Credit Cards in the Cloud: Does PCI DSS 2.0 Mean the Storm is Over?

The debate over achieving compliance with Payment Card Industry (PCI) Data Security Standard (DSS) on cloud computing platforms has become a barrier to migration to more efficient cloud-based IT infrastructure for many organisations. Hopes that the release of the latest version of the standard, PCI DSS 2.0, on the 28th of October would provide specific direction on cloud computing have been unfulfilled.

Despite significant changes in the new standard, including recognition of virtual components in cardholder data environments, PCI still does not provide definitive guidance on some key issues. The big question left hanging is whether in multi-tenant cloud it is permissible to run PCI-compliant guest VMs on the same hypervisor as guest VMs that are not PCI compliant.

PCI leaves it to auditors to decide whether the controls enacted for mixed-mode operation comply. Auditors can no longer see physical separation of application tiers, test separate servers, or readily prove that VLANs are truly isolated. The main audit bodies are split on this issue, with some refusing to certify these virtual, so-called mixed-mode operations.

Getting PCI certified on a cloud platform

PCI sets relatively simple minimum thresholds; it does not guarantee system security. So the first step to compliance is to build securely, using for example ISO27001/2 principles. The tweaks required to achieve compliance with PCI and other industry requirements can then be layered on. With secure fundamental design, compliance should require little additional work.

Engage early with your preferred auditors. Establish their viewpoint on mixed-mode – if they want physical separation of PCI applications, then private cloud will be the only option with that auditor.

Finally, as you progress your project, ask your auditor to review a potential service provider’s controls before you commit to contracts.

If best practices are followed, we believe that cloud computing can play a significant role in helping to achieve an efficient and flexible PCI-compliant environment.

Chris Richter is Level 3’s senior vice president of Global Security Services with responsibility for the company’s Global Managed and Professional Security Services line of business. With 30 years of experience in IT, Chris has held a number of leadership positions in managed security, IT consulting and sales with several technology product and services organizations. He served most recently as vice president of Managed Security Services at CenturyLink.