People love to talk about Cloud and they love to talk about PCI. In the past two years the mashup of a PCI Compliant Cloud has been at the forefront of many people’s minds.  This post will outline the three key rules of [PCI] Compliance in the Cloud.  To introduce these rules, I’ll ask the question, “can any firewall be used to segment a network?”  The answer is a resounding “No. Only a properly configured firewall can be used to segment a network.”  In the same way, “Can any Cloud be PCI compliant?” By now you should be saying, “No. Only a properly configured Cloud can be deemed PCI compliant.”

3 Rules of Cloud Compliance

1. Compliance is based on the service being delivered, thus we cannot compare PCI-compliant-cloud to PCI-compliant-cloud until we compare the service levels.  Much like a SAS-70 (third-party assessment of a service provider) that only assesses the “control objectives” as defined by the service provider, saying one is PCI compliant in the cloud is situationally dependent on the control objectives or service levels being offered/assessed.

Even if we examine Infrastructure as a Service (IaaS), the level to which one is validated as compliant is only that which the service offering delivers.  The level of service the IaaS provider offers determines how much effort remains for the customer to be fully PCI compliant.  For example, the following are three different levels of service offered by hypothetical IaaS Cloud providers:

  • A base operating system – in which case the customer must configure it securely according to PCI DSS Requirements 1-8 and 10-12. In addition they may require an independent PCI assessment.
  • A hardened operating system and managed security services – in which case the customer must secure the data and manage security alerts according to PCI DSS Requirement 3 and parts of 10 and 11. In addition they may require an independent PCI assessment.
  • A hardened operating system, managed security services, and professional service offerings – in which case the customer must verify the outsourced team has properly secured the data, manages security alerts, and performs an annual PCI DSS assessment of the client’s environment.

If you are interested in a good description of service delineation for PCI compliance, check out this example coverage summary table. It clearly shows what they do and what their customers must do to achieve PCI compliance.

2. Compliance is only as strong as the security of the implementation.  (See also: the opening paragraph of this post.)  People love to hate PCI Compliance in the Cloud.  They say it’s not possible.  They ask about multi-tenancy.  They say many things, but at the end of the day if you can secure data in the cloud then you can be compliant in the cloud. It may not be the way you want to configure your systems, and not every implementation can be found compliant, but it’s possible.

The end result is that, YES, you can be PCI compliant in the Cloud – it just depends on how you’ve secured the configuration.

3. PCI compliance for a company is based on their individual compliance plus that of any outsourced vendors.  Migrating to a PCI compliant Cloud vendor will not magically make your entire enterprise PCI compliant. It will not absolve you of your PCI responsibility.  At a minimum, all organizations that use their own merchant ID must comply with PCI DSS Requirement 12.8, which states that organizations must verify that proper third-party contracts exist with their cloud vendors and check the annual PCI validation of their cloud provider.

PCI compliant Clouds can only enable compliance, they will not make you fully compliant.

Notes

In 2008, Chris Hoff asked on his blog if a very specific implementation of Cloud could be PCI compliant.  He received a variety of answers that ultimately pointed to Rule #2.  Although not every cloud may be PCI compliant, there are implementations that can be (and have been) validated as compliant.

In 2009, Martin McKeay blogged in response to verbiage from Amazon EC2’s PCI compliance statement that one cannot be compliant in that cloud. I actually think Amazon did the right thing by directing users to only accept payments via their Flexible Payment Solution (FPS).  Instead of trying to educate the millions of end users on how to secure their systems and achieve PCI compliance, Amazon made it simple by telling them to direct payment acceptance to a single, secured system.

In 2010, I updated my 2009 SOURCEBoston presentation on PCI Compliance in the Cloud to discuss whether PCI Compliance will Help or Hurt Migration to the Cloud.  This webcast clearly states that, YES, you can be PCI compliant in a cloud environment, just not in every cloud.

I’ve also done two podcasts on PCI Compliance in the Cloud.  One in 2008 and another in 2009.