PCI DSS can provide information security roadmap for cloud computing

29 November 2011

The Payment Card Industry Data Security Standard (PCI DSS) is a set of basic information security practices that can be applied to the cloud environment in the same way as to traditional environments, said Tabatha Greiner, executive consultant for global PCI quality assurance with Verizon.

Although cloud computing is not specifically mentioned in PCI DSS, the requirements can be applied to the cloud environment. PCI DSS “is not technology specific. It deals with basic information security practices which can be applied to any technology. It is flexible enough to cover cloud”, Greiner, who is a PCI Qualified Security Assessor (QSA), told a recent teleconference sponsored by Verizon.

“You still have to do things like patch, you still have to ensure that your systems are hardened….Basic security principles can be applied to cloud and noncloud in the exact same way”, said Greiner.

To clarify how PCI DSS applies to cloud, however, the PCI Security Standards Council has published virtualization guidance and has just approved the creation of a special interest group (SIG) to address cloud computing specifically. The cloud computing SIG is one of three SIGs approved earlier this month by PCI participating organizations; the other two cover e-commerce security and risk assessment.

Jim Reavis, executive director of the Cloud Security Alliance (CSA), who moderated the teleconference, said that his organization has a cloud security guidance document that maps to the PCI DSS standard.

Earlier this month, the alliance released the latest version of its cloud security guidance, Version 3. CSA said that the key updates in Version 3 include the following: the domains have been rewritten to emphasize security, stability, and privacy; the guidance assumes a structural maturity in parallel with multinational cloud standards development, in both structure and content; the content has been expanded to include practical recommendations and requirements that can be measured and audited; and security as a service has been added as a domain.

The guidance maps to PCI DSS so that companies that have to protect cardholder data in the cloud can use it to identify compliance gaps. “Once this gap analysis is complete, per the requirements of any regulatory or other compliance mandates, it becomes much easier to determine what needs to be done in order to feed back into a risk assessment framework. This, in turn, helps to determine how the gaps and ultimately risks should be addressed: accepted, transferred, or mitigated”, the document explained.

“It is important to note that the use of cloud computing as an operational model does not inherently provide for or prevent achieving compliance” with PCI DSS or any other information security standard, it stressed.
