PCI Council Issues Cloud Guidance
How to Minimize Risks to Card Data
Organizations outsourcing card data to the cloud face significant security risks, says Bob Russo, general manager of the Payment Card Industry Security Standards Council.
"You really need to know where your data is at all times," Russo says. And as soon as an organization adds other players to the offsite card-management mix, ensuring compliance with the PCI Data Security Standard becomes increasingly challenging, he says.
"Cloud users and cloud service providers need to understand what their roles and responsibilities are when it comes to protecting this data," Russo says in an interview with Information Security Media Group [transcript below].
Questions to ask, he says, include: Where's the data being stored? Is it stored in multiple locations?
"Storing, processing and transmitting cardholder data in the cloud brings the cloud environment into scope for PCI-DSS," he explains.
Emerging cloud risks and compliance challenges surrounding the cloud are addressed in the PCI Council's new PCI DSS Cloud Computing Guidelines Information Supplement - a set of best practices and guidelines developed by the PCI Council's Cloud Special Interest Group.
"A lot of these [cloud] clients have limited or no control over cardholder data storage," Russo says. Organizations need to be concerned about collecting and correlating access logs and other information from cloud vendors to ensure they are maintaining security compliance, he adds.
"These are all things that you have to take into consideration when you're thinking about outsourcing to a cloud provider," Russo says.
During this interview, Russo discusses why organizations must:
- Review contracts carefully before signing with cloud services providers;
- Ensure security across the payments chain and understand the role each entity plays;
- Assess risk when card data could potentially be stored in multiple locations.
Russo brings more than 25 years of high-tech business management, operations and security experience to his role as the general manager of the PCI Security Standards Council. He guides the organization through its crucial charter, which is focused on improving data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process. Russo works with representatives of American Express, Discover Financial, JCB, MasterCard Worldwide and Visa International to drive awareness and adoption of the PCI Data Security Standard.
Cloud's Impact on Payments
TRACY KITTEN: How is cloud computing impacting payments?
BOB RUSSO: Cloud services certainly provide an attractive opportunity for all kinds of organizations to outsource and utilize centrally-managed security resources. When we're looking at the benefits that the cloud can bring to these people, from our perspective, we want to make sure that organizations are aware of all of the risks and the challenges that are associated with a particular cloud choice, because they're not all the same. Before moving all of their payment data and everything that they're processing into one of these cloud service providers, we want to make sure that they're looking at some of this guidance.
KITTEN: What would you say are some of the key points from the guidance?
RUSSO: At a very, very high level, there are some pretty key takeaways in this particular guidance. Outsourcing management of these security controls - and this is something that everybody has to keep in mind - doesn't equate to outsourcing your responsibility to be PCI-DSS compliant. It's critical to understand that there's scope involved for both parties - the cloud service provider, as well as the client - or whoever's going to be using it. And something to bear in mind is that, as I said before, cloud services are not all created equal. You need to understand what a PCI-compliant cloud service really means and who's responsible for being compliant when somebody advertises that they're a PCI-compliant cloud service provider. Does this result in them being PCI compliant or the client being PCI compliant as well? It really requires some due diligence when it comes to contracts and the SLAs [service level agreements] that you've got in your contracts and ongoing monitoring, to make sure that you're staying PCI compliant.