Comment: PCI DSS compliance in the cloud

Harber says the payment card industry needs to work more closely with QSAs and service providers to define compliant solutions that are suitable for cloud architecture

The first compliance deadline for the Payment Card Industry Data Security Standard (PCI DSS) is approaching this September. A recent UK business survey, carried out by Redshift Research on behalf of Tripwire, found that only 11% of merchants in the financial, hospitality and retail sectors were certified compliant.

Although the majority of “Level 1” merchants are on track to comply, Redshift’s research suggests that the majority of Level 2 – 4 UK merchants are unlikely to meet the deadline. Many vendors reported that they don’t believe PCI DSS compliance will actually make their businesses more secure. To compound this issue, many small to medium-sized businesses have begun to take advantage of the flexibility, scalability and cost benefits of accessing managed IT services from cloud computing providers, meaning that some data is stored off-site in professionally run and secured data centres. Our own findings reveal that many merchants have been unable to get conclusive assurance on whether they can be compliant if their service provider is not.

This article will explore the issues facing merchants using hosted services when seeking advice on PCI DSS compliance in the cloud.

Keeping up the standard

The PCI DSS standard was created to help organisations that process card payments to prevent credit card fraud. Under the PCI DSS guidelines, Level 1 merchants are those processing more than six million transactions annually; Level 2 merchants – between one and six million annual transactions; Level 3 merchants – 20,000 to one million annual transactions; and Level 4 merchants – up to 20,000 transactions per year. However, Redshift’s findings indicate that 14% of Level 2 – 4 merchants have not yet started the process of becoming PCI DSS compliant, and many are still unsure of what is required.

Confused merchants & QSAs

In order to become PCI DSS compliant, companies have to liaise with a Qualified Security Assessor (QSA) approved by the payment card industry. The QSA will assess the company’s payment processes and IT infrastructure, based on a list of criteria laid down by the payment card industry. Leading PCI players – VISA and MasterCard – have been the main drivers behind the standard and in partnership with carriers, such as Barclaycard, have been setting up criteria for merchants and retailers.

Why PCI DSS matters

Merchants and organisations that are found to be in violation of PCI DSS face hefty fines and, in the worst case scenario, revocation of their ability to process card payments. This could put a company out of business.

Earlier this year, we contacted a number of QSAs to try to clarify the position for PCI DSS-compliant companies that are using cloud-based services. We found, much to our dismay, no consensus on whether compliance can be achieved if a company’s cloud service provider is not compliant. Ideally, merchants should be able to seek PCI DSS advice from their QSA to ensure that they are compliant, regardless of whether or not they choose to use hosted services. However, our research with twelve different QSAs revealed that confusion exists even among the experts as to whether a merchant can be PCI DSS compliant if its hosted infrastructure is not. All of the QSAs confirmed that they required further guidance and advice from the payment card industry on PCI DSS compliance in the cloud.

Is compliance in the cloud achievable?

A European Network and Information Security Agency (ENISA) report from November 2009 raised doubts about whether merchants could achieve PCI DSS compliance if they used services from third-party hosting providers – especially if the provider’s services are not compliant.

The report states: "Certain organisations migrating to the cloud have made considerable investments in achieving certification either for competitive advantage or to meet industry standards or regulatory requirements (e.g. PCI DSS). This investment may be put at risk by a migration to the cloud if the cloud provider cannot provide evidence of their own compliance to the relevant requirements".

Some QSAs, much to our concern, believed that a merchant can be compliant even if its service provider is not. However, this is not the view of Barclaycard, which insists that any third-party service provisioned to the merchant must also be PCI DSS compliant.

"Merchants who are using non-compliant hosted services pose a risk if those services are not compliant with PCI DSS standards”, says Neira Jones, head of payment security at Barclaycard. “As an acquirer, one of our main areas of focus for 2010 will be to encourage merchants [that] are presently using non-compliant service providers to move to a service provider whose services already meet the required standards.”

Better QSA advice required for merchants

When considering services managed by a cloud computing provider, merchants should be engaging with their QSA to understand how their payment processing environment will be impacted. However, if the QSAs themselves are unclear as to the stipulations, merchants could be given conflicting advice. If a merchant selects a provider that does not have the required level of compliance, then it risks the wrath of the Security Standards Council. More clarification is needed – not only for the merchants, but also for the QSAs.

PricewaterhouseCoopers is about to release a cybersecurity survey in which it reports that three-quarters of surveyed companies are using cloud computing services. One question looms: because data is not held on retailers’ premises, which organisation is technically responsible for securing the data? Should the merchant accept full responsibility because it collects the data in the first place, or should the cloud provider bear the cross and become PCI DSS compliant itself?

Compliance in the cloud

Cloud computing offers UK SMEs a great opportunity to be more competitive by accessing the latest technologies without exposing the business to the large financial and operational risk normally associated with implementing in-house IT systems. However, simply choosing a compliant service provider does not automatically make a business compliant.

Jan Fry, head of PCI compliance at ProCheckUp – a PCI-approved scanning vendor and QSA that provides network scanning and penetration testing for merchants – believes that reaching PCI compliance using a cloud provider needs to be looked at in terms of the individual environments on a case-by-case basis. “If you’re encrypting the data held in the cloud, then you may still meet the required PCI DSS standards – it would depend on segmentation and encryption procedures in use”, he comments. “I’d also advise that [if] any provider is reluctant to let anyone on site to check out their facility that should be a warning sign.”

The ultimate responsibility

Surprisingly, as no standard has been drafted and implemented, QSAs are not providing any guidance when dealing with retailers that make use of managed services. Due to the multi-faceted criteria that businesses must meet to achieve compliance, it seems that QSAs are left to their own interpretation of the rules and requirements. What is being quickly understood is that merchants themselves are ultimately responsible for the security of their customer data, regardless of whether it is hosted in a third-party data centre or on-site.

Having recently achieved the PCI DSS accreditation for several of our hosted services, we understand the process of achieving compliance. We have experienced firsthand the conflicting advice being provided by QSAs. The payment card industry needs to work more closely with QSAs and service providers to define compliant solutions that are suitable for cloud architecture. In this way, merchants can continue to benefit from the flexibility and scalability of accessing cloud-based services, without fear of falling foul of the PCI and losing their ability to process credit card payments.



Hugo Harber, director of convergence and network strategy for Star, is a seasoned telecommunications professional and leads Star's unified communications strategy. He is responsible for delivering Star's network services, working with customers to develop new voice and data products to solve today's business challenges.
