Is PCI compliance attainable in a public cloud?

In this tip, the ninth in our series of technical tips on cloud security, we will focus specifically on the question of achieving Payment Card Industry Data Security Standard v1.2 (PCI-DSS) compliance using the public cloud. As a disclaimer, I should note that while I am a PCI QSA, this is my interpretation of the PCI-DSS requirements. I do not speak on behalf of the PCI Security Standards Council (PCI SSC), nor do I speak for any other assessor.

Can I be PCI compliant in a public cloud?
If you do not store or process cardholder data in a public cloud, then it is possible to reach compliance with PCI-DSS. If you do store or process cardholder data in a public cloud, however, then it is my opinion that it would not currently be possible to achieve PCI-DSS compliance.

You can achieve compliance if all you are doing is securely transmitting cardholder data over a public cloud (similar to the Internet today).

PCI-DSS compliance issues with public clouds
PCI-DSS does not address the nuances involved with cloud providers. PCI-DSS does, however, directly address shared hosting providers, and there has been guidance on Internet Service Providers (ISPs). While it is reasonable for companies to view public cloud providers in the same light as shared hosting providers, the problem is with the requirements on those providers and how current cloud providers fall short. PCI-DSS Appendix A requires that providers implement as well as prove to an assessor that:

  • Each entity only runs processes that have access to that entity's cardholder data environment (A.1.1). This entails providing access to systems and proving that this isolation is indeed happening.
  • Each entity's access and privileges are restricted to its own systems and data (A.1.2). Again the problem is in proving that this is happening.
  • Log and audit trails exist to show access to any cardholder data (A.1.3). Access and proof are issues again, as are problems surrounding virtual machine guest images and any cardholder data potentially stored in the image, or in the memory of a suspended image.
  • A process and a mechanism are provided to allow for timely forensic investigation in the event of a compromise to any other client or the provider itself (A.1.4). I do not know of any cloud provider in a position to meet this requirement.

Since there is no option in PCI-DSS for risk acceptance and 100% compliance is required, I have to conclude that you cannot be compliant in those deployments. I do think, however, that cloud providers will be making modifications to service-level agreements (SLAs) and contracts that will enable organizations to be compliant in the future; it is just not possible today.

Conclusion
Some may argue that compensating controls can be used to achieve compliance, but I do not believe that to be the case. Until cloud providers are willing to open up and show us (i.e., customers and auditors) what the insides look like, PCI-DSS compliance for storing and processing of cardholder data remains a pipe dream.

So what can you do? I recommend one of two things:

  • Offload all payment card operations to a third party (e.g., PayPal).
  • Bring the storage and processing of cardholder data onto internally controlled systems. This is basically creating a hybrid cloud.

Furthermore, you should put pressure on your cloud provider to bring about a PCI-compliant portion of their cloud. That way you can use their compliance to augment yours.

ABOUT THE AUTHOR:

Phil Cox is a principal consultant of SystemExperts Corporation, a consulting firm that specializes in system security and management. He is a well-known authority in the areas of system integration and security.

His experience includes Windows, UNIX, and IP-based networks integration, firewall design and implementation and ISO 17799 and PCI compliance. Phil frequently writes and lectures on issues dealing with heterogeneous system integration and compliance with PCI-DSS. He is the lead author of Windows 2000 Security Handbook Second Edition (Osborne McGraw-Hill) and contributing author for Windows NT/2000 Network Security (Macmillan Technical Publishing).

Phil holds a BS in Computer Science from the College of Charleston.

This was first published in February 2010
