Tip

Is PCI compliance attainable in a public cloud?

In this tip, the ninth in our series of technical tips on cloud security, we will focus specifically on the question of achieving Payment Card Industry Data Security Standard v1.2 (PCI-DSS)

Requires Free Membership to View

compliance using the public cloud. As a disclaimer, I should note that while I am a PCI QSA, this is my interpretation of the PCI-DSS requirements. I do not speak on behalf of the PCI Security Standards Council (PCI SSC), nor do I speak for any other assessor.

Can I be PCI compliant in a public cloud?
If you do not store or process cardholder data in a public cloud, then it is possible to reach compliance with PCI-DSS. If you do store or process cardholder data in a public cloud, however, then it is my opinion that it would not be possible to currently achieve PCI-DSS compliance.

You can achieve compliance if all you are doing is securely transmitting cardholder data over a public cloud (similar to the Internet today).

A note on PCI-DSS compliance rules:
If you have a contractual obligation to comply with PCI-DSS, then you have to comply with 100% of it. PCI-DSS requires ongoing compliance, but only requires you "prove" it annually (a.k.a. validation).

The specifics of what you have to do to validate your compliance will vary based on the volume of transactions you process and what type of entity you are (i.e., merchant versus service provider).

An important point to consider is that even though a smaller merchant has much less stringent validation requirements than a large merchant (i.e., a self-assessment versus a third party on-site assessment), you will be viewed with the same compliance microscope in the event of a breach.

PCI-DSS compliance issues with public clouds
PCI-DSS does not address the nuances involved with cloud providers. PCI-DSS does, however, directly address shared hosting providers, and there has been guidance on Internet Service Providers (ISPs). While it is reasonable for companies to view public cloud providers in the same light as shared hosting providers, the problem is with the requirements on those providers and how current cloud providers fall short. PCI-DSS Appendix A requires that providers implement as well as prove to an assessor that:

  • Each entity only runs processes that have access to that entity's cardholder data environment (A.1.1). This entails providing access to systems and proving that this isolation is indeed happening.
  • Each entity's access and privileges are restricted to its own systems and data (A.1.2). Again the problem is in proving that this is happening.
  • Log and audit trails exist to show access to any cardholder data (A.1.3). Access and proof are issues again, as well as problems surrounding Virtual Machine Guest images and any potential cardholder data stored in the image or memory of a suspended image.
  • A process and a mechanism are provided to allow for timely forensic investigation in the event of a compromise to any other client or the provider itself (A.1.4). I do not know of any cloud provider in a position to meet this requirement.

Since there is no option in PCI-DSS for risk acceptance and 100% compliance is required, I have to conclude that you cannot be compliant in those deployments. I do think, however, that cloud providers will be making modifications to service-level agreements (SLAs) and contracts that will enable organisations to be compliant in the future; it is just not possible today.

Conclusion
Some may argue that compensating controls can be used to achieve compliance, but I do not believe that to be the case. Until cloud providers are willing to open up and show us (i.e., customers and auditors) what the insides look like, PCI-DSS compliance for storing and processing of cardholder data remains a pipe dream.

So what can you do? I recommend one of two things:

  • Offload all payment card operations to a third party (i.e., PayPal).
  • Bring the storage and processing of cardholder data onto internally controlled systems. This is basically creating a hybrid cloud.

Furthermore, you should put pressure on your cloud provider to bring about a PCI-compliant portion of their cloud. That way you can use their compliance to augment yours.


This was first published in February 2010

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

PHIL COX'S BIO:   
Phil Cox is a principal consultant of SystemExperts Corporation, a consulting firm that specialises in system security and management. He is a well-known authority in the areas of system integration and security.

His experience includes Windows, UNIX, and IP-based networks integration, firewall design and implementation and ISO 17799 and PCI compliance. Phil frequently writes and lectures on issues dealing with heterogeneous system integration and compliance with PCI-DSS. He is the lead author of Windows 2000 Security Handbook Second Edition (Osborne McGraw-Hill) and contributing author for Windows NT/2000 Network Security (Macmillan Technical Publishing).

Phil holds a BS in Computer Science from the College of Charleston.