Cloud Business

Cloud Business Featured Article

PCI Security Standards Council Publishes Cloud Computing Guidelines Supplement

In an effort to help financial-based businesses choose the right cloud-based services and cloud providers, the PCI (News - Alert) Security Standards Council (PCI SSC) has published the PCI DSS Cloud Computing Guidelines Information Supplement.

The resource is designed to help businesses choose solutions and third-party cloud providers that will help them secure their customer payment data and support PCI DSS compliance (payment card industry data security standard). PCI DSS is an evolving set of security requirement designed specifically for the storage, process or transmitting of cardholder data that businesses even outside the payment card industry are deploying to meet a range of industry requirements.

One of the greatest assets of cloud computing is its shared-responsibility model, however, this shared model can magnify the difficulties of architecting a secure computing environment, according to Chris Brenton, a PCI Cloud SIG contributor and director of security for CloudPassage (News - Alert).

“One of this supplement’s greatest achievements is that it clearly defines the security responsibilities of the cloud provider and the cloud customer,” Brenton said in a statement. “With PCI DSS as the foundation, this guidance provides an excellent roadmap to crafting a secure posture in both private and public cloud.”??

PCI participating organizations selected cloud computing as a key area to address via the SIG process. PCI Special Interest Groups (SIGs) are community-driven initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs. ??

More than 100 global organizations representing banks, merchants, security assessors and technology vendors collaborated on the supplement to help companies identify and address the security challenges for different cloud architectures and models, and understand their PCI DSS responsibilities. ??

The PCI DSS Cloud Computing Guidelines Information Supplement is a sequel to the 2011 Virtualization SIG, and takes into consideration other industry standards to provide guidance around the following primary areas and objectives:? 

Cloud Overview – provides explanation of common deployment and service models for cloud environments, including how implementations may vary within the different types.

Cloud Provider/Cloud Customer Relationships– outlines different roles and responsibilities across the different cloud models and guidance on how to determine and document these responsibilities.

PCI DSS Considerations – provides guidance and examples to help determine responsibilities for individual PCI DSS requirements, and includes segmentation and scoping considerations.

PCI DSS Compliance Challenges- describes some of the challenges associated with validating PCI DSS compliance in a cloud environment.

Organizations that fail to protect their consumer credit card data face serious repercussions including lawsuits and fines, but outsourcing the right provider allows businesses to achieve and maintain compliance while controlling costs.