PCI SSC releases cloud guidelines

PCI Security Standards Council (PCI SSC) issued cloud computing data security guidelines on Feb. 7, 2013. The 52-page Cloud Computing Guidelines Information Supplement is a resource published to help businesses choose solutions and cloud providers that will secure customer payment data in the cloud in compliance with the Payment Card Industry (PCI) Data Security Standard (DSS).

The guidelines were developed by the PCI SSC's Cloud Special Interest Group (SIG). More than 100 organizations worldwide, including banks, merchants, security assessors and technology vendors, participated in the effort to identify and address the security challenges for different cloud models and explain the PCI DSS responsibilities of businesses conducting payment transactions in the cloud.

Chris Brenton, Director of Security for CloudPassage Inc., a security products provider for data centers hosting cloud servers, said, "One of cloud computing's biggest strengths is its shared-responsibility model. However this shared model can magnify the difficulties of architecting a secure computing environment." Brenton, a PCI Cloud SIG contributor, said the guidelines define the security responsibilities of the cloud provider and the cloud customer and provide a road map for creating a secure payment environment in the cloud.

Cloud guidance comprehensive

The guidelines explain the typical ways cloud services are used, outline the different roles of cloud providers and customers, and explain how security responsibilities in the cloud payment environment are determined and documented. The document also includes guidance for meeting PCI DSS requirements, advice on segmentation and scoping, and information on additional compliance and security challenges encountered when conducting payment transactions in the cloud. Appendices address specific PCI DSS requirements and their implementation.

The supplement can be downloaded from the PCI Standards & Documents section of the PCI SSC's website, www.pcisecuritystandards.org . The council is also hosting a webinar Feb. 14, 2013, for people interested in learning more about the supplement.

"At the council, we always talk about payment security as a shared responsibility," Bob Russo, PCI SSC General Manager, said. "And cloud is by nature shared, which means that it's increasingly important for all parties involved to understand their responsibility when it comes to protecting this data."

New guidelines eye opening

CipherCloud, a cloud security company offering a cloud encryption gateway, applauded the new cloud payment security guidelines, noting that the supplement sets forth new security responsibilities for cloud customers to protect cardholder data and specifies the responsibility customers have to ensure their cloud provider properly secures payment data.

"This new guidance is an eye-opener, as it clarifies that cloud customers cannot shift responsibility to their cloud providers," CipherCloud stated in a release issued to report it has a PCI DSS compliant cloud security strategy. "Cloud customers are still responsible for ensuring their cardholder data is secure."

The company said cloud customers have three choices if they wish to remain PCI DSS compliant: encrypt the card data before sending it to the cloud; encrypt the cardholder data in the cloud (and extend the PCI DSS scope to the cloud service); or don't use the cloud for payment transactions.

Pravin Kothari, Founder and Chief Executive Officer of CipherCloud, stated, "These new PCI Cloud guidelines are very helpful. They provide very important clarifications to cloud customers as to their responsibility for protecting their cardholder data in the cloud, as well as defining clear steps for customers that have been hesitant to adopt the cloud on how to do so."

Editorial Note:

Whether you want to upgrade your POS offerings, find a payment gateway partner, bone up on fintech regs or PCI requirements, find an upcoming trade show, read about faster payments, or discover the latest innovations in merchant acquiring, The Green Sheet is the resource for you. Since 1983, we've helped empower and connect payments professionals, starting with the merchant level salespeople who bring tailored payment acceptance and digital commerce tools, along with a host of other business services to merchants across the globe. The Green Sheet Inc. is also a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals.

Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.