
Risk Assessments for the PCI Compliant Cloud

One of the main concerns with cloud computing is security: when industry compliance standards such as PCI DSS or HIPAA apply, additional precautions must be taken to protect confidential data, including while it is in transit. Although PCI compliance imposes very specific requirements for protecting customer cardholder data, it is possible to remain compliant while using the cloud.

In June, the PCI Security Standards Council (PCI SSC) released a set of guidelines and recommendations on configuring virtualized environments to meet PCI requirements. The council acknowledges that there is no one-size-fits-all hosting solution that lets every business meet the PCI requirements, but it does address the potential new risks associated with virtualization technology.

According to Onestopclick.com’s article on PCI Compliance and the Public Cloud, some experts suggest using a separate, dedicated secure server for transactions while using a cloud platform for other business operations. The PCI SSC, however, notes that some public clouds have characteristics that can make it hard to define scope and responsibilities for PCI compliance: the hosted entity may have limited knowledge of the other tenants in its hosted environment and limited control over where cardholder data (CHD) is stored. In a private cloud, dedicated hardware provides more security and control because the tenant knows where its data lives.

As a result, the PCI SSC states that the burden of PCI compliance falls on the PCI cloud hosting provider, on the controls it operates, and on its assessment of its own environment’s compliance. When evaluating a PCI compliant hosting provider and solution, merchants should review which controls are in place to meet the requirements, what is included in the scope of the provider’s assessment and what is explicitly not covered, and which responsibilities ultimately remain the merchant’s own.

The PCI SSC also recommends that merchants conduct a risk assessment of their virtualized environments to comply with PCI standards, covering the following key elements:

  • Define the Environment - Components, physical security/site details, traffic flow, component visibility, virtual and physical hardware components, etc.
  • Identify Threats - One example is new types of malicious code or logical attacks targeting virtual components (such as the hypervisor) or unsecured communication channels between shared hardware components.
  • Identify Vulnerabilities - While the PCI SSC acknowledges that vulnerabilities may result from the complexity of virtualization layers, shared environments and lack of visibility, it also points out that vulnerabilities are not limited to technical issues: mistrained staff, operational process errors, lack of control monitoring and more can be responsible for a point of weakness.
  • Evaluate and Address Risk - With all threats, vulnerabilities and environmental aspects considered, a risk assessment’s ultimate goal is to determine whether any additional controls (on top of the existing PCI compliance requirements) need to be implemented to protect CHD and avoid a PCI compliance breach.

For more on PCI compliance, see our prerecorded PCI compliance webinar series, including a PCI overview, detailed PCI requirements, and PCI penetration testing and enhancing network and application security, led by PCI compliance expert Adam Goslin of High Bit Security.

Sources:
PCI Compliance and the Public Cloud
Information Supplement: PCI DSS Virtualization Guidelines
