Some vendors and service providers claim they offer cloud-based services that are compliant with PCI DSS. Vendor spin aside, is this possible?
It is possible, but keep in mind that all areas of PCI compliance must thoroughly be examined before making such a bold, absolute and definitive statement.
First and foremost, the term “cloud computing” can carry any number of different meanings, each being significant in their own manner. Be sure you understand the exact nature of the cloud service offered.
With that said, if the typical cloud computing service can be defined as “computing resources are shared in a virtual environment by a pool of intended users”, then there’s much work to be done by these vendors and service providers if they plan on achieving PCI compliance. Specifically, these entities must provide real and credible evidence of compliance with all 12 of the PCI DSS requirements, with added emphasis on ensuring the logical separation and protection of client A data from client B data. Additionally, these entities will also have to provide evidence of the often-overlooked Appendix A section of the PCI DSS, which has explicit requirements for ensuring the separation of data in shared/hosted environments, such as cloud computing.
One of the most difficult aspects of cloud computing PCI compliance is the ability to obtain verifiable and credible audit evidence for what a Qualified Security Assessor (QSA) would be signing off on. Many traditional vendors and service providers do in fact offer cloud-based services, but many times through Amazon's or Microsoft's cloud infrastructure, which, at this point, is difficult to obtain audit evidence for. However, if the actual vendor or service provider is providing these services through their own proprietary built cloud platform, validation becomes less of a challenge.
Even with all that in mind, for every PCI DSS requirement that must be validated, a QSA or other highly competent IT auditor must validate that, (1) the 12 PCI DSS requirements are in place and (2) within the 12 PCI DSS requirements, and where applicable, true logical separation of data from client A to client B exists. This validations must happen regardless of whether an organization utilizes a cloud computing service within the scope of its cardholder data environment. It's not an easy task, but it can be done if the cloud provider and the QSA are willing to work together in an efficient manner. Thus, many of the areas that will need to be examined actually fall under the scope of Appendix A, where the requirements for logical separation and isolation are illustrated.
This was first published in September 2011