PCI Compliance and public cloud don’t mix
IT security consultants Pure Hacking are warning that organisations relying on public cloud computing for the storage and processing of credit card data face a growing conflict when trying to achieve PCI compliance.
Transparency and independent verification of compliance are two major issues which organisations need to address before moving credit card storage and transaction facilities to a public cloud.
The security consultancy believes that many organisations should consider the primary cost-saving benefits of moving daily operations to public cloud infrastructure, but keep credit card transactions on a dedicated secure server or with a third-party processor.
“Solely relying on public cloud computing systems for processing credit card information and transactions is literally a game of probability and risk. In the end the likelihood of an attack against a public cloud that holds such high value information is extremely probable. The security posture of your public cloud vendor against such attacks is key to your ability to protect your client’s data privacy and business functionality,” said Ty Miller, CTO, Pure Hacking.
The fundamental issue for PCI compliance in a public cloud is the third-party model of cloud computing infrastructure. Organisations hand their information to the cloud provider, and it may be extremely difficult to assess and validate the PCI compliance level of that individual provider. In reality, some public clouds may not provide adequate security controls to meet the compliance standard.
Miller continued, “The incidence of malicious attacks on public cloud services is on the rise. Credit card information, plus the identifiable data that is used to verify that credit card, is both a valuable and an attractive target. If you can achieve the full identity of the card holder or thousands of card holders in an attack, the hacker has increased the profitability level of the attack. This is a valid security concern for those organisations that rely on credit card transactions to successfully stay in business, or on PCI protocols, when they are considering a move to a public cloud.”
Pure Hacking also points out that securing an organisation subject to PCI compliance requirements, whether or not part of its operations is in the cloud, is extremely cost-effective when the appropriate level of security controls is implemented.
“When organisations that have suffered data attacks for their credit card information plan and implement strategies to achieve and secure their PCI compliant transaction information, they maintain successful and potentially more profitable operations,” he concluded.
Recommendations for achieving PCI compliance in a public cloud:
Be aware of the visibility of PCI compliance from your cloud vendor. It is not enough to rely on a marketing document. Cloud vendors may know that they are not PCI compliant and may be relying on your trust.
Establish whether the public cloud vendor is PCI compliant and whether a PCI compliant environment can be established within that cloud.
Assess your budget requirements for testing your PCI compliance and the security of your customers’ credit card data, and ensure that you allocate the appropriate level of focus and investment to meeting compliance requirements.
Understand that if you move your business to a public cloud and then choose to remove credit card-related facilities from the cloud, this may be costly. It is more cost-effective to assess the potential compliance impact prior to the initial move to a