PCI Compliance In The Cloud

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Can a retailer (or even a service provider) move its payment applications to the cloud and maintain PCI compliance? I believe the answer is yes: it is possible to be PCI compliant in the cloud. Neither validation nor compliance will necessarily be easy, and success is not guaranteed, but achieving both is possible. A better question, though, is how can a merchant implement a payment application in the cloud and be both PCI compliant and secure?

Achieving PCI compliance in a cloud-based environment will involve some intense negotiations between the merchant and its cloud provider. If a merchant is neither willing nor able to dig into the details and maybe do a little arm wrestling with its provider, moving a payment application to the cloud is not for that merchant.

Negotiating a detailed, comprehensive service level agreement (SLA) will be perhaps the most important single step to achieving PCI compliance in the cloud. But before you can even begin to develop an SLA, a merchant needs to understand who does what. That is, the first thing you need to know is which services will be provided by the cloud provider and which are the merchant's responsibility. The oft-repeated maxim that you can outsource a function but you cannot outsource the responsibility still holds in the cloud.

"The cloud" has many definitions. The National Institute of Standards and Technology (NIST) defines cloud computing as "a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." The most common metaphor to explain cloud computing is an electric utility: Consumers don't know or care where the electrons are generated; they only know that when they flick a switch, the lights go on.

That definition means cloud computing involves a multi-tenant environment (private clouds being the exception) with elastic scale. Capacity can be added or removed almost instantly to meet changing demand. Merchants contract with a third party—the cloud provider—that is responsible for maintaining the cloud environment. Do not confuse cloud computing (a service) with virtualization (a technology that may be used by cloud providers).

Access to the cloud is over the Internet. That means the cloud is widely available to the merchant, its employees and its customers. The downside is that this broad access also includes potential bad guys. Furthermore, the cloud provider may not be able to tell you where your data is (or has been), either physically or geographically, at any particular point in time.

Therefore, a brief definition of the cloud might be: your data, on someone else's network, sharing a server somewhere and accessible by the Internet. That is why a comprehensive SLA is critical for any merchant or service provider looking to move its payment application to the cloud.

The driving force behind the move to the cloud is economics: low cost, high availability, almost instant expandability. The downsides of cloud computing are increased risk and loss of direct control over the computing environment. Perhaps because of this perceived risk, the most common applications companies move to the cloud are human resources, sales force and customer management, payroll and maybe E-mail.

A piece of sound advice I heard from several cloud experts is to start by moving relatively lower-value applications, what some might call "housekeeping" applications, to the cloud. This approach allows an organization to get experience with the cloud and its cloud provider before migrating more mission-critical (e.g., payment) applications.

Step one to determining how you will achieve PCI compliance with a cloud provider is to understand what you are buying. Not all "clouds," and certainly not all cloud providers, are the same. A merchant will contract with a cloud provider for either computing infrastructure alone, a platform to host its application or a complete service, including the application. In each case, the SLA negotiated by the merchant will require different controls, visibility, transparency and evidence to support PCI compliance.

Based on what I heard at the RSA Conference and discussions with providers and others, here is my understanding of what a merchant or service provider needs to consider when moving to the cloud.

If a cloud provider offers infrastructure as a service (IaaS), that means the cloud provider is offering, essentially, bare metal; the merchant provides everything else. Think of this as a co-location facility with fancy marketing. The merchant brings the operating system and applications, and it manages all firewalls, logging, access, etc. Therefore, an IaaS cloud client is responsible for, and needs the ability to manage, all these functions to validate its PCI compliance. The focus of the SLA will be availability and platform security, including the cloud provider's ability to demonstrate security in the layer(s) below you.

A platform as a service (PaaS) cloud provider goes to the next step and supplies an operating system and application platform. The customer (whether merchant or service provider) brings its own application and maintains its own database. In this case, you need to understand which services are "shared" with other users. The focus of the SLA now also includes all the aspects of multi-tenancy, such as where your data are (logically, and maybe physically), how logging is handled, and what visibility you have into the provider's controls and procedures.

With software as a service (SaaS) cloud providers, a merchant is buying (or hopes to be buying) the complete outsourced package. The merchant needs an SLA that defines which party—it or the cloud provider—is responsible for each PCI requirement.

Looking at this, it is clear that PCI compliance in the cloud is more a matter of context than technology. That is, the same PCI requirements apply. A merchant's first step is to identify which service(s) it will perform and which the cloud provider will perform. Then the merchant's own PCI compliance will depend on each party's compliance.

That a cloud provider is on the list of PCI-validated Level 1 Service Providers is a good start. But it is not the end of the merchant's work. Merchants need to understand what services were included in the scope of the assessment. For example, a cloud provider could have validated IaaS but is selling PaaS. Nothing about cloud computing has invalidated any part of Requirement 12.8. A merchant's compliance—and security—will be only as reliable as the service provider's actual implementation.

Achieving the expected benefits of cloud computing requires the cloud service provider to be competent, diligent and vigilant every second of every day. Each party needs to understand its roles and which party will be responsible for each PCI requirement. I have seen some vendor spreadsheets that list each PCI requirement and, alongside it, whether it is a customer, vendor or shared responsibility. If your vendor can't give you this level of detail, I'd consider delaying any further conversation until it can. Without this knowledge, a merchant cannot even begin to scope its PCI assessment or prepare an SLA.

What do you think? I'd like to hear your thoughts on cloud computing or SLAs. Either leave a comment or E-mail me at [email protected].