Cloud computing is an important resource for organizations of any size and has seen increasing use in recent years for payment processing. Despite the prevalence of moving cyberinfrastructure to a cloud environment, many organizations fail to properly assess how if and how they will be able to maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS) when their cardholder data environment (CDE) exists entirely in the cloud. Understanding how to maintain PCI DSS compliance when utilizing cloud services is essential for the numerous modern organizations that rely on the scale and convenience that cloud services provide.
In this article, we’ll break down some important considerations for organizations that are looking to maintain pci compliance storing credit card data in the cloud. In order to provide some context, we’ll outline what is cloud computing, what some of the advantages of cloud computing are, and explore some of the challenges of meeting the requirements of pci dss regulations when your CDE has either partially or fully cloud-based services.
What is Cloud Computing?
When discussing pci dss and the cloud, it is important to have a basic understanding of what cloud computing is and what the advantages of utilizing cloud-based services are for organizations. One of the challenges in understanding cloud computing is that there are a variety of different definitions for this emergent technology. Because of this, it can sometimes be unclear whether the service you are using can reasonably be considered to be in the cloud. This is further compounded by the fact that cloud computing is changing and evolving at a rapid rate.
In order to get a better sense of what cloud computing is, let’s turn to the National Institute of Standards and Technology (NIST) for their cloud definition. In a nutshell, cloud computing utilizes network access to shared computing resources that are on-demand and can be rapidly provisioned. NIST outlines five essential characteristics of cloud computing. In order to meet the definition of cloud computing according to NIST, it must be an on-demand self-service with broad network access, resource pooling, have rapid elasticity, and be a measured service.
There are three broad service models associated with cloud computing including; Software as a Service (Saas), Platform as a Service (Paas), and Infrastructure as a Service (Iaas). While there are important differences between each of these cloud service models, they each share the fact that the customer will have varying, but limited, degrees of control over the actual cloud infrastructure. In SaaS and PaaS implementations, customers have very little control over the infrastructure supporting their sensitive data. In IaaS implementations, the customer may have control over certain things like the operating system or network components, but won’t have control over the underlying cloud infrastructure.
Cloud Services and Responsibility
Going back to the definition of cloud computing, we understand that cloud computing is ready access to a shared pool of computing infrastructure that can scale to meet demand. Utilizing cloud computing gives organizations access to computing power or storage without having to invest in the underlying technology to support their demand. Rather, organizations can outsource this service with the added advantage of scale and elasticity. While not having physical control over the systems and hardware that support the cloud is an advantage, it also presents challenges when it comes to security. Organizations that utilize cloud services will have varying degrees of control over certain things, but unless the cloud is entirely internally operated and managed they will have very little if any control over the security of the hardware itself.
So, if organizations have their data in the cloud but don’t have physical control over the security of that data, whose responsibility is it to ensure that data is secured? This question strikes at the heart of the challenge for securing your CDE when it exists entirely in the cloud. Many organizations have the mistaken belief that security for their data, systems, platform, or infrastructure rests entirely with the cloud service provider. This is, unfortunately, not the case. The reality is that responsibility for security must be allocated between the customer and the provider. Some responsibility for security may be shared, and some may rest solely on either the provider or customer. Because of this, it is essential that all security responsibilities are clearly understood by both the provider and the customer.
You might be wondering how responsibility may be divided between the customer and cloud service provider. The level of responsibility each party has is tied to the type of cloud service model being utilized, as well as the specific capabilities of the provider. In each of the three cloud service models, the customer will have varying degrees of control over certain aspects of the cloud infrastructure. The SaaS service model will give customers the least amount of control, while the IaaS service model will give customers the most amount of control. A greater degree of control over aspects of the cloud infrastructure will necessarily change how responsibility is allocated to the customer.
The PCI SSC has provided an example of the allocation of responsibility between customer and provider in their information supplement publication, PCI SSC Cloud Computing Guidelines. In the example, a customer utilizing a SaaS service model may have responsibility for Security Governance, Risk and Compliance (GRC), as well as data security. The customer and provider would share responsibility for application security. The provider would be responsible for physical, infrastructure, and platform security. Read more in our related blog article, Performing Regular Testing, Risk Analysis, and Assessing Risks.
On the other end of the spectrum, a customer utilizing an IaaS service model would be responsible for GRC, data security, application security, and platform security. The provider and customer would share responsibility for infrastructure security, and the provider would be responsible for physical security. Customers using a PaaS service model for their cloud services would have an allocation of responsibility and control that falls somewhere between a SaaS and IaaS service model.
