If you are using cloud computing technology in some form, the recently released Payment Card Industry Data Security Standard (PCI DSS) cloud guidelines should be major news for you. While they are targeted only at organizations that already use cloud technology as a big part of their cardholder data environment (CDE), the guidelines have far-reaching consequences that will affect nearly every cloud user, since PCI DSS is bound to influence cloud security standards even in non-CDE environments.
Why Should You Care?
PCI DSS outlines the responsibilities of cloud service providers in order to protect cloud users, but as with any existing PCI standard, the main responsibility for compliance still rests with the manager of the CDE, which means you remain responsible for compliance even as an end user.
PCI DSS Requirements for Cloud Computing
The Payment Card Industry Data Security Standard aims to improve the security of credit, debit, and cash card transactions while also protecting cardholders against misuse of their personal information in the unlikely event that it falls into the hands of other individuals. PCI DSS was jointly created by four major credit card companies, namely MasterCard, Visa, AMEX, and Discover.
PCI DSS consists of 6 main objectives:
Transactions Must Be Conducted on a Properly Maintained and Secure Network – this requirement emphasizes the need for security measures, such as robust firewalls and data encryption, that are effective at blocking intruders without causing undue inconvenience to cardholders or vendors. Additionally, PINs and passwords should not be the default samples provided by vendors. The codes must come from the customers, and customers should be allowed to change or modify them as often as they want.
Information of the Cardholder Must Be Protected Wherever It Is Stored – any piece of information gathered from the cardholder, such as date of birth, mother’s maiden name, phone number, or even mailing address, should be kept secure against any form of hacking, eavesdropping, or unauthorized access. Even when the data is transmitted over public networks, it should be protected effectively, via digital encryption or something equivalent.
Systems Involved Must Always Be Protected by Safety Measures and Vigilance – any vulnerability, exploit, or loophole in a system must be addressed through the use of frequently updated antivirus software, anti-malware suites, and anti-spyware tools. All applications must be properly patched when bugs and vulnerabilities are found, and patches offered by OS and software vendors should be installed regularly in order to provide the best security for cardholder data.
Access to the System Information and Its Operations Should Be Restricted – cardholders should not be forced to provide information to businesses unless those businesses unequivocally need that information in order to complete a transaction and/or protect themselves. Additionally, every single person in the system must be responsible for their own access, which consists of a unique and confidential identification name or number. Cardholder data should be protected both electronically and physically; it is not enough to ensure safety via software alone. Tools such as document shredders, locks, and chains can also be employed to ensure that the data is protected even in hard copy.
Networks Must Be Under Constant Quality Control – this ensures that all security measures and best-practice policies are in place, functioning properly, and kept up to date. It also ensures that no random hardware problem (e.g. a hard drive crash and rollback resetting a password to an earlier one) will leave cardholder data in danger of being compromised, and it protects against data being lost due to hardware failure.
Formal Information Security Policy Must Be Clear and Well Defined, Maintained, and Followed by All Participating Entities – audits must be regularly conducted in order to ensure that security policies in place are well maintained and followed. Penalties must be enacted for non-compliance, should the situation deem it necessary.
Complaints from ‘Would Be Adopters’
While PCI DSS is well-meaning, and experts themselves agree that it helps clarify how data can live safely in the cloud, there are still doubts and worries that the set of guidelines could confuse or even scare people away from fully embracing the technology.
According to Chris Steffen, principal technical architect at Kroll Factual Data (see the full article in SearchCloudComputing), PCI DSS could lead people to believe that migrating to the cloud is fraught with danger, despite cloud technology itself being a form of distributed computing that has yet to be standardized.
In Steffen’s report, PCI DSS effectively concludes that the most effective way to keep cardholder data safe and out of the scope of attacks is to store it outside the cloud. Such conclusions carry the very real danger of scaring away inexperienced cloud computing users and their auditors, or worse, could lead some auditors to devise and implement unnecessarily draconian policies with the intention of protecting cardholder data.
Steffen adds that users just need to balance usability with reason when it comes to computer security: you can take a computer off the network, encrypt every single file, and protect it with quadruple-factor authentication, but it is still only going to be as secure as the person who is using it.
Lastly, many experts believe that PCI DSS only muddles the accountability and responsibility between cloud computing users and cloud service providers, especially since a number of the requirements address issues that were already common knowledge (e.g. the requirement that physical access to cardholder data be restricted and monitored), while the ambiguity of the wording could leave people confused about who is ultimately responsible for the data: when cardholder data gets loose, who will be sued and/or arrested? PCI DSS fails to clarify this case, which is understandable considering that the answer will depend on where the incident occurred and that location’s specific laws and policies regarding data safety and privacy.