PCI Council Releases Guidelines for Cloud Compliance

Cloud providers and cloud customers now have a roadmap that defines their security responsibilities in the cloud.

Since 2004, the PCI Security Standards Council (PCI SSC) has maintained the Payment Card Industry Data Security Standard (PCI DSS), a proprietary information security standard for the handling of payment card data.

Increasingly, organizations have taken the PCI standard as a guide for implementing security, even if they don't have responsibility for customer payment card data. But the question of whether and how PCI DSS covers cloud deployments has remained up in the air.

Today, the PCI SSC took a big step toward easing the confusion with the release of the PCI DSS Cloud Computing Guidelines Information Supplement, detailing what is required to secure customer payment data and support PCI DSS compliance in the cloud.

The organization says merchants that use or are considering using cloud technologies in their cardholder data environment will benefit from the guidance. PCI SSC says it also provides valuable guidance to third-party service providers that provide cloud services or products and to assessors reviewing cloud environments as part of a PCI DSS assessment.

"One of cloud computing's biggest strengths is its shared-responsibility model," says Chris Brenton, a PCI Cloud Special Interest Group (SIG) contributor and director of security for cloud server security platform provider CloudPassage.

"However, this shared model can magnify the difficulties of architecting a secure computing environment," Brenton says. "One of this supplement's greatest achievements is that it clearly defines the security responsibilities of the cloud provider and the cloud customer. With the PCI DSS as the foundation, this guidance provides an excellent roadmap to crafting a secure posture in both private and public cloud."

The new guidelines build on the work of the 2011 Virtualization SIG, but also draw from other industry standards. PCI SSC says it will help organizations with the following:

  • Cloud overview. The supplement provides an explanation of common deployment and service models for cloud environments, including how implementations may vary within the different types.
  • Cloud provider/cloud customer relationships. The supplement outlines different roles and responsibilities across different cloud models and provides guidance on determining and documenting the responsibilities.
  • PCI DSS considerations. The supplement provides guidance and examples to help organizations determine responsibilities for individual PCI DSS requirements, including segmentation and scoping considerations.
  • PCI DSS compliance challenges. The supplement describes some of the challenges associated with validating PCI DSS compliance in a cloud environment.

In addition, PCI SSC says the document also includes a number of appendices that address specific PCI DSS requirements and implementation scenarios, including additional considerations to help determine PCI DSS responsibilities across different cloud service models; sample system inventory for cloud computing environments; a sample matrix for documenting how PCI DSS responsibilities are assigned between the cloud provider and client; and a starting set of questions that can help determine how PCI DSS requirements can be me in a particular cloud environment.

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Thor at tolavsrud@cio.com

Read more about compliance in CIO's Compliance Drilldown.

Join the CSO newsletter!

Error: Please check your email address.

Tags compliancecloud securityIT Organizationcloud computinginternetdata protectionPCI DSSPCIIT Organization | CompliancestandardssecurityCloud

More about FacebookIT SecurityMicrosoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Thor Olavsrud

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts