it comes to protecting the data.

“Many merchants mistakenly believe that if they outsource everything to a cloud service provider, much of the responsibility goes away for being PCI compliant – unfortunately, that’s simply not the case,” said Bob Russo, general manager at the PCI Security Standards Council, speaking to Infosecurity. “A merchant needs to ensure that a cloud services provider is PCI-compliant not just for its own piece, but for the entire spectrum, including what that provider is specifically doing for the merchant.”

One of the over-arching issues for merchants is getting a handle on where the data is stored. “If they’re backing up and storing card data and encrypting it – the question becomes, in how many places is it being stored?”, Russo explained. “Do you know where, and how many instances of the data there are out there?”

Making things more complex, service providers often outsource some of the functions a merchant originally outsourced to them, creating a “nested” data environment.

“We see this all the time, where people aren’t really understanding where the data is,” Russo said. “Merchants must ask the right questions about that, and then identify the relationships that their cloud providers have in place with their own providers.”

Within the merchants themselves, ensuring compliance in a cloud environment is a shared responsibility, Russo added. “This is a function of the IT department, risk assessment groups, people doing specific due diligence, the legal department and the cloud provider, all working together,” Russo said. “It may sound like a complex endeavor, but the consequences of not doing so should far outweigh the overhead.”

One of the biggest issues when it comes to auditing cloud approaches to ensure they are PCI compliant end-to-end is the sheer variety of cloud models and a lack of clarity around what constitutes compliance.

“One of the aspects of the PCI cloud SIG supplement that I really appreciate is the practical security advice that goes beyond what's necessary to simply pass a PCI DSS audit,” Chris Brenton, a PCI Cloud SIG contributor and director of security for CloudPassage, told Infosecurity. “For example, a lot of background is included to explain why legacy data center security tools, and in some cases even virtualization-based security tools, can be problematic in a public cloud environment. This solid foundation provides insight which is even beneficial to those who are not currently focused on PCI.”

The guidance includes a Cloud Overview with an explanation of common deployment and service models for cloud environments, including how implementations may vary within the different types. That helps bring clarity to what before was filled with shades of gray, Brenton said.

“Prior to the release of this supplement, QSAs had to use the Third Parties/Outsourcing section of PCI DSS standard when performing an attestation on a cloud based environment,” said Brenton. “This left control evaluation open to the interpretation of the auditor. The problem is that different QSAs may have different opinions. The result is that one QSA may feel attestation in a cloud environment is impossible, while another feels it is possible via compensating controls. The cloud SIG supplement clearly identifies what controls are deemed acceptable, which will help to ensure consistency in audits.”

The guidance comes in at 50 pages and is broken down into units. A section titled 'Cloud Provider/Cloud Customer Relationships' outlines different roles and responsibilities across the different cloud models and guidance on how to determine and document these responsibilities; and 'PCI DSS Considerations' provides guidance and examples to help determine responsibilities for individual PCI DSS requirements, and includes segmentation and scoping considerations.

'PCI DSS Compliance Challenges', meanwhile, describes some of the challenges associated with validating PCI DSS compliance in a cloud environment, and 'Additional Security Considerations' explores a number of business and technical security considerations for the use of cloud technologies.