On February 26th, Adam Goslin, COO of High Bit Security, joined us for the webinar Updates to PCI-DSS Compliance for E-Commerce and Cloud Computing Security. In the hour-long discussion Adam really dug into the specifics of the supplements that came out thus far this year from the PCI-SSC (Payment Card Industry Security Standards Council). If you weren’t able to join us, here’s a recap highlighting some of the points Adam felt were most important to address.
The most fundamental and important point, to me, was that there is no option that completely removes a merchant’s PCI compliance responsibilities. Even using a third party processor, while greatly reducing how much of your environment is in scope, does not totally absolve you from being ultimately responsible for compliance.
Another overarching point was that there are no one-size-fits-all methods to get compliant. This is a process that takes teamwork from both the vendor and the merchant, and Adam gave the pretty direct advice to stay away from any company whose applications or services are touting the ability to make an enterprise totally compliant without any legwork from the merchant. They may be able to help, or take on much of the responsibility in the partnership, but there will still be pieces that the merchant controls and monitors.
When speaking about the supplement specific to cloud service providers (CSPs), he broke down the three general service models (IaaS, PaaS, SaaS) and the responsibilities shared between cloud service provider and merchant for each one:
In the SaaS model, the CSP handles most of the compliance requirements. Both the cloud service provider and the merchant remain responsible for securing the systems, restricting access on a need-to-know basis, and issuing unique IDs to each employee. The CSP handles the remaining PCI DSS requirements.
In the PaaS model, the service provider handles the entire physical environment, and the remaining responsibilities are split between the two parties.
For PCI compliant IaaS services, a merchant can generally expect to be responsible for their own encryption and anti-virus. The CSP takes care of the physical environment (system cooling, controlled physical access, and so forth), and the rest is a combined effort between the two parties.
After explaining this breakdown, Adam stressed the importance of sitting down with the CSP before contracting with them and determining exactly which responsibilities are delegated where:
“You need to evaluate that cloud service provider’s offering, and ultimately the merchant is responsible for their PCI compliance. Now, one way for those merchants to mitigate some of those responsibilities is to have written agreements with their cloud service providers, and make sure there’s a clear definition of responsibility as far as what it is the client is going to be responsible for, as well as what the cloud service provider is going to be responsible for.”
Lastly, Adam gave a list of recommendations. Here are a few:
You can watch the whole webinar here if you’re interested in getting more in-depth on the different e-commerce payment card processing options available or if you still have questions about how to work with a cloud hosting provider.