PCI (Payment Card Industry Data Security Standards) compliance and cloud computing are two great tastes that truly suck when you put them together. So much so that even putting the two concepts together in a sentence leaves a bad taste in my mouth. PCI compliance is a fact of life that most merchants have finally realized they can’t put off any longer or at least an annoyance they have to meet with if they want to continue to process credit cards at a reasonable cost. Cloud computing is the the tech buzzword of 2009/2010 that can do everything from save your company tons of money to cure the common cold. If it involves a computer, someone, somewhere is saying it can be done cheaper and faster if we’ll just ‘move it to the cloud’. Which is marketing speak for “we have a technology no one understands, so let’s throw it at anything people are spending money on!” Of course, since businesses are spending money on PCI, smart marketing folks all over the place are trying to get some of that money spent on ‘the cloud’. Thereby proving that the same marketing people don’t understand PCI and don’t understand Cloud Computing. While I don’t profess to understand cloud computing either (though I have friends that do), I do understand PCI.
If you’re not dealing with PCI on a daily basis, it’s easy to forget some of the subtleties. One of the main subtleties many people choose to ignore is that PCI compliance (and PCI validation, a rant for another day) are black and white propositions. You either meet with all 200+ PCI requirements and are compliant or you miss even a single requirement and you’re not. While there is some room for interpretation and compensating controls, if you don’t meet the intent of the PCI requirements, your not complaint and you won’t be validated when your QSA makes his annual visit. It’s a rude awakening for some folks when they realize that none of the requirements are optional. Not that I’m even sure you can have an ‘optional requirement’.
Phil Cox wrote a good article on why PCI Compliance in the Cloud is unlikely if not impossible given the current status of cloud computing and PCI. He has a good run down of the specific security measures required to be PCI compliant that can’t be met by any Cloud service provider at this time. Issues such as segregating merchant environments (are you REALLY segmented from your neighbors in the Cloud?), restriction of privileges so your Cloud neighbor can’t come visiting and log retention and auditing. These are some of the basic requirements of PCI as well as being some of the basic ideas for security in general. Keeping someone from jumping from their Cloud resources to yours is pretty darn important and something that’s going to be pretty hard to prove during your annual assessment without digging deeply into the technology. And having the log files to show what was done when and by who is vitally important when you’re doing your forensics after the compromise. Between detection and forensics, log review and management is one of the most important aspects of PCI, something you just don’t get with most (any?) Cloud providers.
However, what set’s me off about Phil’s article is his opening questions and the misconceptions it has the potential to propagate:
Can I be PCI compliant in a public cloud?
If you do not store or process cardholder data in a public cloud, then it is possible to reach compliance with PCI-DSS. If you do store or process cardholder data in a public cloud, however, then it is my opinion that it would not be possible to currently achieve PCI-DSS compliance.
You can achieve compliance if all you are doing is securely transmitting cardholder data over a public cloud (similar to the Internet today).
If you do not store or process cardholder data in the public cloud, then you’re not really in the Cloud! You can have all of your web servers running on a Amazon EC2 server and then hand off the credit card transaction to a third party to process, but at that point you can be PCI compliant and in the Cloud, but you certainly are not ‘PCI compliant in the Cloud’. You’ve outsourced your processing and you’ve reduced the scope of your PCI environment to exclude the Cloud, but you’ve also divorced the two concepts from one another. And I’d argue that even allowing the cardholder information to be transmitted through your Cloud environment is enough to place your servers back into scope for your PCI assessment. Remember, everything that stores, processes or transmits cardholder data is considered to be in scope for your annual assessment. The only way for a system to be out of scope is if it has no access to cardholder data; being a conduit to another system is a form of access and therefore falls within scope for PCI.
Cloud providers know their services aren’t currently ready for merchants and PCI compliance. Amazon knew last year that their EC2 and S3 offerings weren’t going to be able to enable merchants to be compliant. They’re smart enough to admit it and train their staff to understand why their Cloud offerings can’t be used for PCI compliance. Cloud computing and PCI compliance are probably going to continue to be strangers at least through 2010; the newest version of the PCI requirements will be out later this year and major changes for cloud computing aren’t part of this revision. There may be a technical update or clarification concerning Cloud computing, but in all likelihood any major changes are going to have to wait for the next version of the PCI requirements, which won’t be issued until 2012. Either way, it’s not worth holding your breath for the changes.
The primary problem with attaining PCI compliance in the Cloud is an issue of visibility; there’s no way for me, as an assessor, to truly review and validate system configuration when your systems are temporary and could be deleted with a few clicks of the mouse. Cloud service providers should be and probably are looking at ways to offer up services that take advantage of all the positive aspects of cloud computing while still allowing for all 200+ PCI requirements to be met. Service providers are going to have to take a long look at how they manage the creation and deletion of virtual servers, segregation of resources and collection, monitoring and retention of log information. When you have to keep every log even once the virtual server has been consigned to the bit bucket, storage costs can skyrocket. Not to mention the headache of letting the QSA of each and every merchant you host look over your systems for PCI validation.
Don’t trust the marketing propaganda that tells you can be compliant while using their Cloud service. There may be a time in the not too distant future where PCI and cloud computing can live and work together, but it’s not now and it’s probably not going to be in 2010 at all. If you have to use the Cloud to save your company money, make sure you’re not asking your customers to enter their credit card number on the Cloud servers; either send the transaction to a third party processor or bring the transaction in house at that point. You can’t be ‘PCI Compliant in the Cloud’ but you can use cloud services and be compliant. Just make sure you don’t get any of your peanut butter on my chocolate.