Due to the fact that utilizing cloud services requires allocating and sharing responsibility, it is especially important to understand where the boundary lines are between a customer’s responsibility and a provider’s responsibilities. The examples of how responsibility may be allocated between the provider and customer for different service models offer a high-level overview. But remember that this is simply an example. Each provider will have different capabilities, and the level and allocation of responsibility will vary depending on the specific provider and service model.
Responsibility and PCI DSS
Although you may have a firm understanding of how responsibility is broadly allocated between the customer and provider for different cloud service models, you may be wondering how this translates to maintaining PCI-DSS compliance. In their guidance document, the PCI SSC recognizes that as the customer releases control over certain systems to the provider, the provider assumes the responsibility for implementing security controls that meet PCI DSS requirements. However, this responsibility must be clearly outlined and understood by both parties.
Ultimately, the customer is still responsible for protecting cardholder data. However, through careful allocation of responsibilities, the provider may be required to maintain and verify PCI DSS requirements to protect the data on their systems. According to the PCI SSC, for areas that the customer is responsible for, they will be required to meet and validate their security implementation according to PCI DSS requirements. For areas that are the responsibility of the provider, the provider would be responsible for maintaining PCI DSS compliance and validating that compliance for the customer. In areas where responsibility is shared, both the customer and provider will need to meet PCI DSS requirements for those systems or assets. At all times the customer is responsible for ensuring that the provider implements security controls that meet PCI DSS requirements.
PCI DSS Compliant Providers
While there are many cloud service providers that state that they are PCI DSS compliant, it is not enough for a customer to take them at their word. The customer is responsible for protecting their cardholder data. As such, they are also responsible for ensuring that their cloud service provider is capable of providing security adequate to meet PCI DSS requirements. Customers must exercise a level of due diligence before migrating all or part of their CDE to a cloud environment. At a minimum, the customer must ensure that the provider’s PCI DSS compliance is validated and up-to-date. Additionally, the customer must determine which specific PCI DSS compliance requirements the provider has been validated for.
There are challenging complexities that arise when moving cardholder data into a cloud environment. This is true even when a provider is PCI DSS compliant, and that compliance has been validated for the specific services you are utilizing. While a provider may have validated PCI DSS compliance for that service, it may not directly confer PCI DSS compliance to your systems and data using that same service. There are a variety of different reasons this may occur, but it highlights the importance of due diligence security efforts when it comes to selecting a provider. The customer and provider must work closely to ensure that each PCI DSS requirement is met for the customer’s systems and data in the cloud.
Verifying PCI DSS Provider Compliance
Just as protecting cardholder data is ultimately the responsibility of the customer, so too is verifying that a provider is meeting PCI DSS requirements. Verification is an important facet of PCI DSS requirements, as it ensures that organizations are protecting cardholder data over time. The verification process can yield insights into vulnerabilities that can lead to a breach, such as unpatched programs or software.
As with other aspects of the customer and provider relationship, customers must be proactive with ensuring that PCI DSS requirements are met. Providers should be able to provide the customer with any information or documentation necessary to ensure that anything in-scope for PCI DSS and under the provider’s control is compliant. Assessors play an important role in the verification process between customers and providers. An organization’s assessor may be used to verify that the cloud service provider’s security implementation is PCI DSS compliant. Alternatively, if a cloud service provider has already been validated by another assessor, that validation should be reviewed by the customer’s own assessor.
Meeting PCI DSS compliance requirements while utilizing cloud-service providers for part or all of an organization’s CDE introduces a number of complexities. Many of these revolve around the allocation of responsibilities between the service provider and the customer. Both the customer and the cloud service provider must have a completely clear picture of what their areas of responsibility are, and exactly how these areas of responsibility correspond to specific PCI DSS requirements.
Organizations should remember that in the end, protecting cardholder data is their responsibility whether they move their CDE into the cloud or not. By moving their CDE into a cloud environment, organizations are responsible for verifying that their provider can meet PCI DSS compliance requirements for protecting their cardholder data. Because of this, choosing the right service provider is incredibly important. Organizations exploring whether to utilize a cloud service for all or part of their CDE are expected to exercise an adequate level of due diligence to ensure that the provider’s PCI security standards implementation is sufficient. Part of this vetting process is utilizing a security assessor to validate that PCI DSS requirements are met by a provider for their specific customer.
Finding the right provider for your CDE can be a challenging process. This is made easier by working with an assessor that has experience with PCI DSS compliance in cloud environments. Due to the complexities involved with securing cardholder data in the cloud, this experience can streamline the process of finding a provider that provides PCI DSS compliant services. For more information about the process of migrating your CDE to the cloud for your cybersecurity solutions and cloud security, contact RSI security.