PCI Compliance in the Cloud

The PCI Security Standards Council recently released its PCI DSS Cloud Computing Guidelines Information Supplement, which explains how organizations can utilize cloud services and still be PCI compliant. The document offers useful explanations and diagrams illustrating how security, responsibility and control are shared by cloud providers and their customers.

The Payment Card Industry (PCI) Data Security Standard (DSS), mandated by Visa, MasterCard and the other payment card brands, requires “all merchants with internal systems that store, process or transmit cardholder data” to comply with data protection measures and to submit to security assessments. Under the rules, companies must protect cardholder data through logical and physical access controls, activity monitoring and logging, encryption of stored and transmitted data, and regular network vulnerability scans. Unlike many security standards, PCI DSS spells out these requirements in fairly specific, testable terms.

The PCI DSS Cloud Computing Guidelines Information Supplement provides explanations of common deployment and service models for cloud environments and how implementations may vary within the different types. It further outlines roles and responsibilities across the various cloud models and offers guidance on how to determine and document responsibilities for individual PCI DSS requirements. The document also describes some of the challenges associated with validating PCI DSS compliance in a cloud environment, and explores a number of business and technical security considerations for the use of cloud technologies.

The biggest issue with PCI compliance in the cloud is the sharing of responsibility: many data protection measures involve both the merchant and the cloud provider. Depending on the service model, the provider is typically responsible for securing the underlying infrastructure, while the merchant remains responsible for protecting the cardholder data inside its own environment, including the systems, applications, access controls and logging that sit above what the provider manages. As a result, compliance must be evaluated from both sides: each PCI DSS requirement has to be assigned to one party or explicitly shared, that assignment has to be documented, and the cloud provider's own compliance evidence must be available to the merchant's assessor.

This sharing of responsibilities makes PCI compliance both harder and easier. Another party is involved, yes, but if the cloud provider is itself PCI compliant, many of the infrastructure-level controls are already in place and validated. Using a compliant provider does not make the merchant compliant, however: the merchant must still secure, scope and validate the portion of the environment it controls. Atlantic-IT.net’s Infrastructure-as-a-Service offering is built upon the industry’s first cloud computing platform validated as a PCI DSS 2.0 Level 1 Service Provider. It couples a PCI-validated cloud infrastructure with a suite of managed security services to support the merchant’s own PCI compliance effort.

Too busy running your business to learn about PCI DSS compliance in the cloud? The experts at Atlantic-IT.net are here to help. We can offer guidance in determining what cloud solutions make sense for your business, and help ensure that the cardholder data you are responsible for protecting remains secure.