The article also states that most cloud providers decline to be audited and will often agree to an audit only under pressure from larger customers, which raises the question of what exactly these providers are trying to hide. Whatever compliance or security concerns a company has, this remains a major issue: trusting and investing in a managed hosting provider requires an open-door policy on the provider’s part.
What are the top (and, in most cases, required) ways to gain complete visibility into your PCI cloud hosting provider’s environment, so that you not only meet PCI compliance demands but also gain some peace of mind?
- Check their PCI Report on Compliance (ROC), also known as their independent PCI audit report. A truly transparent cloud provider or data center operator will share the results of its independent PCI audit of its physical and network security environment, along with the company security policies that prove its actual compliance. This is standard practice and helps you not only gain visibility but also learn which PCI requirements the provider fulfills and which ones you still need to cover yourself.
- Check their documented policies and procedures. These give you insight into their protocols and how they handle any number of security issues, including data breach notification. Knowing the timeframe within which they have agreed to notify you of a breach is key to planning your own investigation and remediation. It is also required by PCI requirement 12.9: Implement an incident response plan. Be prepared to respond immediately to a system breach. (The requirement numbers in this article follow PCI DSS v2.0; in v3.0 and later the incident response requirement is numbered 12.10.)
- Check what is included in their PCI cloud hosting package. Many cloud providers will say they are selling you the complete PCI package, but what does that mean to them? It may mean some services are included and others are only partial, especially disaster recovery, backup and logging. Do they offer daily log review that includes actual review and analysis of your system logs (PCI requirement 10.6), or only log collection? Check that they can thoroughly fulfill the PCI requirements instead of just touching the surface.
- Check that their employees are trained on how to handle cardholder data (CHD) and how to comply with PCI standards. PCI requirements 12.6 and 12.7 call for a formal security awareness program, education of personnel upon hire and at least annually, and screening of potential personnel prior to hiring. Additionally, requirements 12.8.3 and 12.8.4 mandate a process for engaging service providers, including proper due diligence, and a program to monitor those service providers’ PCI DSS compliance status at least annually.
So these are great recommendations, but what is the actual language of the standard when it comes to third-party/managed service providers (cloud hosting companies)? See below:
For service providers required to undergo an annual onsite assessment, compliance validation must be performed on all system components in the cardholder data environment.
A service provider or merchant may use a third-party service provider to store, process, or transmit cardholder data on their behalf, or to manage components such as routers, firewalls, databases, physical security, and/or servers. If so, there may be an impact on the security of the cardholder data environment.
For those entities that outsource storage, processing, or transmission of cardholder data to third-party service providers, the Report on Compliance (ROC) must document the role of each service provider, clearly identifying which requirements apply to the assessed entity and which apply to the service provider. There are two options for third-party service providers to validate compliance:
- They can undergo a PCI DSS assessment on their own and provide evidence to their customers to demonstrate their compliance; or
- If they do not undergo their own PCI DSS assessment, they will need to have their services reviewed during the course of each of their customers’ PCI DSS assessments.
And when it comes to a merchant’s own PCI Report on Compliance (ROC) and the review of managed service providers’ environments:
For managed service provider (MSP) reviews, the assessor must clearly identify which requirements in this document apply to the MSP (and are included in the review), and which are not included in the review and are the responsibility of the MSP’s customers to include in their reviews.
Merchants: do your due diligence, gain visibility into a cloud provider’s environment and its ability to secure your data and applications to PCI standards, and be ready to seek a different provider if it refuses to comply.