PCI Compliance in the Cloud: Hazards in the Fog

by Pam Baker

Off-loading PCI compliance to cloud providers isn't as simple as you might hope. Here's what small business owners need to know to ensure compliance and avoid serious penalties.

Handling credit cards is serious business made all the more so by the regulations and subsequent penalties for failing to comply with Payment Card Industry (PCI) standards. But meeting those standards can be a bit tricky, as we learned in A Small Business Guide to PCI Compliance.

There are numerous PCI-DSS security standards itemized and defined on the official PCI Security Standards Council website that must be met but, hey, why not take the easy way out and just turn the whole thing over to a cloud provider? Just wash your hands of the confusing situation and walk away happy, right?

Not so fast. It turns out that not all cloud providers are created equal, at least not in terms of PCI compliance. Nor are cloud providers necessarily wrong in claiming PCI compliance even when that claim still leaves your company in noncompliance.

When a cloud provider says it was tested and found to be PCI compliant it is likely making an accurate claim. The problem is that a cloud provider can specify what portion of its product or service is to be tested for compliance. And while that portion may indeed pass the test, that doesn't mean the entire offering is PCI compliant. Therefore, a claim that a cloud provider is PCI compliant really doesn't tell you much in itself. You need more information.

To complicate things further, PCI compliance requires a holistic approach to credit card security, which means you still have to guard your customers' credit card information within your own operations even if you are using a PCI-compliant cloud provider to handle the actual processing.

Bottom line, you need to look past the labeling and the marketing claims and find out exactly what "PCI compliant" means both to the cloud provider and in the eyes of the law -- before you find yourself explaining to the authorities what went wrong. 

Cloud PCI Compliance Does Not a Compliant Merchant Make

So, you checked out everything with that cloud provider, and you found they're on the up and up regarding PCI compliance. So, everything's good, right? No, not necessarily.

"PCI compliance is additive, meaning that it's a combination of the merchant's compliance, plus their service provider's compliance, plus the compliance of any payment applications they use," says Mike Dahn, a data security specialist. "Think of it like a stack or a sandwich. You add one part on to the other to make the whole."

In other words, just because one part of that stack, such as your cloud provider, is PCI compliant doesn't mean the rest of the stack is. It's the level of security compliance completion on each and every layer of that stack that defines whether or not you are PCI compliant in the eyes of the law.

"Be careful when a vendor says this makes you PCI compliant," advises Matt Malone, a consultant at ASSERO Security.  "It makes the small piece they handle compliant, but the small business often overlooks its part in PCI, such as employee awareness training, security policy, and testing."

Certainly any breach that happens on the ground isn't covered under your agreement with the cloud provider. "The largest risks are not in the clouds but in the trash cans and in employee theft," says Malone.

You must make sure that customer credit card information is not easily accessed or stolen by employees or tossed in the trash for thieves to mine. PCI compliance means that the customer's credit card information must be protected throughout the entire purchasing process.

Matching Labels Do Not Mean Matching Results

As already mentioned, PCI compliance testing is not uniform, and therefore PCI compliant labels are not uniform in meaning either. The label can actually refer to a variety of very different things.  

"This makes some cloud implementations very hard to both compare and to measure," says Dahn.

He says this prickly patch is all too familiar to accountants and auditors, who encounter a similar dissonance in an SSAE 16 or SAS-70 report, wherein the service provider defines which "control objectives" it wishes the auditor to test. This means no two audits are the same even if the end scores appear to make them equal.

This same confusing methodology applies to PCI compliance.

"This means that I could hire a PCI QSA to assess my 'IaaS cloud' with just a base operating system with no security services provided. Although the customer can enable security services, such is not part of the test," says Dahn.  "The cloud provider could get listed as a PCI compliant service provider 'based on the service being offered/assessed.'"

"Another IaaS cloud provider could submit the same [base operating system] plus file-integrity monitoring installed to be tested," says Dahn. "It, too, would get assessed and listed alongside the first [provider] 'based on the service being offered/assessed.'"

Obviously the two vendors tested in this scenario are not equal, and neither are their claims of PCI compliance, even though both are technically compliant. Ultimately, this disparity means you cannot easily compare PCI-compliant claims between two or more cloud providers.

The quickest way to get to the bottom of this problem is to ask cloud providers to precisely itemize what "service being offered/assessed" passed the PCI compliance testing. Make sure you understand the answer fully and ask more questions as needed until you do.

