This is page 2 of:
PCI Cloud Guidance: Private Cloud Is The Preferred Way To Go
My reading of the guidance leads to a single conclusion: The most practical way for a merchant to be PCI DSS compliant in the cloud is with a private cloud deployment. The guidance acknowledges there are alternatives, but the PCI SSC’s preference is clear. For example, in section 3.3 the guidance says, “Any cloud deployment model that is not truly private (on-premises) is by nature a shared responsibility model” and, “Even if a [merchant] does not have control over a particular layer, they may still have responsibility for configurations or settings that the CSP maintains on their behalf.”
Section 4 has some very thoughtful advice on PCI DSS responsibilities in the cloud. By stating, “Clients utilizing a public or otherwise shared cloud must rely on the CSP to ensure that their environment is sufficiently isolated from the other client environments,” the guidance reinforces the case that it will be easier to use a private cloud to protect payment-card data.
Other statements in section 4.4 reinforce the conclusion that PCI compliance is easiest in a private cloud. For example, the guidance states, “there should be guaranteed isolation of data that is stored” and client environments “must be isolated from each other such that they can be considered separate entities with no connectivity between them.” Meeting these tests with anything but a private cloud can present challenges.
The scoping guidance in section 4.5 has three recommendations: Don’t store, process or transmit payments in the cloud; implement a dedicated physical infrastructure that is used only for the in-scope cloud environment; and minimize reliance on third-party CSPs. This is scoping guidance, not a mandate: it does not say that merchants must use a private cloud, but it does reinforce the case that a private cloud is the preferred option.
The segmentation and scoping advice is well developed and, throughout the document, the SIG focuses on protecting the merchant. As a QSA who shares this focus, I appreciated the guidance and the perspective.
Sections of the Cloud Computing Guidelines contain a few gems that are worth particular note. For example, Section 5.1 begins with some sage advice that merchants must remember when they speak to potential CSPs: “Use of a PCI DSS compliant CSP does not result in PCI DSS compliance for the clients.” That means in cloud computing, as in any other aspect of PCI compliance, a merchant can outsource its infrastructure or management controls to a CSP, but it cannot outsource its PCI responsibility.
There is more good reading in the guidance. The individual appendices convey some important, if subtle, messages, and they reflect the experience and knowledge of the SIG participants.
For example, Appendix C, which addresses responsibilities of CSPs and clients, goes beyond the usual single column identifying which party is responsible for a particular PCI DSS requirement. It adds three more columns: one specifying the precise scope of the client’s responsibility; a second specifying the precise scope of the CSP’s responsibility; and a third asking for “how and when the CSP will provide evidence of compliance to the Client.” Appendix D could serve as a pretty good discussion guide for any merchant to use when it meets with a potential CSP. Print it out and distribute a copy in advance, both internally and to any potential CSP.
How you view the PCI DSS Cloud Computing Guidelines may depend on your particular perspective. From one QSA’s perspective, it is a thoughtful document with lots of specific advice for merchants (and service providers) moving to or contemplating a move to the cloud. The clear preference appears to be the private cloud option. And looking at cloud computing through a PCI lens, it is difficult to see things differently. But to their credit, the SIG members analyzed the alternatives and described a set of action items for merchants considering other deployment models.
Has your company explored moving some of its payment-card processing to the cloud? Did you see the relevant parts of the Executive Summary in the CSP’s ROC? And if not, how did you assess its PCI compliance as a PCI service provider? Do you have a strong SLA in place? I’d like to hear about your experiences. Either leave a comment or E-mail me.