12-12-11 | Blog Post
One of the main concerns with cloud computing is security – when it comes to national industry security compliance standards such as PCI DSS or HIPAA, additional precautions must be taken in order to protect confidential data during transmission. While PCI compliance calls for very specific requirements to protect customer cardholder data, it is possible to remain compliant while using the cloud.
The PCI Security Council (PCI SSC) recently released a set of guidelines and recommendations on configuring virtualized environments to meet PCI requirements in June. The council acknowledges there is no one-size-fits-all hosting solution that allows all businesses to meet the PCI requirements, but they do address potential new risks that may be associated with virtualization technology.
According to Onestopclick.com’s article on PCI Compliance and the Public Cloud, some experts suggest using a separate secure server for transactions while using a cloud platform for other business operations. However, the PCI SSC suggests some public clouds have certain characteristics that may introduce challenges in defining scope and responsibilities when it comes to meeting PCI compliance, including the fact that the hosted entity may have limited knowledge of other tenants in their hosted environment and limited control over CHD storage. In a private cloud, dedicated hardware provides more security and control by allowing the tenant to know where their data lives.
As a result, the PCI SSC states the burden of PCI compliance falls upon the cloud provider and their own controls and assessment of their own environment’s compliance. When searching for a PCI compliant hosting provider and solution, merchants should review which controls are in place to meet the requirements, what is included in the scope of their assessment and details of what is not covered, and what is ultimately the merchant’s own responsibility.
The PCI SSC also recommends conducting a risk assessment of their virtual environments to comply with PCI standards, including the following key elements:
For more on PCI compliance, see our prerecorded PCI compliance webinar series, including a PCI overview, detailed PCI requirements and PCI penetration testing and enhancing network and application security, led by a PCI compliance expert, Adam Goslin of High Bit Security.
PCI Compliance and the Public Cloud
Information Supplement: PCI DSS Virtualization Guidelines