PCI And Cloud Computing: It’s All About Scope

Written by Walter Conway
March 18th, 2010

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa

If you missed the recent RSA Conference–that annual Woodstock for security professionals worldwide–all you need to do is put the words cloud, security and compliance in a sentence with just about any verb and you can pretend you were there.

The cloud is all the rage in corporate computing, and with good reason: It promises to significantly reduce your IT infrastructure investment and operating costs while improving availability. The issue for merchants is how to maintain security and validate PCI compliance in this brave new world of cloud computing. Are PCI and the cloud incompatible? Maybe the best place to start answering that question is by asking two more: What is so new about the cloud, and is it secure? But the ultimate question is, What does it do to my PCI scope?

The concept behind cloud computing is not new. It takes advantage of shared resources to give you, the user, the most bang for your computing buck. The cloud is like an updated version of 1970s timesharing, when users had dumb terminals connected over phone lines to remote mainframe computers that stored their data and applications.

The computing pendulum swung away from the centralized model toward desktop computing in the 1980s, with the acceptance of personal computers and the client/server model. With the spread of the Internet, cloud computing is moving us back to a centralized computing model–but one where the network, data and applications are all remote, that is, in the “cloud.” Other than the technology, there is not a lot new here.

If the cloud is not new, neither is the issue of security. If you consider the top security threats from cloud computing, you will find that they sound pretty familiar: improper use; insecure applications; malicious insiders; shared technology (for example, virtualization) vulnerabilities; data loss; and account hijacking. So the questions are the same. What has changed is the context.

CIOs need to assess the security of cloud packages as they evaluate what to move and when to move it to the cloud. The biggest security hurdle seems to be the transparency, interoperability and auditability of the cloud provider. That is, do you as CIO understand fully how and where your data are stored, what you will do if your cloud provider goes out of business, and whether you can adequately audit its performance?

Unfortunately, we have no reliable third-party seal of approval or assessment of cloud providers. And marketing hype is not going to fill that gap.

From a PCI compliance perspective, it all comes down to scope. That is, although the technology–primarily virtualization–may be new, the compliance concerns you need to address (see above) are the same. You need, ideally together with your QSA, to tell the story of how each PCI requirement is met for every in-scope system component that lives in the cloud.

What will you move to the cloud? It might be cardholder data, a payment application or another application that uses cardholder data. Possibly your development system or even your network will be in the cloud. What you move determines how much of your PCI scope lands in the cloud, and therefore how much of your compliance story depends on the provider's controls and on your ability to verify them. It also helps to know what kind of cloud you are using: public, private or some combination of the two.


2 Comments

  1. Cranston Snoard Says:

    Thank you, Walt! It is refreshing to read an article (and a good one at that!) that discusses cloud computing and security which doesn’t get caught up in the industry hype.

  2. Joshua Corman Says:

    One thing you didn’t cover here, but is crucial…
    Will the Cloud provider *allow* audits?

    There are cases where you cannot be compliant because they will not let you audit them – as a matter of policy. Layer 8+

    Several of the “newer” challenges are Legal/Contract/Audit issues. Hosting and CoLo give us glimpses into these challenges, but this is still a big reason why many are not yet willing to put regulated data into clouds.



