To store or not to store?

The PCI Security Standards Council recently issued some cloud computing guidelines aimed at demystifying this oft-misunderstood area of IT and the kinds of processes and applications it should be used to support.

Certain portions of the guidance document, such as the ‘scoping considerations' section, seem to suggest that the cloud is unsuitable for operations involving PCI, and include advice along these lines in no uncertain terms: “don't store, process or transmit payment card data in the cloud”.

While such a claim is certainly a headline-grabber, it doesn't necessarily represent the range of recommendations made in the document, nor the valuable instruction it gives in relation to differentiating the kinds of cloud infrastructures that actually are suited to handling payment card data.

Practically speaking, it is possible to hold data securely in the cloud. As long as the merchant ensures they make the right choices when doing so, such as selecting a properly secure, compliant enterprise class cloud platform, security becomes no greater issue than it would be in any traditional dedicated or private cloud hosting infrastructure.

Indeed, with version 3.0 of the PCI DSS due for release in October, this could be a valuable opportunity for the industry to clearly define those infrastructures that are suitable for payment card operations (and those that are not), as well as address several of the main points raised in these new cloud guidelines and ultimately ensure valuable data is kept secure at all times.

Certain sections of the council's cloud guidelines document could prove extremely useful to merchants, ranging from general recommendations regarding the cloud provider and cloud customer relationship, to specific PCI DSS control considerations.

On the provider/customer relationship, the guidelines make three significant suggestions worth noting, including:

  • Cloud services are not created equal.
  • Descriptions for deployment and service models, although widely accepted by the industry, may not be universally followed by cloud providers or reflect actual cloud environments.
  • Clear policies and procedures should be agreed upon between client and cloud provider for all security requirements, and clear responsibilities for operation, management and reporting need to be defined for each requirement.

Essentially, all of these individual nuggets of advice point to the fact that cloud customers must ensure that they have absolute clarity regarding the levels of cover their provider offers (including the terms they are using), and have this written into any kind of agreement. Only then can the cloud customer ensure that their payment card data is adequately secured.

Full transparency is again fundamental when it comes to the PCI compliance control recommendations made in the document – namely:

  • The client needs to understand the level of oversight or visibility they will have into security functions that are outside of their control.
  • The CSP (Cloud Service Provider) should ensure that any service offered as being 'PCI compliant' is accompanied by a clear and unambiguous explanation.
  • The client needs to clearly understand the scope of responsibility that the CSP is accepting for each PCI DSS requirement, and which services and system components are validated for each requirement.

Splitting PCI compliance into different levels and having providers disclose where they are on this spectrum, as the guidance document suggests, could be a massive step towards full transparency. The council's recommendation that those offering a high level of PCI compliance should be independently validated in order to prove so takes this idea even further, putting each provider's ranking beyond their own influence, for the benefit of the customer.

The upcoming revision of the PCI DSS could be a chance to offer this kind of visibility to the merchant and ultimately give them the ability to recognise whether their data is at risk.

Several sections in the guidelines document focus on other practical concerns with holding payment card data in the cloud. Again, these serve to further differentiate those infrastructures that are suited to storing this kind of data from those that are not suitable, and should not be interpreted as the council advising that no cloud service is compatible with PCI rules.

For example, when it comes to issues of server isolation – which is a massive challenge for PCI compliance – very few providers offer such a solution, but it would be wrong to discount them all. Similarly, the importance of the location of data is underlined throughout, as many cloud hosting providers out there are unable to provide guarantees about where data will be held.

Far from dismissing the cloud entirely, the document is simply pointing cloud customers to those that can deliver data sovereignty guarantees.

Guidelines are designed to provide useful recommendations on current practices, warn target audiences of any potential pitfalls and highlight any changes that could be made within the industry in general. This document does just this and offers valuable reference points when it comes to establishing the security of a cloud infrastructure.

If cloud providers took these concerns seriously and merchants boycotted any that did not, we wouldn't be in a position where the IT industry still asked the question 'can the cloud be secured?'

Kurt Hagerman is director of information security at FireHost