In this tip, the ninth in our series of technical tips on cloud security, we will focus specifically on the question of achieving Payment Card Industry Data Security Standard v1.2 (PCI-DSS) compliance using the public cloud. As a disclaimer, I should note that while I am a PCI QSA, this is my interpretation of the PCI-DSS requirements. I do not speak on behalf of the PCI Security Standards Council (PCI SSC), nor do I speak for any other assessor.
Can I be PCI compliant in a public cloud?
If you do not store or process cardholder data in a public cloud, then it is possible to reach compliance with PCI-DSS. If you do store or process cardholder data in a public cloud, however, then it is my opinion that it would not be possible to currently achieve PCI-DSS compliance.
You can achieve compliance if all you are doing is securely transmitting cardholder data over a public cloud (similar to the Internet today).
PCI-DSS compliance issues with public clouds
PCI-DSS does not address the nuances involved with cloud providers. PCI-DSS does, however, directly address shared hosting providers, and there has been guidance on Internet Service Providers (ISPs). While it is reasonable for companies to view public cloud providers in the same light as shared hosting providers, the problem is with the requirements on those providers and how current cloud providers fall short. PCI-DSS Appendix A requires that providers implement as well as prove to an assessor that:
- Each entity only runs processes that have access to that entity's cardholder data environment (A.1.1). This entails providing access to systems and proving that this isolation is indeed happening.
- Each entity's access and privileges are restricted to its own systems and data (A.1.2). Again the problem is in proving that this is happening.
- Log and audit trails exist to show access to any cardholder data (A.1.3). Access and proof are issues again, as well as problems surrounding Virtual Machine Guest images and any potential cardholder data stored in the image or memory of a suspended image.
- A process and a mechanism are provided to allow for timely forensic investigation in the event of a compromise to any other client or the provider itself (A.1.4). I do not know of any cloud provider in a position to meet this requirement.
Since there is no option in PCI-DSS for risk acceptance and 100% compliance is required, I have to conclude that you cannot be compliant in those deployments. I do think, however, that cloud providers will be making modifications to service-level agreements (SLAs) and contracts that will enable organizations to be compliant in the future; it is just not possible today.
Some may argue that compensating controls can be used to achieve compliance, but I do not believe that to be the case. Until cloud providers are willing to open up and show us (i.e., customers and auditors) what the insides look like, PCI-DSS compliance for storing and processing of cardholder data remains a pipe dream.
So what can you do? I recommend one of two things:
- Offload all payment card operations to a third party (i.e., PayPal).
- Bring the storage and processing of cardholder data onto internally controlled systems. This is basically creating a hybrid cloud.
Furthermore, you should put pressure on your cloud provider to bring about a PCI-compliant portion of their cloud. That way you can use their compliance to augment yours.
ABOUT THE AUTHOR:
Phil Cox is a principal consultant of SystemExperts Corporation, a consulting firm that specializes in system security and management. He is a well-known authority in the areas of system integration and security.
His experience includes Windows, UNIX, and IP-based networks integration, firewall design and implementation and ISO 17799 and PCI compliance. Phil frequently writes and lectures on issues dealing with heterogeneous system integration and compliance with PCI-DSS. He is the lead author of Windows 2000 Security Handbook Second Edition (Osborne McGraw-Hill) and contributing author for Windows NT/2000 Network Security (Macmillan Technical Publishing).
Phil holds a BS in Computer Science from the College of Charleston