PCI DSS compliance in the cloud

The PCI Security Standards Council – a global industry standards body managing PCI DSS – has announced the start of Phase Two of the standards development lifecycle.

The PCI DSS standard was initially created to help organisations that process card payments prevent credit card fraud, but a common perception is that the majority of UK merchants and companies have not yet started the process of becoming PCI DSS compliant and are still unsure of what is required of them.

This issue is compounded by the fact that many businesses have begun to take advantage of the flexibility, scalability and cost benefits of utilising managed IT services from cloud computing providers, meaning that some (or all) data is stored off-premise in professionally run and secured data centres.

This article will explore the issues facing merchants using hosted services when seeking advice on PCI DSS compliance in the cloud.

Confused Merchants & QSAs

In order to become PCI DSS compliant, companies have to liaise with a Qualified Security Assessor (“QSA”) approved by the payment card industry. The QSA will assess the company’s payment processes and IT infrastructure based upon a list of criteria laid down by the payment card industry. Leading PCI players, VISA and MasterCard, have been the main drivers behind the standard and, in partnership with acquirers such as Barclaycard, have been setting up criteria for merchants and retailers.

Merchants and organisations that are found to be in breach of PCI DSS face hefty fines and revocation of their ability to process card payments. Early last year, we contacted a number of Qualified Security Assessors to try to clarify the position for PCI DSS compliant companies that are using cloud-based services. Worryingly, we found no consensus on whether compliance can be achieved if a company’s service provider is not compliant.

Ideally, merchants should be able to seek PCI DSS advice from their QSA to ensure that they are compliant regardless of whether or not they choose to use hosted services. However, our research with twelve different QSAs revealed that there is confusion even among the experts as to whether a merchant can be PCI DSS compliant if their hosted infrastructure is not. All of the QSAs confirmed that they required further guidance and advice on PCI DSS compliance in the cloud.

Should Hosted Services be Compliant?

The European Network and Information Security Agency report of November 2009 raised doubts about whether merchants could achieve PCI DSS compliance if they used services from third-party hosting providers that are not themselves compliant.

The report states (p. 29): “Certain organisations migrating to the cloud have made considerable investments in achieving certification either for competitive advantage or to meet industry standards or regulatory requirements (e.g. PCI DSS). This investment may be put at risk by a migration to the cloud if the cloud provider cannot provide evidence of their own compliance to the relevant requirements”.

Worryingly, some QSAs believed that a merchant can be compliant even if its service provider is not. However, this is not the view of Barclaycard, which insists that any third party service provisioned to the merchant must also be PCI DSS compliant.

Neira Jones, Head of Payment Security at Barclaycard says, “Merchants who are using non-compliant hosted services pose a risk if those services are not compliant with PCI DSS standards. As an acquirer, one of our main areas of focus for 2010 will be to encourage merchants who are presently using non-compliant service providers to move to a service provider whose services already meet the required standards.”

Better QSA Advice Required for Merchants

When considering utilising services managed by a cloud computing service provider, merchants should be engaging with their QSA to understand how their payment processing environment will be impacted. However, if the QSAs themselves are unclear on the stipulations, merchants could be given conflicting advice. Should a merchant select a provider that does not have the required level of compliance, they risk the wrath of the Security Standards Council. More clarification is needed – not only for the merchants, but also for the QSAs.

At the same time, the Payment Application Data Security Standard, or “PA-DSS”, was created by the Payment Card Industry to provide a standard for software vendors that are deploying payment applications to their customers.

While a number of the UK’s largest retailers make use of cloud providers for an array of hosted services, one question looms: As data is not held on retailers’ premises, who technically is responsible for securing the data? Should the merchant accept full responsibility because they’re the ones obtaining the data in the first place, or should the cloud provider bear the cross and become PCI DSS compliant themselves?

Compliance in the Cloud

Cloud computing offers UK SMEs a great opportunity to be more competitive by accessing the latest technologies without exposing the business to the large financial and operational risk normally associated with implementing IT systems in-house. However, simply choosing a compliant service provider does not automatically make a business compliant.

Mr Jan Fry, head of PCI compliance at ProCheckUp, a PCI Approved Scanning Vendor and QSA that provides network scanning and penetration testing for merchants, believes that reaching PCI compliance using a cloud provider needs to be looked at in terms of the individual environments on a case-by-case basis.

He commented, “If you’re encrypting the data held in the cloud then you may still meet the required PCI DSS standards; it would depend on segmentation and encryption procedures in use. I’d also advise that any provider that is reluctant to let anyone on site to check out their facility should be a warning sign.”

Surprisingly, QSAs are not giving any guidance when dealing with retailers making use of managed services, as no standard has been drafted and implemented. Because of all the different requirements and criteria that businesses have to meet to achieve compliance, QSAs appear to be left to their own interpretation of the rules and of which requirements take priority.

What is becoming increasingly understood is that merchants themselves are ultimately responsible for the security of their customer data, regardless of whether it is hosted in a third-party data centre or in their own on-premise facilities, and a breach could result in them losing their ability to process credit card payments.

Having achieved the PCI DSS accreditation for several of my company’s hosted services, I understand the process of achieving compliance. I have also experienced firsthand the conflicting advice being provided by QSAs. I call on the payment card industry to clarify exactly what needs to be done to ensure that QSAs are clear and consistent on how PCI DSS can be achieved in the cloud so that merchants can continue to benefit from the flexibility and scalability of taking services from the cloud, without fear of falling foul of the PCI.

Martino Corbelli is Marketing Director of Star.