Payment Card Industry clears up confusion over cloud use

The Payment Card Industry Security Standards Council (PCI SSC) has published guidelines for using the cloud for credit card processing, ending the guesswork that has plagued merchants and cloud providers.

The PCI SSC introduced its Data Security Standards (DSS) for the cloud Thursday. The guidelines are expected to clear up the confusion that resulted from auditors giving different interpretations in applying pre-cloud standards to the modern computing platform.

The original PCI DSS guidelines and standards covered physical servers that a merchant, such as Home Depot, would have in its own data center. Those guidelines became only marginally effective once merchants started moving their servers to infrastructure-as-a-service (IaaS) providers, such as Amazon and Rackspace, where multiple virtual servers, each belonging to a different company, run on a single physical machine.

The new guidelines make clear the respective responsibilities of merchants and cloud service providers. For example, the cloud provider must show that it keeps each client's data in its own silo, but the merchant is responsible for encryption and for proper login credentials for accessing that data. Other merchant responsibilities include server configuration and software patching.

In the absence of guidelines, merchants assumed that the cloud service provider satisfied many of the PCI requirements.

"As folks move into the cloud, they think they are getting a little bit of a get out of jail card and they can just say, 'the cloud provider will take care of all that,'" said Chris Brenton, director of security at CloudPassage and a member of the PCI group that drew up the guidelines. "One of the things this guidance is very clear on is no, you will always have some level for making sure that credit-card information stays secure."


The guidelines establish PCI-defined best practices for using the cloud for credit card processing. Depending on the circumstances, companies may decide to go beyond the requirements. For example, a large company more exposed to sophisticated cyberattacks may add layers of security beyond what is required.

"One of the problems with the PCI DSS is that it's trying to be kind of a one size fits all and every environment is a little different," Brenton said.

For large corporations and financial institutions, the next step will be having the guidelines for cloud environments incorporated in the software they use to set policies for maintaining compliance, said Michael Versace, an analyst for IDC.

Connecting so-called governance, risk management and compliance (GRC) systems to the cloud would provide a "clearer, maybe more current, picture of how well a cloud service provider might be complying with a set of standards, like the PCI security standards," Versace said.

Overall, PCI compliance has reduced risk. A 2011 study by the Ponemon Institute found that 64% of compliant organizations reported no breaches involving credit card data over two years, versus only 38% of non-compliant organizations.

Stories by Antone Gonsalves