When a cloud service provider says it’s been validated as PCI DSS compliant, what does that mean for the enterprise customer?
First off, it doesn’t mean an enterprise
“When these cloud providers tout that they’re PCI compliant, there’s a perception that people will inherit compliance if they become a tenant,” said Joshua Corman, research director of the enterprise security practice at The 451 Group. “This is not true. Only a tenant can be compliant.”
For example, part of PCI compliance is reviewing logs on a daily basis, he said. A cloud provider like Amazon isn’t going to do that, “so you could have everything handed to you and if you aren’t reviewing your logs daily, then you aren’t compliant. You can’t magically inherit compliance,” Corman said.
Among the cloud providers saying they’re PCI DSS compliant is cloud heavyweight Amazon, which announced in December that its cloud computing platform, Amazon Web Services, was validated as compliant with PCI DSS version 2 by an independent Qualified Security Assessor (QSA). Four months earlier, Verizon said its Computing as a Service (CaaS) was validated as PCI DSS compliant.
Cloud providers and PCI DSS
When cloud providers say they’re PCI DSS compliant, it means they’ve been validated against specific PCI requirements, Corman said. In the case of an Amazon EC2 customer, the client would be responsible for PCI requirements above the hypervisor. “Some PCI requirements will be in the span of Amazon’s control and some will be in the span of control of the tenant,” he said.
Ed Moyle, a senior security strategist with Savvis and a founding partner of SecurityCurve, agreed. Organizations “need to evaluate what the vendor is saying about their compliance and fold that into their own usage of that vendor,” he said. “Keep in mind that the organization itself is still responsible for full compliance of the CDE (cardholder data environment) -- and only a part of that CDE might intersect a service provider.”
“Understand that a certified vendor is a strategy toward overall compliance and not a panacea in and of itself,” he added.
Michael Clark, enterprise cloud security and networking product manager at Verizon, said it’s important for customers to understand that they don’t inherit PCI compliance because of Verizon’s status. The only way a customer could become automatically compliant would be if a PCI-compliant cloud provider “actually managed all the way up the application stack and had a SaaS offering that’s specific around one application that does a specific function,” he said.
He agreed with Corman’s description of being a “PCI-ready platform.” Verizon makes it clear to customers what it does and doesn’t provide for PCI and offers guidance to help them understand their PCI obligations, Clark said.
Achieving compliance with PCI DSS 1.2 for Verizon’s CaaS was nearly a year-long process that included documentation for operations like patch management and change management, installation of protections like intrusion detection, and a comprehensive review by a QSA. “We had to purposefully build the architecture so we could ensure we’d be compliant,” Clark said. “We had to ensure every single customer, whether they’re on physical or virtual servers, had the same level of security and separation.” Compliance also requires quarterly scans and, for certain customers, the ability to provide onsite audits, he added.
PCI DSS and virtualization
Adding to the complexity of PCI compliance in the cloud, Corman said, is that the latest version of PCI DSS remains light on virtualization guidance, which leads to confusion among QSAs. “You add gasoline to that fire when you talk cloud and shared responsibilities,” he said.
“It’s not impossible to be compliant in the cloud,” Corman said. “But it is very hard and confusing.”
Verizon’s Clark said, “The way the industry and PCI are moving and QSAs are educated, we’re not at that golden moment where everyone understands the cloud. To many, it’s still very vague. We try to bring to customers facts, information, documentation and guidance … so they can obtain their own compliancy.”
Troy Leach, chief standards architect at the PCI Security Standards Council, said in an email that the same PCI DSS requirements apply to a cloud provider whose environments store, process or transmit cardholder data as apply to any other environment that handles cardholder data.
“Where cloud solutions and virtualization technologies are in use, the questions are about how to implement these technologies in a PCI DSS compliant manner rather than about which requirements apply,” he said.
Leach noted that the council is working with the virtualization Special Interest Group (SIG) to clarify virtualization as it relates to PCI DSS compliance and expects to publish a guidance whitepaper this year.
The danger Corman sees is that companies are equating PCI compliance with security. Smaller hosting providers are becoming PCI DSS compliant despite having no intention of handling card data “just to say they’re more secure than others,” Corman said.
“By no means should we confuse PCI with security,” he said. “It’s a minimum standard meant to raise the bar for the negligent ones who have done nothing.”