What are the core security challenges relating to PCI DSS compliance that we should be aware of when migrating our Web-facing application infrastructure to a public cloud? How can we address
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
The first thing you should do is carefully review the recently released Payment Card Industry Data Security Standard (PCI DSS) 2.0 Cloud Computing Guidelines, available on the PCI Security Standards Council website. This document contains a wealth of information regarding the responsibilities of both merchants and service providers in a cloud environment, and does an excellent job helping you understand the types of controls that must be put in place.
Cloud computing solutions must comply with exactly the same standards as any other type of PCI DSS environment. In fact, most merchants already rely on some form of cloud service to assist them with the processing of credit card transactions. The difference when considering moving Web applications to the cloud is that you are often considering vendors that might not have deep PCI DSS experience.
If your cloud vendor will be directly storing, processing or transmitting credit card information (as opposed to merely handing customers off to a third-party payment gateway), you should verify that they appear on the Visa Global Registry of Service Providers and that their registry entry includes the service you are selecting. This assures you they have filed a Report on Compliance and are PCI-compliant. If you choose to use a cloud service that is not on the registry, understand that you will have to include that provider's infrastructure within the scope of your own PCI DSS assessment. I strongly suggest you don't put yourself in that situation.
You also must remember that simply choosing a compliant service provider does not make you PCI-compliant. Depending upon the type of service you purchase from that provider, you must take steps to ensure that the way you use those services is also compliant. For example, if you simply purchase Infrastructure as a Service computing cycles from a provider, you must still configure the Web server and develop Web applications in compliance with the PCI DSS and PA-DSS guidelines.
This was first published in May 2013