PCI Compliance Hosting in the Cloud
by Alex Taylor
(Chicago, IL, USA)
Without a doubt, a cloud computing environment poses a new set of security challenges, but PCI compliance hosting is still possible while using the cloud. A cloud data center can become PCI compliant just like any other data center by meeting the 12 requirements that represent best practices for protecting customer payment data, including regular security updates, firewalls, physical access restrictions, encryption, tracking, and testing. The cloud can even be a more secure platform than an internal data center; however, that depends on the choice of cloud and on the security processes the cloud provider puts in place.
The cloud has been a great attraction ever since its inception and typically offers numerous advantages, including lower capital expenditures and reduced maintenance requirements. However, when opting for a cloud computing platform, it is essential to ensure that the cloud provider is PCI compliant. The burden of PCI compliance lies on the cloud provider, which is responsible for assessing and controlling the environment’s compliance. When searching for a PCI web hosting provider, merchants must review which controls are in place to meet the requirements, what is not covered, what is included in the scope of the provider’s assessment, and what remains their own responsibility as a merchant.
Why Choose PCI Cloud Hosting?
Cloud computing is a fast-evolving use of virtualization that offers computing resources as a service. Since cloud-based services are delivered from a cluster of connected systems, the risk of a security breach remains high. However, with PCI compliance hosting, a cloud provider is able to demonstrate a high level of trustworthy security to its clients. PCI DSS demands a rigorous set of technical controls to protect credit card transactions, including encryption of passwords and data, logging, and audit controls. When evaluating a provider:
• Identify which PCI DSS requirements, services, and system components are covered by the PCI DSS compliance program of the cloud provider.
• Try to identify any aspects of the PCI web hosting service, PCI DSS requirements, and system components that are not covered by the cloud provider. The service agreement must clearly document that these aspects are the responsibility of the hosted entity or merchant.
The cloud provider should have sufficient evidence to demonstrate that all of its processes are PCI DSS compliant. The use of cloud computing comes with a number of unique scoping challenges, which require a thorough understanding of the services being offered and a detailed assessment of the risks associated with each service. Some of these challenges include:
• Public cloud environments are reachable from anywhere on the Internet.
• The cloud’s distributed architecture adds layers of technology and complexity to the environment.
• The infrastructure is dynamic, and tenant environment boundaries may be fluid.
• The hosted entity has limited visibility into infrastructure security controls and into where cardholder data is stored.
• The hosted entity has little awareness of the potential risks that neighboring tenants pose to the data stores, host systems, and resources shared across the environment.
The cloud provider must present ample evidence of PCI compliance hosting to its hosted clients, clearly indicating everything that is included in the scope of its PCI DSS assessment, the customer’s responsibilities, the controls that are not covered, details of which PCI requirements are in place, and confirmation of when the last PCI compliance assessment was conducted.