Earlier this month PCI SSC published a new supplement, PCI DSS Cloud Computing Guidelines, and the point that recurs throughout the whole resource is the need for a clear division of responsibility between the merchant and the cloud service provider (CSP).
Several things determine where specific security responsibilities fall between the merchant and the CSP, starting with the type of cloud service the merchant intends to use. A Software-as-a-Service offering places more responsibility on the cloud provider than an Infrastructure-as-a-Service offering, for instance, where the merchant typically still owns the operating system, applications and data running on the provider's infrastructure. Establishing first how the cloud is going to be used provides a strong base for the rest of the conversation.
It’s also important to have a clear understanding of which components of PCI DSS the merchant expects the cloud service provider to be responsible for. This involves finding out which measures have already been verified by the CSP, by obtaining a copy of the provider’s ROC (Report On Compliance) or, as is more common in practice, its AOC (Attestation of Compliance), which summarizes the assessment and the services it covered. The independent assessment should shed light on the steps the provider takes to maintain PCI compliance, and can also help the merchant ensure that its own procedures are in accordance with the newest guidelines. Who is going to be responsible for file integrity monitoring (FIM), or for the daily log review? What about disaster recovery? A merchant can’t make assumptions about which services are going to be provided; they should be carefully drawn out and explained, in writing, so that the merchant can properly fill the gaps.
One of the most fundamental points to remember during a conversation with a cloud service provider is that one party’s compliance does not assure the other’s. Just because a CSP is PCI compliant doesn’t mean that working with them automatically grants the merchant compliance; the provider’s assessment covers only the services and controls within its own scope. While it is a joint effort between merchant and provider to address each component necessary to ensure a company’s cardholder data is secure, the responsibility for making sure everything is sufficiently accounted for rests ultimately with the merchant. Doing due diligence before choosing a provider is therefore paramount.
Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.