With nearly every industry required to adhere to one (or more) regulatory standards, it’s no surprise that meeting compliance is such a priority. In this post, we’ll outline some challenges and suggestions on achieving PCI compliance in the cloud and where responsibility falls.
Quick recap: What is PCI?
The Payment Card Industry Data Security Standard, or PCI DSS (PCI for short), is a set of requirements created and enforced by the PCI Security Standards Council to ensure and enforce the security of credit card transactions. Anyone who accepts credit cards as a payment method must protect transaction information or risk fines for being out of compliance.
PCI compliance in cloud
Like most compliance regulations supported by a cloud provider, PCI is a shared responsibility model. That means that your provider is responsible for ensuring specific layers of the environment meet compliance, and you are responsible for specific layers. Generally speaking, you should consider data, software, user applications, operating systems, databases and the virtual infrastructure as your responsibility. Your provider will take care of the physical infrastructure (although this varies by provider, so be sure to double check).
That said, the PCI Security Standards Council recognizes that current guidance on securing servers in cloud environments is particularly lacking; in fact, the existing guidelines address virtualization rather than cloud specifically. To address this, the council has sponsored the creation of a cloud special interest group (SIG) to examine the use of cloud technologies and provide guidance on considerations for PCI DSS requirements in cloud environments.
Still, meeting PCI compliance is a process, not a checkbox, so it’s not just the infrastructure you need to measure against but how you deploy and run your environment on a daily basis. You don’t want to be caught unawares when it’s time to audit your environment(s), so it’s wise to check with assessors and your own peers to ensure everything is up to snuff. Achieving compliance is a continuous and complex task, and one that shouldn’t be done alone. Finding the right provider, one that can demonstrate its own PCI compliance (or compliance with any other regulation) through independent audits and reporting, can go a long way towards meeting compliance in your own right.
What have we learned?
PCI DSS is a compliance standard that outlines specific technological guidelines to protect sensitive financial data used by banking and/or financial vendors. Despite the lack of specific guidance around PCI compliance in the cloud from the PCI Security Standards Council, it’s more than possible to meet PCI compliance in a cloud environment with the right cloud provider. However, it’s important to remember that relying on a cloud provider with PCI-compliant infrastructure doesn’t automatically make you or your applications compliant. You’ll still need to ensure your data, networking, ingress/egress transfers, operating systems, etc. all meet PCI standards.
Looking for a cloud provider with experience in PCI hosting? We’ll work with you to ensure every layer of the stack is compliant — not just the infrastructure. Otava has more than 25 years of history and specializes in helping organizations achieve peace of mind with their secure, compliant cloud solutions. Visit www.otava.com to learn more or contact us to get started.
Looking for more information on PCI compliant cloud hosting? Check out our white paper or see additional resources below.