PCI compliance in the public cloud is a growing topic of concern and interest. Some people claim one can be a PCI-compliant merchant using a public IaaS cloud, while others say that’s impossible. I am a former Qualified Security Assessor (QSA) and have participated in multiple PCI working groups, and I’m firmly in the former camp. PCI compliance in the cloud is possible, but the hardest part is knowing what you need to do and what you have to rely on your partners to do. In a session at the upcoming RightScale Compute 2013 conference, I’ll discuss foundational principles and mindsets for PCI compliance, how to determine system/application scope and requirement applicability, and how to meet top-level PCI DSS (Data Security Standard) requirements in the public IaaS cloud.
For a sound foundation, plan to protect all cardholder data (CHD) that is stored, processed, or transmitted within the IaaS provider. Architect your application in three tiers: load balancer, application server, and database server, segmented so that only the load balancer is reachable from the Internet, the application tier is reachable only from the load balancer, and the database tier is reachable only from the application tier. Keep your dev and test environments separate, outside of the cardholder data environment (CDE) and with no CHD in them, so that you can focus your compliance efforts solely on the production systems.
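One way to turn the three-tier segmentation above into something you can check (and hand to an assessor as evidence) is to compare the firewall or security-group rules you actually deploy against the reachability the architecture allows. The following is an added example, not code from the original post or from RightScale; the tier names, ports, and sample rules are constructed for illustration and would be replaced by an export from your own provider.

```python
"""Check a three-tier CDE rule set for segmentation violations.

Added example with constructed data: the tiers, ports, and rules below are
assumptions for illustration, not a real deployment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """An allow rule: connections to dst_tier from src on the given TCP port."""
    dst_tier: str   # tier that accepts the connection: "lb", "app", or "db"
    src: str        # source tier name, or "internet" for any external address
    port: int


# Reachability the three-tier model permits. Anything outside this table is a
# path the architecture did not intend. Ports are assumed for the example.
ALLOWED = {
    "lb":  {("internet", 443)},   # only the load balancer faces the Internet
    "app": {("lb", 8080)},        # app servers accept traffic from the LB only
    "db":  {("app", 3306)},       # the database accepts traffic from app only
}


def find_violations(rules):
    """Return rules that open a path the three-tier model does not allow.

    A rule whose destination tier is unknown (for example a dev or test host
    that has been attached to a CDE security group) is also reported, since
    that would pull an out-of-scope environment into the CDE.
    """
    return [
        r for r in rules
        if (r.src, r.port) not in ALLOWED.get(r.dst_tier, set())
    ]


def missing_paths(rules):
    """Return (dst_tier, src, port) paths the model requires but rules omit."""
    present = {(r.dst_tier, r.src, r.port) for r in rules}
    required = {
        (tier, src, port)
        for tier, pairs in ALLOWED.items()
        for src, port in pairs
    }
    return required - present


# Constructed sample rule set containing two mistakes a cloud deployment
# can easily pick up: a database exposed to the Internet, and a dev host
# allowed to SSH into the production application tier.
SAMPLE_RULES = [
    Rule("lb", "internet", 443),
    Rule("app", "lb", 8080),
    Rule("db", "app", 3306),
    Rule("db", "internet", 3306),   # violation: DB reachable from the Internet
    Rule("app", "dev", 22),         # violation: dev environment inside the CDE
]


if __name__ == "__main__":
    for bad in find_violations(SAMPLE_RULES):
        print(f"VIOLATION: {bad.dst_tier} accepts {bad.src} on port {bad.port}")
    for tier, src, port in sorted(missing_paths(SAMPLE_RULES)):
        print(f"MISSING: {tier} should accept {src} on port {port}")
```

Running this against a rule export on every change, and keeping the output, gives you a dated record that the segmentation you describe in your scoping documentation is the segmentation that is actually deployed.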
For PCI compliance, you need proof for what you assert. When it comes to partners, you will need cloud service providers (CSPs) that are on the Approved Service Providers list of one of the major card brands, or that have completed a Level 2 assessment and can show you an attestation of compliance. The former is preferred, and the latter may suffice depending on your situation, but in either case the CSP should sign a contract stating that it must protect CHD in accordance with PCI DSS (PCI DSS requirement 12.8 calls for exactly this written acknowledgement). You still have to do your own due diligence on both approved and compliant providers: confirm that the attestation is current and that the specific services you use are within its assessed scope.
The other key aspect of PCI compliance is managing the system components correctly. The industry knows how to manage traditional environments, but in a public IaaS cloud instances can be launched in seconds, so an untracked or misconfigured system component can quietly expand your CDE and make the same mistakes more egregious. The management and governance functionality that RightScale provides for system components is invaluable, but you can also leverage other management options (other vendors, do-it-yourself, or a combination) to support your PCI compliance efforts.
PCI compliance in a public IaaS cloud is a touchy subject, but it need not be. Register for RightScale Compute and join me in San Francisco on April 25, and I’ll try to answer your concerns. If I don’t cover your specific questions during the session, I’ll be happy to speak with you afterward.