Merchants that think by hiring a cloud-based provider to handle their payment card security tasks they’ll never have to worry again about protecting card data had better think twice, according to the PCI Security Standards Council.
“Just because people outsource to a cloud service provider, they’re not done,” says Bob Russo, general manager of the Wakefield, Mass.-based PCI Council, which administers the main Payment Card Industry data-security standard and two related standards.
The Council last week issued guidance on how merchants and payment processors should deal with card security at a time when businesses are increasingly turning to the cloud to handle data-management functions through the Internet. The 50-page document covers everything from provider-client relationships to the nitty-gritty of PCI considerations and compliance problems to related security issues.
Cloud computing itself is a term that has no standard definition, the PCI Council notes. Prominent technology consulting and research firm Gartner Inc. defines it on a high level as “a style of computing in which scalable and elastic IT [information-technology]-enabled capabilities are delivered as a service using Internet technologies.”
In recent years, cloud-services providers (CSPs) have sprung up to handle payment card data-protection tasks for merchants by placing the card information on their servers rather than a merchant’s. A CSP can be a speciality technology provider, a big computer-services provider for retailers such as Amazon.com Inc., or an independent sales organization or merchant processor, says Chris Brenton, director of security for CloudPassage Inc., a San Francisco-based cloud-technology provider. He’s also one of about 100 members of the so-called special interest group that developed the new cloud guidelines for the PCI Council.
Cloud-based security systems can indeed reduce the merchant’s burden in meeting the PCI standard, which, with 12 major requirements and more than 200 specific rules, is the set of commandments merchants love to hate. But the fact that in a cloud-based environment card data are seemingly out of the merchant’s sight on someone else’s servers can lull merchants into erroneously thinking that they no longer have PCI responsibilities, according to Russo and Brenton.
The document notes that cloud computing has three main divisions, depending on the degree to which the client’s computing needs are handled by the CSP: Infrastructure as a Service (IaaS), the least; Platform as a Service (PaaS); and Software as a Service (SaaS), the most. With IaaS, the CSP is solely responsible for only one of the 12 major PCI requirements and the client is solely responsible for two, while both entities share responsibility for the other nine. With a SaaS model, the CSP takes responsibility for eight areas but still shares responsibility with the client for the other four.
“This is truly a shared responsibility,” says Brenton. “You can’t achieve PCI [compliance] by signing up with a specific provider; there’s always going to be some work you do yourself.”
PCI Council chief technology officer Troy Leach notes that “many of the risks are the same” when it comes to protecting card data via the cloud or through the merchant’s own computer system. By moving to cloud-based data protection, merchants actually have an added responsibility to vet the CSP because “there’s a lot more dependence on a third party and having trust in that third party,” he says.
Brenton likens the switch to cloud computing to the switch by businesses from mainframe and mini-computers to PCs, and the later switch from PCs to laptops. “The server is now a mobile entity,” he says. In fact, dozens or more so-called virtual servers handling different tasks can reside on one physical server.
The new cloud guidelines build on the PCI Council’s 2011 guidance for virtualization, which addresses the abstraction of computing resources from physical constraints. “For the most part, this is just an extension of the virtualization work we did,” says Leach. “They’re very compatible.”