What are the core security challenges relating to PCI DSS compliance that we should be aware of when migrating...
our Web-facing application infrastructure to a public cloud? How can we address PCI compliance in the cloud?
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The first thing you should do is carefully review the recently released Payment Card Industry Data Security Standard (PCI DSS) 2.0 Cloud Computing Guidelines, available on the PCI Security Standards Council website. This document contains a wealth of information regarding the responsibilities of both merchants and service providers in a cloud environment, and does an excellent job helping you understand the types of controls that must be put in place.
Cloud computing solutions must comply with exactly the same standards as any other type of PCI DSS environment. In fact, most merchants already rely on some form of cloud service to assist them with the processing of credit card transactions. The difference when considering moving Web applications to the cloud is that you are often considering vendors that might not have deep PCI DSS experience.
If your cloud vendor will be directly storing, processing or transmitting credit card information (as opposed to merely handing customers off to a third-party payment gateway), you should verify that they appear on the Visa Global Registry of Service Providers and that their registry entry includes the service you are selecting. This assures you they have filed a Report on Compliance and are PCI-compliant. If you choose to use a cloud service that is not on the registry, understand that you will have to include that provider's infrastructure within the scope of your own PCI DSS assessment. I strongly suggest you don't put yourself in that situation.
You also must remember that simply choosing a compliant service provider does not make you PCI-compliant. Depending upon the type of service you purchase from that provider, you must take steps to ensure that the way you use those services is also compliant. For example, if you simply purchase Infrastructure as a Service computing cycles from a provider, you must still configure the Web server and develop Web applications in compliance with the PCI DSS and PA-DSS guidelines.
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
Vulnerability scanning tools are necessary to be fully compliant with PCI DSS, but the tools need to come from a PCI DSS Approved Scanning Vendor. ...continue reading
Healthcare clearinghouses like Mass HIway are a new trend in health IT, but what are the security implications? Expert Mike Chapple explains what you...continue reading
The FFIEC Cybersecurity Assessment Tool has faced harsh criticism since its 2015 release. Expert Mike Chapple reviews the tool and how it can be ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.