PCI SSC releases cloud computing security guidelines

February 27, 2013

The PCI Security Standards Council (PCI SSC) has sought to clear up confusion surrounding the emergence of cloud computing by releasing, earlier this month, a set of guidelines on the safe use of this technology.

In a statement released earlier this month, the PCI SSC – which is the authority behind the Payment Card Industry Data Security Standard (PCI DSS) – explained that businesses would be able to use this resource as a guide for selecting safe cloud solutions and cloud providers.

It is hoped that the guidelines will allow businesses to maximise vulnerability management when processing and storing customer information using the cloud.

The document – which can be downloaded from the PCI SSC documents library – first provides an overview of the deployment and service models of the cloud.

It then outlines the different responsibilities which cloud providers and cloud customers have, before offering guidance as to how to maintain PCI DSS compliance when using the cloud.

Finally, it outlines the various security considerations which must be taken into account when utilising cloud technology.

PCI Cloud SIG contributor and director of security for CloudPassage Chris Brenton says that while the shared-responsibility model of cloud computing is one of its biggest assets, it can also make ensuring ongoing security difficult for all parties.

"One of this supplement’s greatest achievements is that it clearly defines the security responsibilities of the cloud provider and the cloud customer," said Mr Brenton in a statement released February 7.

"With PCI DSS as the foundation, this guidance provides an excellent roadmap to crafting a secure posture in both private and public cloud."

General manager of the PCI Security Standards Council Bob Russo also said he was pleased to see this important document come to fruition.

"At the council, we always talk about payment security as a shared responsibility. And cloud is by nature shared, which means that it’s increasingly important for all parties involved to understand their responsibility when it comes to protecting this data," said Mr Russo.

The report is the result of the work done by a Special Interest Group which was formed in 2011 by the PCI SSC in order to tackle cloud security.

Currently, Special Interest Groups are working on preparing reports on "Third Party Security Assurance" and "Best Practices for Maintaining PCI DSS Compliance", which will be released in late 2013 and 2014, respectively.
