New Data Security Standards (DSS) for the cloud make clear the responsibilities of merchants and service providers

The Payment Card Industry Security Standards Council (PCI SSC) has published guidelines for using the cloud for credit card processing, ending the guesswork that has plagued merchants and cloud providers.

The PCI SSC introduced its Data Security Standards (DSS) for the cloud on Thursday. The guidelines are expected to clear up the confusion that resulted from auditors giving different interpretations when applying pre-cloud standards to the modern computing platform.

The original PCI DSS guidelines and standards covered physical servers that a merchant, such as Home Depot, would have in its own data center. Those guidelines became only marginally effective once merchants started moving their servers to infrastructure-as-a-service (IaaS) providers, such as Amazon and Rackspace, where multiple virtual servers, each belonging to a different company, run on a single physical machine.

The new guidelines make clear the respective responsibilities of merchants and cloud service providers. For example, the provider must show that it keeps each client's data in its own silo, but merchants are responsible for encryption and for proper login credentials for accessing the data. Other merchant responsibilities include server configuration and software patching. In the absence of guidelines, merchants had assumed that the cloud service provider satisfied many of the PCI requirements.

"As folks move into the cloud, they think they are getting a little bit of a get out of jail card and they can just say, 'the cloud provider will take care of all that,'" said Chris Brenton, director of security at CloudPassage and a member of the PCI group that drew up the guidelines.
"One of the things this guidance is very clear on is no, you will always have some level for making sure that credit-card information stays secure."

The guidelines establish PCI-defined best practices for using the cloud for credit card processing. Depending on their circumstances, companies may decide to go beyond the requirements. For example, a large company that is more exposed to sophisticated cyberattacks may add layers of security beyond what is required.

"One of the problems with the PCI DSS is that it's trying to be kind of a one size fits all and every environment is a little different," Brenton said.

For large corporations and financial institutions, the next step will be having the guidelines for cloud environments incorporated into the software they use to set policies for maintaining compliance, said Michael Versace, an analyst at IDC. Connecting so-called governance, risk management and compliance (GRC) systems to the cloud would provide a "clearer, maybe more current, picture of how well a cloud service provider might be complying with a set of standards, like the PCI security standards."

Overall, PCI compliance has reduced risk. A 2011 study by The Ponemon Institute found that 64% of compliant organizations reported no breaches involving credit card data over two years, versus only 38% of non-compliant organizations.