The PCI Security Standards Council, the payment card security standards forum based in Wakefield, Mass., has published
The PCI Data Security Standard Cloud Computing Guidelines are detailed and spell out who — client or cloud service provider — has responsibility for what types of security precautions. For instance, installing and maintaining a firewall to protect cardholder data would be a shared responsibility between client and provider under infrastructure-as-a-service and platform-as-a-service cloud configurations. But for software-as-a-service, in which the cloud provider hosts software delivered over the web, the firewall would be the sole responsibility of the provider, the PCI Council has decided.
An overarching theme of the guidelines is that users of cloud services should not lean on their cloud providers for security. "Cloud security is a shared responsibility between the cloud service provider and its clients," the report states.
"As they should, the rules put some onus on the cloud service provider and some on the client," observes Anton Chuvakin, research director at Gartner. "In general, a client has more responsibilities and the document reflects that correctly."
Many companies adopting cloud services have relied on their cloud providers to take care of PCI compliance, notes Pravin Kothari, CEO and founder of CipherCloud, a San Jose company that provides encryption for cloud computing arrangements. "This guidance is an eye opener for these people, because it clearly says that clients cannot blame cloud providers. The client is still responsible for ensuring the cardholder data is secure."
PCI DSS rules in general are intended to protect cardholder data from theft or illegal use, primarily through the use of encryption. The guidelines have evolved since the original 2004 version.
"PCI is maturing," Kothari says. "This guidance especially clears up a lot of things. I think it's a good step in the right direction."
But not everyone is a fan of the PCI Council's new guidelines. "They make sense, but they are too long and too unclear to be usable," one analyst says.
One aspect of cloud-hosted data that the rules address is cross-border data flow — the need to observe the differing data protection rules of each country a data set may pass through. "A lot of large-bank financial customers in Europe and Australia are using our software because of cross-border data flow," Kothari says. "The PCI guidance says that clients will need to verify all locations and the flow of their data to ensure compliance and meet legal obligations in each country."
The most difficult aspect of compliance for cloud client companies, according to Kothari, is that they will have to get their cloud provider certified every time they do a PCI audit. "The onerous part is that you have to now extend your audit scope to include the provider," he says. "On the other hand, if you encrypt the data before sending it to the cloud, you can solve the problem."
In Chuvakin's view, one of the most difficult requirements of the guidelines is PCI data segmentation, in which client environments are separated from one another and cardholder data environments are segregated from non-cardholder data to limit the scope of PCI compliance. Another is managing the shared responsibility between merchants and providers. A third is the need to run a PCI project on an ongoing basis, while constantly updating providers' proof of compliance.