PCI Cloud Guidance: Private Cloud Is The Preferred Way To Go

Written by Walter Conway
February 13th, 2013

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Cloud computing is here. For merchants and service providers, the question is how best to implement the technology. The PCI Security Standards Council (PCI SSC) recently released PCI DSS Cloud Computing Guidelines, a document that has important information for any retailer or merchant looking to take advantage of the benefits from cloud computing. This document is well written, and it has a lot of details both on how cloud computing works and on how merchants can be compliant in a cloud environment.

The guidance document begins with a simple statement: “It may be particularly challenging to validate PCI DSS compliance in a distributed, dynamic infrastructure such as a public or other shared cloud.” Using the phrase “particularly challenging” communicates that a merchant’s PCI compliance will be easier or harder depending on the chosen cloud deployment model.

One gem tells clients (a.k.a., merchants) they need to “obtain the details of the CSP’s [cloud service provider’s] compliance validation.” The guidance goes on to suggest merchants review “The Executive Summary and Scope of Work sections” of the CSP’s report on compliance (ROC) and the “specific components, facilities, and services that were assessed.”

Securing a copy of the current attestation of compliance (AOC) for the CSP is a good start, but it is not enough. Merchants need to know the scope of the CSP’s assessment, which is not sufficiently detailed in the AOC. The special interest group (SIG) recognized this situation explicitly with its recommendation. The body of a CSP’s ROC is proprietary, and it may contain information that would not necessarily be useful or appropriate to share. But that does not have to be the case for parts of the Executive Summary and Scope of Work sections.

The Executive Summary of a ROC certainly contains proprietary information. However, the guidance advises that the client and the CSP work together to provide the client with the information the client needs to be PCI compliant. Ideally, this information can be transmitted in a redacted Executive Summary (or part of it) that still defines the scope and lists the specific PCI DSS requirements assessed.

To the best of my knowledge, this is the first official guidance that tells merchants to go beyond asking for the AOC.

My experience with clients is that CSPs will share this documentation once they understand the reason, but it can sometimes take several calls and E-mails to get it. Hopefully, with the SIG’s—and maybe the PCI SSC’s—encouragement, every merchant can more easily understand what the scope of its CSP’s PCI assessment is. (Note to all merchants, whether or not you are considering cloud computing: Shouldn’t you get this same scoping detail for all your service providers?) Securing this documentation, coupled with a strong service-level agreement (SLA) as described in section 6.3.1, should give merchants increased confidence in their CSP and their own PCI DSS compliance.

The guidance’s clear preference for a private cloud implementation may surprise some merchants, cloud providers and security experts. Speaking only for myself, though, I wasn’t surprised by the recommendations. This is because, like most QSAs, I have accepted that the preferred way to achieve PCI compliance in the cloud is with a private cloud. I was a little surprised, albeit pleasantly, by a number of gems tucked away inside the recommendations. Any merchant moving or planning to move its card processing to the cloud needs to digest the recommendations and some of the more subtle signals in this report.

Some cloud proponents will be disappointed in the document, but I think that is because they don’t understand the focus of the report. The guidelines are really not a generic overview of how to conduct business in the cloud. Rather, the Cloud SIG focused on how to process payment-card data in the cloud. And its conclusion is that the most practical way to be PCI compliant in the cloud is with a private cloud.

The SIG did not look at cloud computing for application development or E-mail; it looked at using the cloud to process payment-card data. Merchants can start by accepting a couple of basics about cloud computing, which, according to the guidance document, is a technology that is “yet to be standardized” and still an “evolving technology.” Some CSPs might take issue with this characterization. But from the point of view of the Cloud Computing Special Interest Group (SIG), which authored the report, it is a fair description.

The guidance makes an important distinction between cloud deployment models (private, public, community and hybrid clouds) and cloud service models (software as a service [SaaS], platform as a service [PaaS] and infrastructure as a service [IaaS]). The differences between service models are very important, because the service model in particular determines how control (i.e., responsibility) for PCI DSS compliance is divided between the CSP and the merchant. The most critical differences, however, are between cloud deployment models.
