PCI Cloud Guidance: Private Cloud Is The Preferred Way To Go
Written by Walter Conway
A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
Cloud computing is here. For merchants and service providers, the question is how best to implement the technology. The PCI Security Standards Council (PCI SSC) recently released PCI DSS Cloud Computing Guidelines, a document that has important information for any retailer or merchant looking to take advantage of the benefits from cloud computing. This document is well written, and it has a lot of details both on how cloud computing works and on how merchants can be compliant in a cloud environment.
The guidance document begins with a simple statement: “It may be particularly challenging to validate PCI DSS compliance in a distributed, dynamic infrastructure such as a public or other shared cloud.” Using the phrase “particularly challenging” communicates that a merchant’s PCI compliance will be easier or harder depending on the chosen cloud deployment model.
One gem tells clients (a.k.a., merchants) they need to “obtain the details of the CSP’s [cloud service provider's] compliance validation.” The guidance goes on to suggest merchants review “The Executive Summary and Scope of Work sections” of the CSP’s report on compliance (ROC) and the “specific components, facilities, and services that were assessed.”
Securing a copy of the current attestation of compliance (AOC) for the CSP is a good start, but it is not enough. Merchants need to know the scope of the CSP’s assessment, which is not sufficiently detailed in the AOC. The special interest group (SIG) recognized this situation explicitly with its recommendation. The body of a CSP’s ROC is proprietary, and it may contain information that would not necessarily be useful or appropriate to share. But that does not have to be the case for parts of the Executive Summary and Scope of Work sections.
The Executive Summary of a ROC certainly contains proprietary information. However, the guidance advises the client and the CSP work together to provide the client with the information the client needs to be PCI compliant. Ideally, this information can be transmitted in a redacted Executive Summary (or part of it) that still defines the scope and lists the specific PCI DSS requirements assessed.
To the best of my knowledge, this is the first official guidance that tells merchants to go beyond asking for the AOC.
My experience with clients is that CSPs will share this documentation once they understand the reason, but it can sometimes take several calls and E-mails to get it. Hopefully, with the SIG’s—and maybe the PCI SSC’s—encouragement, every merchant can more easily understand the scope of its CSP’s PCI assessment. (Note to all merchants, whether or not you are considering cloud computing: Shouldn’t you get this same scoping detail for all your service providers?) Securing this documentation, coupled with a strong service-level agreement (SLA) as described in section 6.3.1, should give merchants increased confidence in their CSP and in their own PCI DSS compliance.
The guidance’s clear preference for a private cloud implementation may surprise some merchants, cloud providers and security experts. Speaking only for myself, though, I wasn’t surprised by the recommendations. This is because, like most QSAs, I have accepted that the preferred way to achieve PCI compliance in the cloud is with a private cloud. I was a little surprised, albeit pleasantly, by a number of gems tucked away inside the recommendations. Any merchant moving or planning to move its card processing to the cloud needs to digest the recommendations and some of the more subtle signals in this report.
Some cloud proponents will be disappointed in the document, but I think that is because they don’t understand the focus of the report. The guidelines are really not a generic overview of how to conduct business in the cloud. Rather, the Cloud SIG focused on how to process payment-card data in the cloud. And its conclusion is that the most practical way to be PCI compliant in the cloud is with a private cloud.
The SIG did not look at cloud computing for application development or E-mail; it looked at using the cloud to process payment-card data. Merchants can start by accepting a couple of basics about cloud computing, which, according to the guidance document, is a technology that is “yet to be standardized” and still an “evolving technology.” Some CSPs might take issue with this characterization. But from the point of view of the Cloud Computing Special Interest Group (SIG), which authored the report, it is a fair description.
The guidance makes an important distinction between cloud deployment models (private, public, community and hybrid clouds) and cloud service models (software as a service [SaaS], platform as a service [PaaS] and infrastructure as a service [IaaS]). The differences between service models matter because the service model determines how control of (i.e., responsibility for) PCI DSS compliance is divided between the CSP and the merchant. The most critical differences, however, are those between the cloud deployment models.