"I advise individuals to create a list of all PCI DSS requirements, and then ask the service provider to mark which applies under one of three columns," says Dahn.

Those three columns are:

  1. Service-provider managed
  2. Client/customer managed
  3. Co-managed

Bottom line: The claim of PCI compliance alone doesn't tell you much. Get the details on what portion(s) of the vendor's offering was actually tested and deemed compliant. Make sure you understand the answers and what those answers mean in regards to what else you must do to be fully PCI compliant.  

"It is the business owner who accepts the risks and signs off on PCI acknowledgement, not the cloud provider," warns Malone. "So whether you choose cloud or traditional [PCI compliance], you must know all the risks."

Top 3 Signs Your Cloud Provider Doesn't Understand PCI

Sometimes cloud providers don't understand what PCI compliance really means, or what it means beyond their own responsibility. Below are common warning flags that a cloud provider isn't up to speed on what true PCI compliance means.

If you see any of these top three signs in particular, dig deeper for the facts on what is actually being provided, and what else you'll need to do outside of that vendor relationship, before you sign up with that vendor.

1. The provider claims it can do everything for you.

"If your provider says they have a 100 percent PCI-DSS compliant solution where they do everything and you do nothing, odds are that they cannot deliver on that promise," says Brian Raboin, vice president of Operations at Hosting.com.

2. The vendor claims it can virtualize your current physical PCI platform, move it to the cloud and remain PCI compliant.

"To that point, PCI has PCI DSS Virtualization Guidelines that need to be followed," says Raboin. "It isn't as easy as 'move to the cloud.'" Check those guidelines closely and make sure you're meeting them all.

3. Your provider says if you are PCI certified, you are secure.

"PCI-DSS is a standard for security, not actual real-life security," explains Raboin.  "A true security provider offers security services that make sure you are secure and protected first; and in the event of breach, you are alerted, you know the vector of breach, and you can recover. PCI DSS certification is a by-product of that, not the goal. Providers that think that PCI DSS compliance is the goal are studying to pass the test, not actually protecting their customers."

Infrastructure vs. Services in Cloud PCI Compliance

One of the things you need to understand in weighing PCI compliance among cloud vendors is whether they are referring to infrastructure or services.

"When you're talking about cloud infrastructure, such as Amazon AWS or the Rackspace cloud offerings that provide PCI compliance, that's basically covering just the physical security and environment controls you need in place to be PCI compliant -- but does not make you PCI compliant in themselves," explains John Locke, manager at Freelock Computing, a Web development company specializing in the Drupal open source content-management system.

"You still have a lot of analysis work to determine whether you actually are PCI compliant -- just because you're in a compliant environment doesn't make you compliant," he says.

However, since PCI-compliant infrastructure is a precondition for compliance, you do need it, either in the cloud or in your own datacenter. So, which is safer in terms of compliance?

"Depending on cloud-based infrastructure for a PCI-compliant application does add a slight amount of risk in that you trust that third party with your data," says Locke. "But these providers have been audited, tested, and they've spent a lot to ensure that your data is safe. It's probably much better than a small business could afford to do."

"So all that said, if you're doing e-commerce you should still go to specialist vendors to make sure everything above that infrastructure is done right," he added.

Cloud Services and PCI Compliance

Now, if the vendor is talking about services rather than infrastructure, then that's a whole other ballgame.

"For hosted services and applications, it's a completely different matter," says Locke. "If you are using a vendor who takes credit cards directly on your behalf, you have essentially outsourced all the payment functionality, and the risk, to that vendor."

"For example, if you're going to use Square or PayPal to collect payments, you don't have to worry about PCI -- if something goes wrong with their systems, they will be held responsible, not you," he says. "Obviously you want to vet these services before making use of them, but PCI itself doesn't necessarily enter the equation."

Certainly such services are growing in popularity among small business owners, particularly the very small companies. However, the cost of such services can grow too high if you're processing a lot of payments. Still, the allure of simplicity is strong.

Vinay Sahni, founder of SupportFu, a help desk ticketing system producer for small businesses, agrees. "As a startup that accepts credit cards for the purposes of recurring payments, we were able to completely circumvent PCI compliance issues by using Stripe as our payment provider," says Sahni.

"They've created amazing technology where the customer never leaves our site, but the credit card number is never sent through our infrastructure."

Pam Baker has written for numerous leading publications, including Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, the NY Times, and Knight-Ridder/McClatchy newspapers.

This article was originally published on Friday Oct 26th 2012