Compliance is non-transferable. That is the gist of the PCI SSC's recent information supplement on cloud computing guidelines for merchants (e-commerce, retail, franchise, and anyone else that handles credit cardholder data). Addressing merchants that work with cloud service providers (CSPs) directly, the supplement lists a number of challenges of working with CSPs, one of which is important enough to single out in section 5.1:
What does "I am PCI compliant" mean? Essentially, even if you contract with a cloud hosting provider that has achieved an Attestation of Compliance with PCI DSS version 2.0, meaning it was independently audited and reviewed by a Qualified Security Assessor (QSA), you as the merchant/client do not automatically achieve PCI compliance. A PCI cloud service provider can fulfill a number of the PCI technical requirements on your behalf, but you still have to do your own due diligence to maintain your organization's security and compliance.
The PCI SSC recognizes that an attestation of compliance reflects a single point in time, and that maintaining ongoing compliance requires monitoring and validation of effective controls. The merchant is ultimately responsible for these tasks, although they may be split with a CSP. One example of a validated control for a CSP is the use of up-to-date antivirus software: that control counts toward the CSP's compliance, but it does not necessarily extend to the merchant/client's own operating systems or VMs running in that cloud.
According to the council, ongoing client-side system maintenance is required for those that connect to the PCI cloud environment. The PCI cloud guide spells it out clearly:
This is why working out who is responsible for what (usually both parties, to some degree) is important for covering all of your bases and leaving no compliance or security gaps. For a list of services that fulfill specific PCI requirements, read PCI Compliant Services and view a matrix of what a cloud hosting provider can offer.
Next, how can you validate the controls managed by your PCI cloud hosting provider? A cloud hosting provider that has undergone a PCI audit should be able to provide:
But what if your cloud provider has not yet undergone a PCI audit? Merchants/clients will then need to include the cloud provider in the scope of their own PCI assessment, and may need access to, or detailed information from, the cloud provider, including:
One way to save significant audit cost, time and personnel resources is to partner with a PCI hosting provider that has already achieved its own Attestation of Compliance and can provide the documentation needed to demonstrate that compliance.
For more about what a PCI compliant hosting provider should provide, read our PCI Compliant Hosting white paper. Still have questions? Contact us or chat with us now. Find out more about our fully compliant, PCI hosting solutions, or submit a quote request for your project today.
Information Supplement: PCI DSS Cloud Computing Guidelines (PDF)
Looking for more information on PCI hosting requirements, recommendations, and the foundation of a secure PCI compliant data center?
Our PCI Compliant Hosting white paper has a complete guide to PCI hosting with IT vendors.
Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.