In addition to defining the roles and responsibilities of PCI cloud hosting providers and their clients/merchants in achieving compliance, the recently released PCI DSS Cloud Computing Guidelines from the PCI Security Standards Council also cover a few examples of compliance challenges that may arise:
Clients may have little or no visibility into the cloud service provider’s (CSP’s) underlying infrastructure and the related security controls.
Clients may have limited or no oversight or control over cardholder data storage.
Organizations might not know where cardholder data is physically stored, or the location(s) can regularly change. For redundancy or high availability reasons, data could be stored in multiple locations at any given time.
Some virtual components do not have the same level of access control, logging, and monitoring as their physical counterparts.
Perimeter boundaries between client environments can be fluid.
Public cloud environments are usually designed to allow access from anywhere on the Internet.
It can be challenging to verify who has access to cardholder data processed, transmitted, or stored in the cloud environment.
It can be challenging to collect, correlate, and/or archive all of the logs necessary to meet applicable PCI DSS requirements.
Organizations using data-discovery tools to identify cardholder data in their environments, and to ensure that such data is not stored in unexpected places, may find that running such tools in a cloud environment can be difficult and result in incomplete results. It can be challenging for organizations to verify that cardholder data has not “leaked” into the cloud.
Many large providers might not support right-to-audit for their clients. Clients should discuss their needs with the provider to determine how the CSP can provide assurance that required controls are in place.
Check your cloud hosting provider’s PCI Report on Compliance (ROC), also known as an independent PCI audit report. Their third-party, independent PCI audit report should shed some light on their physical and network security environment. Ensure it’s up-to-date and they have achieved attestation of PCI DSS version 2.0.
Check their documented security policies and procedures, for PCI and otherwise. Not only are you trying to meet compliance, you also need to ensure their security practices are ironclad. From breach notification timelines and processes to how they handle crisis communication, PCI 12.9 requires an established incident response plan. Your cloud service provider is an integral part of that plan.
Review each component of their PCI cloud package. Not all PCI cloud solutions are alike. Review a matrix of requirements against their solution offerings to ensure that daily log review (analysis, not just event logging), disaster recovery, backup and other technical security services are available to you.
Ensure your cloud hosting provider’s employees are trained on how to comply with PCI standards. According to PCI requirements, you and ideally your cloud vendor should implement a security awareness program, educate personnel both upon hire and annually, screen potential employees, and establish a process to vet and monitor the PCI compliance of service providers regularly.