Payment Card Industry (PCI) governance program
Typically, the two primary goals of a company’s Payment Card Industry (PCI) governance program are to meet the intent of applicable controls and reduce the scope of PCI Data Security Standards (DSS) requirements enforced on the company’s environment. However, many companies do not meet the guidance requirements to reduce their scope from the PCI Security Standards Counsel (SSC) for various reasons. For example, if a company maintains a business case requiring them to retain full card numbers for their refund process, that will prevent the company from any requirements reduction through the PCI SSC guidance on scope reduction for merchant environments based upon SAQs.
While many companies might not be able to reduce controls due to these business needs, more and more are looking at cloud computing to offload some of the compliance workload to compliant third-party providers. In this article, we will look at the different types of cloud computing architectures and the compliance reductions companies can expect to see from proper implementation of each type.
Types of Cloud Computing
While there are multiple cloud architecture types, we will be focusing on the two most common: Infrastructure as a Service (IaaS) and Platform as a Service (PaaS).
In an IaaS cloud architecture, the customers are provided with an environment where they can deploy and manage server’s operating systems, configure network firewall rules between servers, and utilize other services offered by the cloud provider. In the IaaS cloud model, the cloud provider manages the hardware and physical controls of the environment while the customer manages operating systems, software versioning, and all other controls within the environment.
In a PaaS cloud architecture, the customers utilize a complete, ready to use, cloud hosted platform designed for developing, running, maintaining, and managing applications within their environment. The Cloud Hosting Provider would be responsible for managing operating systems and other items. The main customer responsibility is to ensure the proper configuration of the Cloud Hosting Provider services and develop/deploy software in a compliant and secure manner.
PCI DSS Control Reductions
With proper implementation of IaaS or PaaS cloud architectures on a compliant third-party cloud provider, customers can expect, in general, the following types of PCI DSS control reductions:
Control reduction with Infrastructure as a Service cloud Architecture:
- Customers will not be responsible for physical security controls of the data center location(s).
- Customers will be responsible for configuring network access rules within their environment, but not managing the network technology to enforce those rules.
- Customers are not responsible for wireless network scans of the cloud provider data centers.
- In most cases, encryption key controls can be reduced via compliant key storage services available by the cloud hosting provider.
Control Reduction with Platform as a Service cloud Architecture:
- Customers will not be responsible for physical security controls of the data center location(s).
- Customers are not responsible for the configuration or patching of operating systems within their environment.
- Customers are not responsible for Anti-Virus within their cloud environment.
- Customers are not responsible for Network Time Protocol (NTP) controls within their environment.
- Customers are not responsible for operating system or administrative portal logs. They are responsible for application-level logs of their systems.
- Customers are not responsible for IDS/IPS network technology within their environment.
- Customers will be responsible for configuring network access rules within their environment but not managing the technology to enforce those rules.
- Customers are not responsible for wireless network scans of the cloud provider data centers.
- In most cases, encryption key controls can be reduced via compliant key storage services available by the cloud hosting provider.
It is important to note that each cloud hosting provider is different. Proper due diligence should be conducted prior to engaging with cloud services to determine the exact compliance impact the migration would have on your specific environment. However, as demonstrated above, if a cloud infrastructure is implemented correctly, the compliance reductions can be significant.