Nov 02 2008
A few days ago my friend Chris Hoff asked a very interesting question: Can I be PCI compliant if I’m using some form of cloud computing? Now Chris is a virtualization guru, and I have no intention of ever arguing virtualization issues with him (it’s not healthy for the ego to get beaten down that badly), but when it comes to PCI I’ve got a leg up on him. So I made several comments on the post, most of which boil down to referencing PCI requirement 12.8: if you’re sharing cardholder information, i.e. credit card numbers, with a third-party service provider, you need a clause in your contract that makes the service provider responsible for the PCI compliance of their systems. With the example given, Amazon’s EC2, the chances of getting such a clause into your contract are almost non-existent. Therefore, if you’re using Amazon’s EC2, you aren’t going to be PCI compliant until such time as Amazon builds a compliant infrastructure. The same needs to be said of every other cloud vendor; it’s not just EC2.
Afterward, Chris appended the post to say that he got exactly the response he expected. But he doesn’t feel this is a good enough answer: virtualization and cloud computing are the next wave of computing fashion, so they need a deeper review by the PCI Security Standards Council to clarify PCI’s stance on these topics. His rationale is that cloud computing is going to happen, is happening, and will happen whether we want it to or not. He believes that the definition of ‘service provider’ needs to be re-examined and updated to reflect the changes these technologies will bring about.
Point blank: Chris is wrong. The definition of ‘service provider’ is fine; here it is directly from the PCI Council’s site:
Business entity that is not a payment card brand member or a merchant directly involved in the processing, storage, transmission, and switching of transaction data and cardholder information or both. This also includes companies that provide services to merchants, service providers or members that control or could impact the security of cardholder data. Examples include managed service providers that provide managed firewalls, IDS and other services as well as hosting providers and other entities. Entities such as telecommunications companies that only provide communication links without access to the application layer of the communication link are excluded.
By this definition, Amazon EC2 would be a service provider, pure and simple. It doesn’t matter that the service they’re providing is virtualized. In the eyes of PCI, a virtualized system is really no different from a physical system. Why should a rack of servers in a data center be treated differently from the same services being provided on one server with multiple VMs on it? The service provider is still responsible for the physical security of the systems, and they’re still responsible for the patching and security of the underlying operating systems. Even when we talk about virtualization on your own network, the same PCI requirements apply. In fact, virtualization can often be a negative from the PCI perspective, since every system in the virtualized environment is now in scope for a PCI assessment.
I would agree with Chris that this is a topic that needs more discussion, but the point of that discussion should be to educate businesses and help them realize that cloud computing is no more a panacea for all their PCI woes than any other form of virtualization is. You’re taking the same problems you already had with a service provider and adding a whole new layer of abstraction to them. You’re sharing hardware with an unknown number of other clients, you have less visibility into what’s going on lower in the stack, and you have a new set of patching and vulnerability concerns to worry about. Rather than reducing your stress levels and your potential to be compromised, cloud computing will probably raise both to a new level.
I’d be willing to bet that becoming a PCI compliant service provider wouldn’t be all that difficult for Amazon and EC2. The security is probably already in place; all it would take is an assessment every year to prove that Amazon meets the standard. It’s the transfer of liability that’s going to be the big sticking point. I can’t imagine Amazon’s lawyers being in a big hurry to take on this responsibility, no matter how much the marketing department might want ‘PCI Compliant’ in their brochures. And until you can put a clause in your contract making your service provider responsible for a portion of your compliance, you aren’t going to be able to use EC2 and be compliant.
Just because a technology is new and exciting doesn’t mean we need to redefine the rules. The definition of service provider works just fine when we’re talking about cloud computing. They’re providing a service, and they need to be compliant if you’re going to be compliant. There are PCI compliant service providers out there now, and there are folks working on PCI compliance in the cloud. Being a new and sexy technology shouldn’t exempt you from having to meet the same compliance standards as everyone else, should it?
One last point: PCI requirement 12.8 is about transferring risk to the business closest to the cardholder data. That’s it. If your service provider isn’t willing to accept the risk associated with transmitting, storing and manipulating cardholder data, you need a different service provider.