I recently read an article claiming that “cloud transparency continues to be the single biggest issue hindering adoption of cloud-based services” when it comes to maintaining PCI DSS compliance in the cloud. The Search Cloud Security article said “merchants still face a wall when trying to gain visibility into cloud providers’ systems and processes.”
The article also states that most cloud providers decline to be audited and will often accept an audit only under pressure from larger customers, which raises the question: what exactly are these cloud providers trying to hide? Whatever compliance or security concerns a company has, this remains a major issue; trusting and investing in a managed hosting provider requires an open-door policy.
What are the top (and, in most cases, required) ways to ensure you have complete visibility into your PCI cloud hosting provider’s environment, so that you not only satisfy PCI compliance demands but also gain peace of mind?
These are great recommendations, but what is the actual language of the standard when it comes to third-party/managed service providers (cloud hosting companies)? See below:
For service providers required to undergo an annual onsite assessment, compliance validation must be performed on all system components in the cardholder data environment.
A service provider or merchant may use a third-party service provider to store, process, or transmit cardholder data on their behalf, or to manage components such as routers, firewalls, databases, physical security, and/or servers. If so, there may be an impact on the security of the cardholder data environment.
For those entities that outsource storage, processing, or transmission of cardholder data to third-party service providers, the Report on Compliance (ROC) must document the role of each service provider, clearly identifying which requirements apply to the assessed entity and which apply to the service provider. There are two options for third-party service providers to validate compliance:
- They can undergo a PCI DSS assessment on their own and provide evidence to their customers to demonstrate their compliance; or
- If they do not undergo their own PCI DSS assessment, they will need to have their services reviewed during the course of each of their customers’ PCI DSS assessments.
And when it comes to a merchant’s own PCI Report on Compliance (ROC) and reviews of managed service providers’ environments:
For managed service provider (MSP) reviews, the assessor must clearly identify which requirements in this document apply to the MSP (and are included in the review), and which are not included in the review and are the responsibility of the MSP’s customers to include in their reviews.
Merchants, do your due diligence: gain visibility into a cloud provider’s environment and its ability to secure your data and applications to PCI DSS standards, and know when to seek a different provider if they refuse to comply. In practice, that means asking for the provider’s current evidence of compliance (its own assessment results or Attestation of Compliance) and a written statement of which PCI DSS requirements the provider covers and which remain your responsibility, since the quoted language above requires exactly that split to be documented in your ROC.
Looking for more information on PCI DSS IT requirements, recommendations, and the foundation of a secure PCI compliant data center?
Download our PCI Compliant Data Centers white paper now for a complete guide to PCI hosting with IT vendors. Still have questions? Contact us or chat with us now. Find out more about our fully compliant, PCI hosting solutions, or submit a quote request for your project today.
Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.