Is PCI compliance attainable in a public cloud?


Phil Cox, Contributor
02.02.2010


In this tip, the ninth in our series of technical tips on cloud security, we will focus specifically on the question of achieving Payment Card Industry Data Security Standard v1.2 (PCI-DSS) compliance using the public cloud. As a disclaimer, I should note that while I am a PCI QSA, this is my interpretation of the PCI-DSS requirements. I do not speak on behalf of the PCI Security Standards Council (PCI SSC), nor do I speak for any other assessor.

Can I be PCI compliant in a public cloud?
If you do not store or process cardholder data in a public cloud, then it is possible to reach compliance with PCI-DSS. If you do store or process cardholder data in a public cloud, however, then it is my opinion that PCI-DSS compliance cannot currently be achieved.

You can achieve compliance if all you are doing is securely transmitting cardholder data over a public cloud (similar to the Internet today).

A note on PCI-DSS compliance rules:
If you have a contractual obligation to comply with PCI-DSS, then you have to comply with 100% of it. PCI-DSS requires ongoing compliance, but only requires you "prove" it annually (a.k.a. validation).

The specifics of what you have to do to validate your compliance will vary based on the volume of transactions you process and what type of entity you are (i.e., merchant versus service provider).

An important point to consider is that even though a smaller merchant has much less stringent validation requirements than a large merchant (i.e., a self-assessment versus a third party on-site assessment), you will be viewed with the same compliance microscope in the event of a breach.

PCI-DSS compliance issues with public clouds
PCI-DSS does not address the nuances involved with cloud providers. PCI-DSS does, however, directly address shared hosting providers, and there has been guidance on Internet Service Providers (ISPs). While it is reasonable for companies to view public cloud providers in the same light as shared hosting providers, the problem is with the requirements on those providers and how current cloud providers fall short. PCI-DSS Appendix A requires that providers implement as well as prove to an assessor that:

  • Each entity only runs processes that have access to that entity's cardholder data environment (A.1.1). This entails providing access to systems and proving that this isolation is indeed happening.
  • Each entity's access and privileges are restricted to its own systems and data (A.1.2). Again the problem is in proving that this is happening.
  • Log and audit trails exist to show access to any cardholder data (A.1.3). Access and proof are issues again, as are problems surrounding virtual machine guest images and any potential cardholder data stored in the image, or in the memory of a suspended image.
  • A process and a mechanism are provided to allow for timely forensic investigation in the event of a compromise to any other client or the provider itself (A.1.4). I do not know of any cloud provider in a position to meet this requirement.


Since there is no option in PCI-DSS for risk acceptance and 100% compliance is required, I have to conclude that you cannot be compliant in those deployments. I do think, however, that cloud providers will be making modifications to service-level agreements (SLAs) and contracts that will enable organisations to be compliant in the future; it is just not possible today.

Conclusion
Some may argue that compensating controls can be used to achieve compliance, but I do not believe that to be the case. Until cloud providers are willing to open up and show us (i.e., customers and auditors) what the insides look like, PCI-DSS compliance for storing and processing of cardholder data remains a pipe dream.

So what can you do? I recommend one of two things:

  • Offload all payment card operations to a third party (e.g., PayPal).
  • Bring the storage and processing of cardholder data onto internally controlled systems. This is basically creating a hybrid cloud.

Furthermore, you should put pressure on your cloud provider to bring about a PCI-compliant portion of their cloud. That way you can use their compliance to augment yours.

PHIL COX'S BIO:
Phil Cox is a principal consultant of SystemExperts Corporation, a consulting firm that specialises in system security and management. He is a well-known authority in the areas of system integration and security.

His experience includes Windows, UNIX, and IP-based networks integration, firewall design and implementation and ISO 17799 and PCI compliance. Phil frequently writes and lectures on issues dealing with heterogeneous system integration and compliance with PCI-DSS. He is the lead author of Windows 2000 Security Handbook Second Edition (Osborne McGraw-Hill) and contributing author for Windows NT/2000 Network Security (Macmillan Technical Publishing).

Phil holds a BS in Computer Science from the College of Charleston.


All Rights Reserved, Copyright 2009 - 2010, TechTarget | Read our Privacy Policy