Comments on: PCI Compliance in the Cloud: Get it in writing!

By: Mark

Mark — Thu, 20 Aug 2009 00:51:53 +0000

Thanks for the information. Big news in Australia for cloud computing is Telstra have just announced a $500m investment into cloud services. Great news for the local industry.

By: Martin

Martin — Thu, 13 Aug 2009 14:09:52 +0000

Good to know Jason. And I’m glad to know that Amazon is acknowledging that they are not enabling merchants to become PCI compliant.

Martin

By: Jason Rushton

Jason Rushton — Thu, 13 Aug 2009 14:02:43 +0000

I realize I’m resurrecting an ancient post, but it was very enlightening when I was researching Amazon and PCI

I just wanted to add that I did get an answer from Amazon stating that it is NOT possible to be PCI Level 1 certified using AWS services:

http://developer.amazonwebservices.com/connect/thread.jspa?threadID=34960&tstart=0

By: Jackie

Jackie — Mon, 04 May 2009 16:57:04 +0000

Merchant Service Provider is a great new alternative to Paypal and Google Checkout.

By: Jess

Jess — Fri, 27 Mar 2009 17:16:43 +0000

A few have stated something to the effect of “don’t hand the cardholder data”…. or, that “amazon would not be holding the data, the VM would”. This is simply not true. For instance, an SQL database on a VM in the could, would still be sitting on hardware somewhere, and for all intents and purposes that VM is an application on said hardware. Which would require the underlying hardware/OS to be PCI compliant. What happens when the cloud is compromised, and an entire VM image is offloaded to the attackers machine? The attacker has ALL the data.

By: Cloud compliance: Will PCI be applied to cloud computing by the FTC? - IT Compliance Advisor

Mon, 23 Mar 2009 19:23:29 +0000

[...] PCI Compliance in the Cloud: Get it in writing! Comment RSS Feed Email a friend [...]

By: PCI Data Security Standard en virtualisatie « EarlyBert

PCI Data Security Standard en virtualisatie « EarlyBert — Sun, 09 Nov 2008 18:42:28 +0000

[...] om hulp bij zijn transactieverwerking via Amazon’s EC2 platform. Dit werd onder andere opgepikt door Martin McKeay en eindigde eigenlijk in een [...]

By: Cranston Snoard

Cranston Snoard — Tue, 04 Nov 2008 18:28:13 +0000

It’s not just PCI that will get caught or need to adapt to cloud computing environments… SOX, privacy, and other compliance issues require similar attention in a cloud computing environment.

Proper due diligence and risk analysis need to be part of the business case for a firm to adopt cloud computing. It may be that regulators et al will not allow use of cloud computing if one performs certain types of processing or handles certain classifications of data. Similar requirements for isolation exist elsewhere – such as handling of classified military data.

On the other hand, everyone seems to overlook one of the easiest means of PCI compliance – simply don’t handle the card data unless you have to. There are lots of ways to do this – just get your head out of the clouds…

By: ICMPECHO · PCI DSS: What’s in the cloud?

ICMPECHO · PCI DSS: What’s in the cloud? — Tue, 04 Nov 2008 12:05:49 +0000

[...] an interesting article by Martin McKeay through “Security Bloggers Network” which discusses PCI compliance and the implications [...]

By: Interesting Information Security Bits for 11/03/2008 « Infosec Ramblings

Interesting Information Security Bits for 11/03/2008 « Infosec Ramblings — Mon, 03 Nov 2008 23:58:31 +0000

[...] Network Security Blog >> PCI Compliance in the Cloud: Get it in writing! Martin has written a article that you should read if you have any responsibility for PCI. [...]