The Green Sheet Online Edition
May 13, 2013 • Issue 13:05:01
The new PCI SSC guidelines: Separating the cloud from the fog
Editor's Note: This article is a response to "PCI SSC releases cloud guidelines," a story we posted online Feb. 11, 2013, under Breaking News. It can be found at www.greensheet.com/breakingnews.php?flag=breaking_news&id=1097.
As most of us know, the PCI Security Standards Council (PCI SSC) released a revised set of guidelines on payment card security standards earlier this year, including Payment Card Industry (PCI) Data Security Standard (DSS) guidelines for cloud computing. The guidelines are intended to help both businesses looking for safe cloud solutions and providers looking to protect customer data, but some of the recommendations took providers by surprise - particularly those advising that e-commerce companies not store, process or transmit payment card data in the cloud.
The three suggestions that stood out included:
- Separating payment card data from the cloud (thereby eliminating the need for PCI DSS controls)
- Implementing a dedicated physical infrastructure used only for the in-scope cloud environment
- Minimizing reliance on third-party providers for protecting payment card data
For more details, see Section 4.5 of the PCI DSS Cloud Computing Guidelines at www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf.
Of course, the reality is that plenty of businesses and consumers are already operating in the cloud - and they show no signs of turning their backs on the flexibility, scalability and cost benefit it offers. From mobile banking to Internet shopping, commerce as we know it seems inseparable from the cloud. So is the cloud an inherently unsafe place for customer payment data? Or are the new PCI SSC guidelines off base?
Security standards for cloud challenges
The truth is somewhere in between. With the right skills and technologies, the cloud can indeed be engineered to keep data secure. Security challenges exist, yes, but merchants can overcome them by working with a cloud service provider (CSP) who knows how to optimize security and deliver a service model that fits their risk and security profile.
Let's start with PCI's most useful guidelines. Most businesses operating in the e-commerce space can agree that caution and responsibility are always appropriate when it comes to guarding payment data. The following recommendations are smart standards that all merchants and providers should consider.
- Clarity: This right here can determine the success and security of the merchant-provider relationship. The responsibilities for security, operations, management and reporting - everything, really - need to be clearly delineated and documented. Cloud services differ; merchants can't afford to make assumptions about who's responsible for system components and requirements. A good provider will spell all of this out in detailed contracts, be they memoranda of understanding, service-level agreements or terms of service contracts.
- Transparency: Clients must have a clear grasp of the providers' infrastructure, data storage and security controls; they should also be informed of any third-party relationships with the power to impact the security of their environments. A good provider will be able to prove it is successfully managing requirements, and provide evidence of such. And it should go without saying that a trustworthy provider should be audit-friendly.
- Strength: The provider must erect safe and strong perimeters between client environments, as well as between its own environment and that of its clients. When it comes to segmentation, fluid boundaries fall short of the necessary security requirements.
- Communication: Sharing risk management and compliance can get murky in cloud environments, which makes two-way communication essential. Clients need to be kept informed of any cloud issues, while providers need to be told about any client issues that could potentially affect their service.
- Responsibility: Even though clients have outsourced control of their data environment management, they must remember that they're still responsible for the data itself.
- Validation: This sounds simple on the surface; some providers have been validated as meeting a particular level of PCI DSS compliance and some have not. Obviously, clients should work with "validated" providers. But to ensure their particular service is covered, they should go beyond that and into the details of the compliance validation, checking what services, facilities, components and PCI DSS requirements were addressed.
Smart solutions for a secure environment
Now let's move on to a few points where the PCI SSC guidelines missed the mark. While all of the security measures proffered by the council are practical and well-founded, the fact is that some providers have already created solutions aimed at protecting payment data and addressing those concerns. These include:
- Well-defined boundaries to meet segmentation and isolation recommendations for perimeters between merchants, and between merchants and provider systems.
- Ability to ensure data sovereignty. While the new PCI SSC recommendations mention providers' need to update their risk strategies and security mechanisms to guard data, some providers have already implemented technologies and safeguards to guarantee data sovereignty for their customers - it's simply not a concern for them.
- Detailed service agreements and tools such as a responsibility matrix to ensure a mutual and thorough understanding of assigned responsibilities. These tools map out elements from security maintenance to segmentation to PCI DSS compliance and more, so both clients and providers agree precisely on expectations and deliverables.
- Transparency platforms including portals that provide clear oversight into security requirements and performance, validation and testing activities, and the involvement of third-party service and support.
A way to build on existing strengths
The PCI SSC is understandably cautious when it comes to payment card security standards - and that's a good thing. Meeting compliance goals is always a smart move when it comes to protecting customer data. Yet by partnering the convenience of cloud commerce with the security of smart technologies and responsible services, some providers have already addressed some of these challenges.
The cloud computing guidelines represent a road map toward a future of improved security. But to capitalize on the full power of the cloud, it's essential to acknowledge the existing solutions that offer merchants both protection and profit in one package.
As Director of Information Security at FireHost Inc., Kurt Hagerman oversees all compliance-related and security initiatives. He is responsible for helping FireHost attain ISO, PCI, HIPAA and other certifications, which allows FireHost customers to more easily achieve the necessary compliances for their own businesses. His position further includes merging information security and compliance into one organization, and enacting a strong security program in which levels of compliance are by-products. Hagerman, who has extensive engineering and systems management experience, can be reached at firstname.lastname@example.org.