Answer

Cloud computing PCI compliance: Is it possible?

Some vendors and service providers claim they offer cloud-based services that are compliant with PCI DSS. Vendor spin aside, is this possible? 


It is possible, but keep in mind that all areas of PCI compliance must be thoroughly examined before making such a bold, absolute and definitive statement.

First and foremost, the term "cloud computing" can carry any number of different meanings, each significant in its own way. Be sure you understand the exact nature of the cloud service being offered.

With that said, if the typical cloud computing service can be defined as "computing resources shared in a virtual environment by a pool of intended users", then there is much work to be done by these vendors and service providers if they plan on achieving PCI compliance. Specifically, these entities must provide real and credible evidence of compliance with all 12 of the PCI DSS requirements, with added emphasis on ensuring the logical separation and protection of client A's data from client B's data. Additionally, these entities will also have to provide evidence of compliance with the often-overlooked Appendix A of the PCI DSS, which sets out explicit requirements for ensuring the separation of data in shared/hosted environments such as cloud computing.

One of the most difficult aspects of cloud computing PCI compliance is obtaining verifiable and credible audit evidence for what a Qualified Security Assessor (QSA) would be signing off on. Many traditional vendors and service providers do in fact offer cloud-based services, but often through Amazon's or Microsoft's cloud infrastructure, for which, at this point, audit evidence is difficult to obtain. However, if the vendor or service provider delivers these services through its own proprietary cloud platform, validation becomes less of a challenge.

Even with all that in mind, for every PCI DSS requirement that must be validated, a QSA or other highly competent IT auditor must validate that (1) the 12 PCI DSS requirements are in place and (2) within those 12 requirements, where applicable, true logical separation exists between client A's data and client B's data. This validation must happen regardless of whether an organization uses a cloud computing service within the scope of its cardholder data environment. It's not an easy task, but it can be done if the cloud provider and the QSA are willing to work together efficiently. Thus, many of the areas that will need to be examined actually fall under the scope of Appendix A, where the requirements for logical separation and isolation are spelled out.

This was first published in September 2011
