
PCI DSS cloud computing guidelines strike discord among would-be adopters

If cloud security has worried you, the Payment Card Industry Security Standards Council report with PCI DSS cloud guidance might add to the confusion.

Although some experts think a recent report on cloud computing security compliance helps clarify how data can safely live in the cloud, others say it could confuse or even scare off cloud computing adopters.

The report on PCI DSS cloud computing security, written by the Payment Card Industry (PCI) Security Standards Council, could influence adopters already stymied by confusion about compliance.


"Cloud computing is a form of distributed computing that has yet to be standardized," the report states in its executive summary. One expert said the report sets a dark tone from the start. "There is no standard yet, and you're basically led to believe that going to the cloud is fraught with danger," said Chris Steffen, principal technical architect at Kroll Factual Data and a Microsoft MVP on cloud and data center management.

The report also suggests that keeping cardholder data out of the cloud entirely is the most effective way to keep a cloud environment out of PCI DSS assessment scope. Statements like these could have inexperienced cloud computing clients and their auditors running scared, Steffen said, and might lead auditors to draconian interpretations of the standard.

"If you want a truly secure computer, take it off the network, encrypt everything, make sure you have quadruple-factor authentication to get into the thing, and then you're still only as secure as the person using it," Steffen said. Users need to balance usability with reason when it comes to computer security, he added.

The report offers matrices for delineating responsibility for each PCI Data Security Standard (DSS) requirement between cloud computing clients and cloud service providers (CSPs). Even so, ambiguities remain that will create confusion, said Carl Brooks, an analyst at Boston-based 451 Research.

For instance, Requirement 9 of PCI DSS requires that physical access to cardholder data be restricted, "a basic PCI requirement since dinosaur times," Brooks said. The guidance simply states that the CSP manages this requirement, but in practice the answer depends on the particular CSP and on how the data is distributed across different physical locations.

"What does that actually, practically mean?" Brooks questioned. "Who is getting sued and/or arrested when cardholder data gets loose?"

Read PCI proponents' defense of the report in part two.

Beth Pariseau is a senior news writer for and Write to her at or follow @PariseauTT on Twitter.
