PCI DSS compliance and the cloud. What you need to consider.


What you need to know about PCI DSS compliance in the cloud.

If you are a business that collects credit card payments, you must support your business model with a foundation of effective payment security. Achieving PCI DSS compliance is essential in achieving the desired level of security and governance to protect your customers’ information.

We now live in a world where increasing amounts of your confidential business information reside in the cloud, which presents its own challenges when it comes to achieving PCI DSS compliance. Here are some key PCI DSS considerations that you can’t afford to lose sight of while you protect your clients’ data in the cloud.

How does the service model you use impact your PCI controls?

The burden of maintaining payment card data security in the cloud doesn’t fall on just one party. In most deployments, it’s shared between the client organisation and their cloud service provider, or CSP, of choice.

PCI DSS guidelines apply to the software and hardware architectures that you use to store and utilise a cardholder’s data. They also govern the validation of your CSP’s infrastructure and the way you use the environments and tools it provides. For maximum efficacy, your PCI DSS controls must reflect the specifics of the cloud implementations that you apply them to.

Client-CSP models

The service-level agreement, or SLA, between you and your CSP will outline the specifics of what you can do with their cloud services. Its particulars must also guide your PCI DSS decision-making process.

Your SLA-specified deployment model impacts how much agency you have over PCI DSS and other security controls. Typical deployment infrastructures include:[1]

Private Cloud, Community Cloud, Public Cloud, Hybrid Cloud

  • Private Cloud deployments that are implemented within your corporate firewall,
  • Community Cloud deployments where you use infrastructures that are provisioned by dedicated organisations,
  • Public Cloud deployments where you use publicly accessible servers, apps and data storage maintained by a third-party, and
  • Hybrid Cloud deployments that combine two or more private, community or public approaches.

Your SLA also defines how you receive the software that you license. In most cases, your agreement will draw from the following commonplace service types:

Software as a Service, or SaaSInfrastructure as a Service, or IaaSPlatform as a Service, or PaaS

  • Software as a Service, or SaaS, models where you use the applications that your CSP provides on some form of cloud infrastructure,
  • Infrastructure as a Service, or IaaS, models where you provision network architectures to run your chosen applications, operating systems and other software, or
  • Platform as a Service, or PaaS, models where you deploy and manage your applications on a provided cloud infrastructure that you don’t control.

What are the roles and responsibilities associated with different deployment models?

Each cloud model inherently dictates who can institute specific security controls. Your responsibilities and those of your CSP will evolve and change with your deployment. The PCI Security Standards Council advises that businesses obtain SLAs that clearly lay out the compliance ground rules in advance.[2]

For instance, if you operate a private cloud deployment, then you’re going to be the only entity that can reliably provide for the security of your physical facility. If you decide to go the hybrid route by storing some data on your private cloud with the rest in a public cloud infrastructure, like Amazon AWS or Google Storage, you’ll have to leave hardware access controls and other physical security measures up to these vendors. Depending on the third-party service that you use, your CSP may also have to assume responsibility for maintaining a secure OS on the servers that host your applications.

Functional business systems incorporate many discrete layers. Cloud deployments commonly rely on third-party tools and software APIs in addition to distinct networking, storage and processing hardware. No matter what kinds of service options your CSP offers to help you stay compliant, your company’s future depends on your ability to implement exhaustive governance policies.

What should your key considerations for PCI DSS entail?

How can you create an effective, comprehensive PCI DSS governance strategy? Although your specific obligations will vary to match your SLA, service type and deployment model, you should also think about factors like:

What you’re doing with the cloud service

The way you use card data will impact your responsibilities. If you store information for just enough time to complete a transaction, for example, you may get away with simple encryption and other practices.

Providing extra features might massively expand your obligations. Suppose that you also let your consumers save payment data for subsequent purchases. PCI experts recommend not storing, processing or transmitting card information in the cloud, so you’ll have to ensure that your internal systems are secure.

The scope of the PCI DSS responsibilities that your CSP takes on

You’re not your CSP’s only client. Your providers must enforce separation between your data and other users’ information by employing some form of segmentation, such as isolated operating systems, servers or virtual machines.

Steps like installing physical firewalls, continuously logging traffic, using two-factor authentication and segmenting data stores as well as processing resources all commonly fall within the scope of CSP obligations. Nonetheless, you can still benefit from having an awareness of the steps that your CSP takes and using the knowledge to guide your own controls.

The validation mechanisms that tour CSP implements

Validation and PCI DSS compliance go hand-in-hand. Before signing an SLA with any CSP, you need to ensure that the provider bears current validation from a payment card brand or independent processor.

Effective governance is a massive undertaking. The subtleties of different service and deployment models make it ill-advised to take a CSP at its word. It’s also impractical to manually verify that your provider’s security techniques are vulnerability-free.

How can a PCI DSS expert help?

Every merchant deployment is unique. Regardless whether you’re hosting everything in-house, using shopping cart software or just relying on a content management system to serve your product images more rapidly, it’s up to you to identify and eliminate security gaps.

Talking to a Stickman expert will help you achieve PCI DSS compliance. With experience helping some of Australia’s biggest brands safeguard their patrons, we’re prepared to improve the way your business keeps consumer data safe. Learn more by contacting us today.


[1] http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf

[2] https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf[3]

Muralee Krishnan

Muralee Krishnan is the National Assessments Manager at Stickman with specific expertise in PCI DSS and cyber security assessment and implementation. More articles by Muralee Krishnan

Take charge of your cybersecurity today, with Stickman.

Get in Touch