Clearing Things up in the Cloud – a PCI Tale

April 5, 2013 – By David
CloudCow Contributed Article.  Author: Tim Sedlack, Dell Software

Back in mid-February, the people who help control the security of credit card data, the PCI Standards Council, did us all a favor. They clarified something that, technically, should make handling credit cards in, around and through “the cloud” more secure. They released a document called “PCI Cloud Computing Guidelines.” Certainly, clarification was required. Before this document, if you used a Cloud Service Provider (CSP), you couldn’t be sure whether you had to have a separate audit for them, or whether your own audits covered everything. It was nebulous, to say the least.

The Cloud Special Interest Group (SIG) and the PCI Standards Council got together and agreed that you own the security of the data you handle, regardless of where it’s stored, processed or otherwise transmitted. That’s right – it’s incumbent upon you, as a certified credit card processor (you do take credit cards, don’t you?), to ensure the safety and proper handling of customer credit cards in accordance with PCI-DSS standards. I know that’s not going to be a very popular stance for vendors – to tell them that they are the responsible party – but, honestly, not knowing would have had me walking on eggshells wondering whether we’d lose certification if our CSP failed an audit! Who wants to live like that?
They’ve clarified what “cloud” means for their purposes as well – that’s really refreshing and welcome! Private Cloud, Hybrid Cloud, Community Cloud – so many clouds – but they make it clear that even if you don’t use the term “cloud,” if you have engaged vendors that supply services such as SaaS, PaaS or IaaS (that’s Software, Platform or Infrastructure as a Service, for the uninitiated), you are a cloud service provider. And what about your provider using other people’s services? Well, that’s called “Nested Services,” and the document outlines that you’re not off the hook here either, so ask questions and demand answers from those who provide services like this to you! They also have created a handy chart (we all love charts, don’t we?) that breaks down responsibility between Client, Provider or BOTH – an area they recognize can be tough to navigate, but they do recommend getting clarification in writing to be safe. Finally, a few good sample scenarios and some FAQs help make it perfectly clear – nobody’s getting off scot-free!
 
So what can you do if you process credit card data (or have customers who do)? Well, the first and most obvious thing is to read the white paper (here: https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf)! Next, recognize that there is shared responsibility here. The best thing you can do is document your agreement. That includes clear definitions of terms, review cycles, responsibilities, communication channels – just about everything related to data that has the potential to be stored or transferred. With that done, you probably want to have a “virtual audit” – ask yourself what controls are in place and how you can prove you’re compliant. Ask the same of your provider (or of your customer, if you’re the provider).
 
From an IT control perspective, you’ve probably got all your ducks in a row – using software to help with audits, change control and risk assessment. Make that information available to your CSP or client. Prove to them that you’ve got it all under control. It’ll save you time and energy later – when a real audit does occur!
 
As a last check, ask if there are other relationships that need to be evaluated, and follow the same process with them.
 
It’s an iterative and likely time-consuming process, but, if you’re handling credit card data in the cloud, you can’t afford to be foggy!

###

About the Author

Tim Sedlack is a senior product manager for Dell Software, where he is responsible for guiding the direction of compliance solutions, and providing assistance to Dell customers and strategic partners around the world. Tim has more than 20 years of experience in IT, including time at Microsoft during early implementations of Active Directory and Exchange. He came to Dell through the acquisition of Quest Software in 2012, and prior to Quest, Tim worked with clients around the world on products that monitor the health and availability of enterprise IT environments.