The fact that regulations evolve at a much slower pace than cloud computing technologies can lead to confusion regarding how to meet regulatory requirements in the cloud. If a client moves a regulated function to the cloud and later falls out of compliance due to a shortcoming on the cloud vendor's part, the client remains accountable. So it's essential to have as much clarity on these issues as possible. Recognizing this challenge with regards to the handling of credit card data, the Payment Card Industry (PCI) Security Standards Council has recently issued guidance on how to apply PCI Data Security Standards (PCI DSS) in the cloud.
PCI DSS applies to all organizations that hold, process or exchange credit card information. It was created to help ensure that consumers are not exposed to potential financial or identity fraud and theft. To accomplish this, PCI DSS provides a payment card data security framework that organizations deploy to prevent, detect and respond to security incidents. PCI DSS is not a law, and the PCI Security Standards Council doesn't directly impose any consequences for non-compliance, but the negative repercussions of non-compliance can include lawsuits, insurance claims, canceled accounts, payment card issuer fines and government fines. To ensure none of this happens to you when processing credit cards in the cloud, it's important to understand this new PCI DSS guidance.
PCI DSS was initially released on Dec. 15, 2004. To put this in perspective, that was over a year before Amazon Web Services initially began offering IT infrastructure services to businesses. The current version of PCI DSS, 2.0, was released on Oct. 26, 2010, but it wasn't until Feb. 5 of this year that the Cloud Special Interest Group of the PCI Security Standards Council released the PCI DSS Cloud Computing Guidelines to provide specific guidance on the use of cloud computing and maintaining PCI controls in cloud environments.
The guidelines are intended for use by organizations investigating, adopting or using cloud computing services as part of a cardholder data environment. Many elements of the guidelines align with issues addressed in my past columns, but they are worth reinforcing here within the PCI context. Some key concepts contained in the guidelines include:
It is crucial that an organization clearly understands its own needs before transitioning payment card operations to the cloud. To achieve this, you should build a team of key stakeholders to define needs and determine the degree to which available cloud services meet those needs.
While responsibility for security of cardholder data in a cloud environment is shared between the customer and cloud vendor, the customer remains accountable for ensuring that its cardholder data is properly secured according to applicable PCI DSS requirements.