12-12-11 | Blog Post

Risk Assessments to Achieve PCI Compliance in the Cloud


One of the main concerns with cloud computing is security. When an industry or regulatory compliance standard such as PCI DSS or HIPAA applies, additional precautions must be taken to protect confidential data wherever it is stored, processed or transmitted. PCI DSS spells out very specific requirements for protecting cardholder data (CHD), but it is possible to remain compliant while using the cloud.

In June 2011 the PCI Security Standards Council (PCI SSC) released an information supplement with guidelines and recommendations for configuring virtualized environments to meet PCI DSS requirements. The council acknowledges that there is no one-size-fits-all hosting solution that lets every business meet the requirements, but it does address the new risks that virtualization technology can introduce.

According to Onestopclick.com’s article on PCI Compliance and the Public Cloud, some experts suggest processing card transactions on a separate, dedicated secure server while using a cloud platform for other business operations. The PCI SSC notes that some public clouds have characteristics that make it harder to define scope and responsibilities for PCI compliance: the hosted entity may have limited knowledge of the other tenants in its environment and limited control over where CHD is stored. In a private cloud, dedicated hardware gives the tenant more control, including knowing where its data lives.

The PCI SSC is also clear that using a compliant provider does not transfer the merchant’s responsibility: a provider’s own controls and assessment cover only the provider’s environment, and the merchant remains accountable for its own compliance. When evaluating a PCI compliant hosting provider and solution, merchants should review which controls are in place to meet each requirement, what was included in the scope of the provider’s assessment and what was not covered, and what is ultimately the merchant’s own responsibility.

The PCI SSC also recommends that organizations conduct a risk assessment of their virtual environments as part of complying with PCI DSS, covering the following key elements:

  • Define the Environment
    Components, physical security and site details, traffic flows, visibility of each component, and the virtual and physical hardware involved.
  • Identify Threats
    For example, new types of malicious code or logical attacks that target virtual components such as the hypervisor, or unsecured communication channels between components that share the same hardware.
  • Identify Vulnerabilities
    The PCI SSC acknowledges that vulnerabilities may result from the complexity of virtualization layers, shared environments and lack of visibility, but it also points out that vulnerabilities are not limited to technical issues: untrained staff, errors in operational processes, a lack of control monitoring and more can all create a point of weakness.
  • Evaluate and Address Risk
    With all threats, vulnerabilities and environmental aspects considered, the ultimate goal of the risk assessment is to determine whether any additional controls (on top of the existing PCI DSS requirements) must be implemented to protect CHD and avoid a compromise or a compliance failure.
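The four steps above read as a procedure, so here is an added example of how a small risk register can walk them in code. It is not from the original post or from the PCI SSC supplement; the component names, traffic flows, threat scores, control effectiveness values and the risk tolerance are all constructed assumptions. It goes slightly beyond the text in step 1: "define the environment" is implemented as the usual PCI scoping rule, where any component connected to a CHD-handling component over an unsegmented flow is pulled into scope.

```python
# Added example, not part of the original post or the PCI SSC supplement:
# a small risk register that walks the four steps above. Component names,
# flows, threat scores, control effectiveness and the tolerance value are
# constructed assumptions chosen to show the mechanics, not real data.
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    handles_chd: bool            # stores, processes or transmits CHD
    shared_tenancy: bool         # hosted on hardware shared with other tenants
    controls: dict = field(default_factory=dict)   # control -> effectiveness (0..1)


@dataclass
class Threat:
    name: str
    shared_only: bool            # only applies to shared-tenancy components
    likelihood: int              # 1 (rare) .. 5 (expected)
    impact: int                  # 1 (minor) .. 5 (CHD exposure)
    mitigated_by: str            # control whose effectiveness reduces likelihood


def in_scope(components, flows, segmented):
    """Step 1, define the environment: a component is in PCI scope if it handles
    CHD or reaches a component that does over a flow without segmentation."""
    scope = {c.name for c in components if c.handles_chd}
    changed = True
    while changed:                       # propagate until no new component joins
        changed = False
        for a, b in flows:
            if frozenset((a, b)) in segmented:
                continue                 # segmentation control breaks the connection
            if (a in scope) != (b in scope):
                scope |= {a, b}
                changed = True
    return scope


def residual_risk(comp, threat):
    """Step 4: likelihood is reduced by the effectiveness of the existing control."""
    effectiveness = comp.controls.get(threat.mitigated_by, 0.0)
    return round(threat.likelihood * (1 - effectiveness) * threat.impact, 1)


def assess(components, flows, segmented, threats, tolerance):
    """Steps 2-4 over the in-scope environment; returns the scope and the list of
    (component, threat, residual risk, control to add or strengthen) above tolerance."""
    scope = in_scope(components, flows, segmented)
    findings = []
    for comp in components:
        if comp.name not in scope:
            continue                     # out of scope: not assessed for PCI purposes
        for threat in threats:
            if threat.shared_only and not comp.shared_tenancy:
                continue                 # threat does not apply to dedicated hosts
            risk = residual_risk(comp, threat)
            if risk > tolerance:
                findings.append((comp.name, threat.name, risk, threat.mitigated_by))
    return scope, findings


# Constructed sample environment (hypothetical names and values).
COMPONENTS = [
    Component("web_front", False, True, {"tls": 0.9}),
    Component("payment_api", True, False, {"tls": 0.9, "change_control": 0.5}),
    Component("card_db", True, False, {"tls": 0.9, "change_control": 0.75}),
    Component("log_collector", False, True, {}),
    Component("corp_wiki", False, True, {}),
]
FLOWS = [("web_front", "payment_api"), ("payment_api", "card_db"),
         ("payment_api", "log_collector"), ("web_front", "corp_wiki")]
SEGMENTED = {frozenset(("web_front", "corp_wiki"))}   # firewall-enforced segmentation
THREATS = [
    Threat("hypervisor attack from a co-tenant", True, 2, 5, "dedicated_host"),
    Threat("unencrypted traffic between components", False, 3, 4, "tls"),
    Threat("misconfiguration by untrained staff", False, 4, 3, "change_control"),
]
TOLERANCE = 6.0


def run_sample():
    return assess(COMPONENTS, FLOWS, SEGMENTED, THREATS, TOLERANCE)


if __name__ == "__main__":
    scope, findings = run_sample()
    print("in scope:", sorted(scope))
    for comp, threat, risk, control in findings:
        print(f"{comp:14} {threat:45} risk={risk:5} -> add/strengthen {control}")
```

Two things the sample is built to show: the log collector is pulled into scope purely because it talks to the payment API without segmentation, and it then carries the highest residual risk because it has no controls at all, which is exactly the kind of "additional control needed" result the fourth step is meant to surface. The wiki, although on shared hardware, stays out of scope because the flow to it is segmented. Real assessments would use an agreed scoring scheme rather than the simple likelihood × impact product here.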

For more on PCI compliance, see our prerecorded PCI compliance webinar series (a PCI overview, detailed PCI requirements, and PCI penetration testing and enhancing network and application security), led by PCI compliance expert Adam Goslin of High Bit Security.

Sources:
PCI Compliance and the Public Cloud
Information Supplement: PCI DSS Virtualization Guidelines


© 2024 OTAVA® All Rights Reserved