Monday, February 11, 2013
The guidelines were developed by the PCI SSC's Cloud Special Interest Group (SIG). More than 100 organizations worldwide, including banks, merchants, security assessors and technology vendors, participated in the effort to identify and address the security challenges for different cloud models and explain the PCI DSS responsibilities of businesses conducting payment transactions in the cloud.
Chris Brenton, Director of Security for CloudPassage Inc., a security products provider for data centers hosting cloud servers, said, "One of cloud computing's biggest strengths is its shared-responsibility model. However this shared model can magnify the difficulties of architecting a secure computing environment." Brenton, a PCI Cloud SIG contributor, said the guidelines define the security responsibilities of the cloud provider and the cloud customer and provide a road map for creating a secure payment environment in the cloud.
The guidelines explain the typical ways cloud services are used, outline the different roles of cloud providers and customers, and explain how security responsibilities in the cloud payment environment are determined and documented. The document also includes guidance for meeting PCI DSS requirements, advice on segmentation and scoping, and information on additional compliance and security challenges encountered when conducting payment transactions in the cloud. Appendices address specific PCI DSS requirements and their implementation.
The supplement can be downloaded from the PCI Standards & Documents section of the PCI SSC's website, www.pcisecuritystandards.org . The council is also hosting a webinar Feb. 14, 2013, for people interested in learning more about the supplement.
"At the council, we always talk about payment security as a shared responsibility," Bob Russo, PCI SSC General Manager, said. "And cloud is by nature shared, which means that it's increasingly important for all parties involved to understand their responsibility when it comes to protecting this data."
CipherCloud, a cloud security company offering a cloud encryption gateway, applauded the new cloud payment security guidelines, noting that the supplement sets forth new security responsibilities for cloud customers to protect cardholder data and specifies the responsibility customers have to ensure their cloud provider properly secures payment data.
"This new guidance is an eye-opener, as it clarifies that cloud customers cannot shift responsibility to their cloud providers," CipherCloud stated in a release issued to report it has a PCI DSS compliant cloud security strategy. "Cloud customers are still responsible for ensuring their cardholder data is secure."
The company said cloud customers have three choices if they wish to remain PCI DSS compliant: encrypt the card data before sending it to the cloud; encrypt the cardholder data in the cloud (and extend the PCI DSS scope to the cloud service); or don't use the cloud for payment transactions.
Pravin Kothari, Founder and Chief Executive Officer of CipherCloud, stated, "These new PCI Cloud guidelines are very helpful. They provide very important clarifications to cloud customers as to their responsibility for protecting their cardholder data in the cloud, as well as defining clear steps for customers that have been hesitant to adopt the cloud on how to do so." 
Editor's Note:
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
