Earlier this month PCI SSC published a new supplement, PCI DSS Cloud Computing Guidelines, and the point that comes up most often throughout the whole resource is the need to understand the clear differences in responsibility between the merchant and the cloud service provider (CSP).
Several things determine the specific security responsibilities of the merchant and the CSP, starting with the type of cloud service the merchant intends to use. A Software-as-a-Service offering places more responsibility on the cloud provider than an Infrastructure-as-a-Service offering, for instance. Knowing first how the cloud is going to be used provides a strong base for the rest of the conversation.
It’s also important to have a clear understanding of which components of PCI DSS the merchant expects the cloud service provider to be responsible for. This involves finding out which measures the CSP has already had verified, by obtaining a copy of the provider’s ROC (Report On Compliance). The independent audit report should shed light on the steps the provider takes to maintain PCI compliance, and can also help the merchant ensure that its own procedures are in accordance with the newest guidelines. Who is going to be responsible for file integrity monitoring (FIM), or for the daily log review? What about disaster recovery options? A merchant can’t make assumptions about which services are going to be provided; they should be carefully drawn out and explained so that the merchant can properly fill the gaps.
One of the most fundamental points to remember during a conversation with a cloud service provider is that one party’s compliance does not assure the other’s. Just because a CSP is PCI compliant doesn’t mean that working with them automatically grants the merchant compliance. While addressing each component necessary to keep a company’s data secure is a joint effort between merchant and provider, the responsibility for making sure everything is sufficiently accounted for rests ultimately with the merchant. It is paramount that a company does its due diligence before choosing a provider.