Cloud computing services require special attention with regard to information security and privacy. This is especially important when payment card data is stored or processed in the cloud, since the PCI-DSS ("Payment Card Industry – Data Security Standard") requirements still apply. To this end, the PCI SSC ("Security Standards Council") published a document entitled “Information Supplement: PCI DSS Cloud Computing Guidelines” on payment operations in cloud environments. This guide covers:
- a cloud computing overview;
- the relationships between cloud providers (CSPs, "Cloud Service Providers") and their customers, as well as the roles and responsibilities of each;
- PCI-DSS considerations and requirements, such as determining scope;
- PCI-DSS compliance challenges;
- other security aspects.
It is important to understand that responsibilities are shared between cloud providers and their customers. However, customers remain responsible for ensuring that their cardholders’ data is properly protected. The document also stipulates that the easiest ways to minimize the scope of PCI-DSS compliance in a cloud environment are:
- Not storing or processing payment card data in the cloud at all;
- Using a dedicated physical infrastructure for the cloud environment rather than shared resources;
- Minimizing reliance on the provider for the protection of cardholder data.
Several challenges are also discussed, such as identifying the components that fall within scope, assigning responsibility for specific PCI-DSS controls, assessing complex distributed environments, and knowing the precise location of the data and who can access it.
Before using credit card data in a cloud environment, it is important to understand the matters discussed in this guide and to assess the associated risks adequately.
For more information, in addition to this guide, please view the following article:
By Patrick Paradis, Information security advisor