The PCI DSS Cloud Computing Guidelines: An Executive Summary

April 22, 2013, Matt Getzelman, PCI Practice Director

The PCI SSC and its Cloud Special Interest Group have released the Cloud Computing Guidelines after a year of collaboration and input from SIG members. Coalfire was a major contributor to this document, and we think it is required reading for anyone who has front-line responsibility for managing compliance at companies using a Cloud Service Provider (CSP).

For everyone else, we thought it would be helpful to put together a plain-English Executive Summary: the kind of things every business leader and IT executive should know about the guidelines. Here goes:

1. This new supplement does not supersede or replace any requirements defined in the PCI Data Security Standard (PCI DSS). Instead, the Cloud Computing Guidelines should be used by merchants, service providers and QSA organizations to:

  • Gain a better understanding of how cloud technologies impact PCI DSS compliance management.
  • Plan and prepare for upcoming PCI DSS assessments if you do use cloud services.
  • Perform proper due diligence before selecting a Cloud Service Provider (CSP).

2. Share responsibility -- responsibly: If you are using a CSP, you are almost certainly sharing control responsibilities with your vendor. Every requirement needs to be covered by someone, and the best way to document who is doing what is via a “Responsibilities Matrix”. When we do an assessment, this is among the first things we need to look at, and if you don’t have one, ask your CSP for their version and work with your auditor to create one for your organization.

Reminder #1: The ultimate responsibility for cardholder data security always lies with the merchant (not the CSP), regardless of how PCI DSS responsibilities are mapped or contracted.
Reminder #2: The PCI SSC recommends minimizing the reliance on the CSP for protecting cardholder data at rest.

3. Carefully define the “In-Scope” Environment: Cloud services and virtualization technologies can introduce new challenges for organizations trying to accurately define their cardholder data environment (CDE). Coalfire recommends working with your virtualization or cloud service provider to fully understand how these technologies can affect your environment and sensitive data. Coalfire works directly with many of today’s leading technology vendors and can help guide you past the hurdles associated with this rapidly emerging technology.

Tip: When possible, encrypt sensitive data before it hits the cloud. This will mitigate many of the data migration issues facing organizations using virtualization technologies.

4. Using a “PCI Compliant” Provider – verifying claims with your own testing: Using a “PCI Compliant” company does not equate to being PCI DSS compliant yourself. This is a fairly common misconception. Claims of “PCI Compliance” need to be verified, and your CSP’s controls must be mapped to your own compliance management process.

5. Ask your CSP about these Common Challenges:

  • Changing CDE Boundaries: The perimeter boundaries between your corporate environment and that of the CSP’s cloud service can change unexpectedly.

    • Where does my security end and my CSP’s security start?

  • Audit Privileges: Many CSPs will not allow certain types of vulnerability scanning, penetration testing or other audit-related activities within their hosted environments.

    • Who tests and scans your systems?

  • Data Sovereignty and Legal Considerations: Depending on the architecture of the CSP’s offering, knowing how and where your data actually resides can be difficult.

    • Is your data shipped overseas without your knowledge?

  • Security of Client Systems: The security of the connected client environment can adversely affect the security of the entire cloud offering.

    • Who do I share this cloud with?

The cloud is here to stay, and the good news is this: you can definitely use a CSP and have a well-managed, fully compliant architecture. Even better, it will likely be easier to maintain compliance, given the controls provided by your CSP. Just remember that it’s still your compliance program and you need to do your due diligence.
