PCI Council Releases PCI-DSS Cloud Computing Guidelines Supplement | Practical Law




Practical Law Legal Update 3-524-1559 (Approx. 4 pages)


by PLC Intellectual Property & Technology
Published on 15 Feb 2013, USA (National/Federal)
The Payment Card Industry (PCI) Security Standards Council (SSC) released a supplement to the payment card industry data security standards (PCI-DSS) addressing the use of cloud technologies and considerations for PCI-DSS controls in cloud computing environments.
On February 7, 2013, the Payment Card Industry (PCI) Security Standards Council released a supplement that provides guidance on payment card industry data security standards (PCI DSS) controls in cloud computing environments. PCI DSS will apply when payment card data is stored, processed or transmitted in a cloud environment. Because of the shared responsibility between the cloud service provider (CSP) and its client over the payment card data, PCI DSS will typically involve validation of:
  • The CSP's infrastructure.
  • The client's usage of the cloud environment.
The supplement provides guidance on various topics including:
  • Common deployment and service models for cloud environments, including how implementations may vary within the different types.
  • The different roles and responsibilities among the different cloud provider/cloud customer relationships.
  • PCI DSS considerations for determining responsibilities for individual PCI DSS requirements, including segmentation and scoping considerations.
  • Challenges associated with validating PCI DSS compliance in a cloud environment, for example:
    • Little or no client visibility into the CSP's infrastructure and security controls.
    • Public cloud environments that are designed to allow access from anywhere on the internet.
    • The potential challenges of verifying who has access to cardholder data processed, transmitted or stored in the cloud environment.
    • The challenge of collecting, correlating and archiving all the necessary logs to meet applicable PCI DSS requirements.
  • Additional business and technical security considerations that organizations should weigh before moving sensitive data or services into a cloud environment, including that:
    • Because governance, compliance and risk management are shared between the client and the CSP, establishing a clear strategy for the relationship helps ensure clear communication.
    • A CSP facility may have poor physical security controls, potentially exposing clients' data to unnecessary risk.
    • If a client does not know the exact location of its data, or has little visibility into the controls, validating data security and access controls may be challenging.
  • Recommendations for initial discussions between organizations and their prospective CSPs about cloud services.
The guidance also includes four appendices that provide:
  • Additional considerations to help determine PCI DSS responsibilities across different cloud service models.
  • A sample system inventory for cloud computing environments.
  • A sample matrix for documenting how PCI DSS responsibilities are assigned between a cloud provider and client.
  • A starting set of questions that may help in determining how PCI DSS requirements can be met in a particular cloud environment.
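The responsibility matrix in the third appendix, and the visibility and logging challenges listed above, suggest a simple check a client can run before engaging an assessor: every one of the twelve top-level PCI DSS requirements must be assigned to the CSP, the client, or both; each party named as an owner must have a documented control; and any control the CSP owns must be backed by evidence the client can actually rely on, since the client usually cannot see into the provider's infrastructure. The following Python script is an added example, not the supplement's sample matrix or any Practical Law material. The requirement titles are shortened, and the IaaS-style matrix it checks is constructed for illustration.

```python
"""Gap check over a PCI DSS shared-responsibility matrix (added example).

Constructed for illustration: the matrix below is not the supplement's
sample matrix. Each top-level PCI DSS requirement (1-12) is assigned to
the CSP, the client, or both ("shared"). A finding is raised when a
requirement is unassigned, an owner has no documented control, or a
CSP-owned control has no validation evidence the client can point to.
"""
from dataclasses import dataclass
from typing import Dict, List

# Shortened titles of the twelve top-level PCI DSS requirements.
PCI_DSS_REQUIREMENTS = {
    1: "Firewall configuration to protect cardholder data",
    2: "No vendor-supplied defaults for passwords and security parameters",
    3: "Protect stored cardholder data",
    4: "Encrypt transmission of cardholder data across open, public networks",
    5: "Anti-virus software",
    6: "Secure systems and applications",
    7: "Restrict access to cardholder data by business need to know",
    8: "Unique ID for each person with computer access",
    9: "Restrict physical access to cardholder data",
    10: "Track and monitor access to network resources and cardholder data",
    11: "Regularly test security systems and processes",
    12: "Information security policy",
}

VALID_OWNERS = ("csp", "client", "shared")


@dataclass
class Assignment:
    """One row of the matrix: who owns the requirement and what backs it."""
    owner: str                 # "csp", "client" or "shared"
    csp_control: str = ""      # control the provider operates
    client_control: str = ""   # control the client operates in its own scope
    csp_evidence: str = ""     # e.g. provider attestation the client holds


def validate_matrix(matrix: Dict[int, Assignment]) -> List[str]:
    """Return scoping gaps; an empty list means every requirement is covered."""
    findings = []
    for req, title in sorted(PCI_DSS_REQUIREMENTS.items()):
        a = matrix.get(req)
        if a is None:
            findings.append(f"Req {req} ({title}): not assigned to any party")
            continue
        if a.owner not in VALID_OWNERS:
            findings.append(f"Req {req}: unknown owner '{a.owner}'")
            continue
        if a.owner in ("csp", "shared") and not a.csp_control:
            findings.append(f"Req {req}: CSP named as owner but no CSP control documented")
        if a.owner in ("client", "shared") and not a.client_control:
            findings.append(f"Req {req}: client named as owner but no client control documented")
        # Client has little or no visibility into the CSP, so a CSP-owned
        # control without evidence cannot be relied on for validation.
        if a.owner in ("csp", "shared") and not a.csp_evidence:
            findings.append(f"Req {req}: CSP control lacks validation evidence the client can rely on")
    return findings


# Constructed IaaS-style matrix with deliberate gaps (hypothetical values).
SAMPLE_IAAS_MATRIX = {
    1: Assignment("shared", "Provider network perimeter", "Security groups on client VMs", "CSP attestation 2012"),
    2: Assignment("client", client_control="Hardening baseline applied to client images"),
    3: Assignment("client", client_control="Field-level encryption of PAN in client database"),
    4: Assignment("client", client_control="TLS on all client-facing endpoints"),
    5: Assignment("client", client_control="Endpoint anti-virus on client VMs"),
    6: Assignment("shared", "Hypervisor patching", "Guest OS and application patching"),  # no evidence
    7: Assignment("client", client_control="Role-based access in client application"),
    8: Assignment("shared", "Provider staff identities", "Client IAM users, no shared accounts", "CSP attestation 2012"),
    9: Assignment("csp", "Data-centre physical access controls", csp_evidence="CSP attestation 2012"),
    10: Assignment("shared", "Hypervisor and management-plane logs"),  # client logging and evidence missing
    11: Assignment("client", client_control="Quarterly external scans and annual test of client scope"),
    # Requirement 12 intentionally left out of the matrix.
}


def sample_findings() -> List[str]:
    """Gaps found in the constructed matrix above."""
    return validate_matrix(SAMPLE_IAAS_MATRIX)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

The three checks map onto the supplement's themes: unassigned requirements are scoping gaps, owners without controls are the "who is responsible" question from the matrix appendix, and CSP controls without evidence are the visibility problem. Requirement 10 in the sample shows the logging case: the provider can only ever supply its own layer's logs, so the client must document how it collects and correlates logs from its own systems.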