Is PCI compliance attainable in a public cloud?
Phil Cox, Contributor

In this tip, the ninth in our series of technical tips on cloud security, we will focus specifically on the question of achieving Payment Card Industry Data Security Standard v1.2 (PCI-DSS) compliance using the public cloud. As a disclaimer, I should note that while I am a PCI QSA, this is my interpretation of the PCI-DSS requirements. I do not speak on behalf of the PCI Security Standards Council (PCI SSC), nor do I speak for any other assessor.

Can I be PCI compliant in a public cloud?
If you do not store or process cardholder data in a public cloud, then PCI-DSS compliance is achievable. If you do store or process cardholder data in a public cloud, however, it is my opinion that PCI-DSS compliance is not currently achievable.

You can achieve compliance if all you are doing is securely transmitting cardholder data across a public cloud, just as you do across the Internet today; Requirement 4 already covers encrypting cardholder data in transit over open, public networks.

A note on PCI-DSS compliance rules:
If you have a contractual obligation to comply with PCI-DSS, then you have to comply with 100% of it. PCI-DSS requires continuous compliance, but only requires you to "prove" it annually (a.k.a. validation), with the quarterly external vulnerability scans of Requirement 11.2 in between.

The specifics of what you have to do to validate your compliance will vary based on the volume of transactions you process and what type of entity you are (i.e., merchant versus service provider).

An important point to consider: even though a smaller merchant has much less stringent validation requirements than a large merchant (a self-assessment questionnaire rather than an on-site assessment by a third-party assessor), you will be examined under the same compliance microscope in the event of a breach.

PCI-DSS compliance issues with public clouds
PCI-DSS does not address the nuances of cloud providers. It does, however, directly address shared hosting providers, and there has been guidance on Internet Service Providers (ISPs). It is reasonable to view public cloud providers in the same light as shared hosting providers; the problem lies in the requirements placed on those providers and in how current cloud providers fall short of them. PCI-DSS Appendix A (additional requirements for shared hosting providers) requires that providers implement, and prove to an assessor, the following:

  • Each entity runs only processes that have access to that entity's own cardholder data environment (A.1.1). This entails giving the assessor access to the underlying systems and proving that the isolation is actually in place.
  • Each entity's access and privileges are restricted to its own systems and data (A.1.2). Again, the problem is proving that this is happening.
  • Logging and audit trails exist to show access to any cardholder data (A.1.3). Access and proof are issues here as well, along with the problem of virtual machine guest images: cardholder data may persist on disk in the image, or in the saved memory of a suspended image, outside any log or audit trail.
  • A process and a mechanism exist to allow timely forensic investigation in the event of a compromise of any hosted entity or of the provider itself (A.1.4). I do not know of any cloud provider in a position to meet this requirement.

Since PCI-DSS offers no option for risk acceptance and requires 100% compliance, I have to conclude that you cannot be compliant in such deployments. I do think, however, that cloud providers will modify their service-level agreements (SLAs) and contracts in ways that enable organizations to be compliant in the future; it is just not possible today.

Conclusion
Some may argue that compensating controls can be used to achieve compliance, but I do not believe that to be the case. Until cloud providers are willing to open up and show us (i.e., customers and auditors) what the insides look like, PCI-DSS compliance for storing and processing of cardholder data remains a pipe dream.

So what can you do? I recommend one of two things:

  • Offload all payment card operations to a third party (e.g., PayPal), so that cardholder data never enters your cloud environment.
  • Bring the storage and processing of cardholder data back onto internally controlled systems, leaving the rest of the application in the public cloud. This is essentially a hybrid cloud.

Furthermore, you should put pressure on your cloud provider to build a PCI-compliant portion of its cloud, so that you can rely on its validated compliance to augment your own.

PHIL COX'S BIO:   
Phil Cox is a principal consultant of SystemExperts Corporation, a consulting firm that specializes in system security and management. He is a well-known authority in the areas of system integration and security.

His experience includes Windows, UNIX, and IP-based networks integration, firewall design and implementation and ISO 17799 and PCI compliance. Phil frequently writes and lectures on issues dealing with heterogeneous system integration and compliance with PCI-DSS. He is the lead author of Windows 2000 Security Handbook Second Edition (Osborne McGraw-Hill) and contributing author for Windows NT/2000 Network Security (Macmillan Technical Publishing).

Phil holds a BS in Computer Science from the College of Charleston.

All Rights Reserved, Copyright 2009 - 2010, TechTarget | Read our Privacy Policy