Although cloud computing is not specifically mentioned in PCI DSS, the requirements can be applied to the cloud environment. PCI DSS “is not technology specific. It deals with basic information security practices which can be applied to any technology. It is flexible enough to cover cloud”, Greiner, who is a PCI Quality Security Assessor, told a recent teleconference sponsored by Verizon.
“You still have to do things like patch, you still have to ensure that your systems are hardened…. Basic security principles can be applied to cloud and noncloud in the exact same way”, said Greiner.
To clarify how PCI DSS applies to the cloud, however, the PCI council has developed virtualization guidance and has just approved the setting up of a special interest group (SIG) to address cloud computing specifically. The cloud computing SIG is one of three SIGs approved earlier this month by PCI participating organizations; the other two are e-commerce security and risk assessment.
Jim Reavis, executive director of the Cloud Security Alliance (CSA), who moderated the teleconference, said that his organization has a cloud security guidance document that maps to the PCI DSS standard.
Earlier this month, the alliance released the latest version of its cloud security guidance, Version 3. CSA said that key updates in Version 3 include the following: the domains have been rewritten to emphasize security, stability, and privacy; the guidance assumes a structural maturity in parallel with multinational cloud standards development in both structure and content; the content has been expanded to include practical recommendations and requirements that can be measured and audited; and security as a service has been added as a domain.
The guidance maps to PCI DSS so that it can be used by companies that have to protect credit card information in the cloud to identify compliance gaps. “Once this gap analysis is complete, per the requirements of any regulatory or other compliance mandates, it becomes much easier to determine what needs to be done in order to feed back into a risk assessment framework. This, in turn, helps to determine how the gaps and ultimately risks should be addressed: accepted, transferred, or mitigated”, the document explained.
“It is important to note that the use of cloud computing as an operational model does not inherently provide for or prevent achieving compliance” with PCI DSS or any other information security standard, it stressed.