In February the PCI Security Standards Council (the “Council”) released a new information supplement on applying the Payment Card Industry Data Security Standard (“PCI DSS”) requirements in the Cloud. The goal of the information supplement is to assist Merchants and Cloud Service Providers (“CSPs”) in maintaining PCI DSS compliant environments, and also to guide the Qualified Security Assessors (“QSAs”) tasked with performing the validation assessments.
I found the information supplement to contain useful information and tools that could be used by the Merchant, CSP and QSA. Several charts and graphics were included that show the PCI DSS responsibilities for the CSP and Merchant depending upon the Cloud delivery model. As evidenced by the continual discussion of the PCI DSS scope for the CSP and Merchant, division of responsibility continues to be at the heart of all relationships between PCI DSS compliant companies and service providers.
The challenge companies continue to face when migrating to the Cloud is “who is responsible for what,” and unfortunately we are finding that this question is often not fully answered until the QSA shows up to perform the on-site assessment. As you read the information supplement, I encourage you to also take the following points into consideration when migrating to the Cloud.
Not all CSPs are created equal – This is true of many aspects of the services they provide, and especially true when it comes to PCI DSS. When a CSP states it is PCI DSS compliant, it is imperative that you understand what it means by that and what level of evidence it is willing to provide before migrating to its Cloud.
The QSA won’t take the CSP’s word for it – When it comes to PCI DSS compliance, it is the job of the QSA to validate compliance themselves, not simply to read a marketing document or a CSP’s website stating that it is compliant. The QSA will want to see a contract, an Attestation of Compliance, the scoping matrix from the Report on Compliance, and will probably want to talk with the CSP’s Security Officer. Don’t wait until the QSA is on-site to start asking for this information. PCI DSS compliance, and the evidence of that compliance, should be discussed with the CSP during the initial contract negotiation.
You are still responsible – Whether you outsource a control or perform it in-house, you remain responsible for the security of payment card data stored, processed or transmitted by you or on your behalf. Make sure your vendor due diligence and annual review procedures are sufficient to ensure the CSP is living up to its responsibilities.
The Cloud is here to stay, and as with all emerging technologies it takes time to fully understand the risks and standardize information security measures. Make sure you have a clear, documented understanding with your CSP regarding PCI DSS compliance.
The Cloud information supplement and other helpful information from the Council can be obtained from https://www.pcisecuritystandards.org/security_standards/documents.php.