In a bid to help organisations better understand their compliance obligations under the Payment Card Industry Data Security Standard (PCI DSS) when using cloud technology to collect, store or transmit credit card data, the Payment Card Industry Security Standards Council (PCI SSC) has published the PCI DSS Cloud Computing Guidelines Information Supplement.

Formed through a collaboration of more than 100 global organisations representing banks, merchants, security assessors and technology vendors, the guidelines state that the PCI DSS will still apply “if payment card data is stored, processed or transmitted in a cloud environment”.

According to the PCI SSC, unless the cloud deployment model is truly private (on-site), security is a shared responsibility between the Cloud Service Provider (CSP) and its clients, with the levels of responsibility between the two depending on the type of cloud service model used.

Software as a Service (SaaS) enables clients to use the CSP’s applications through the cloud, resulting in a greater loss of control over security and lower responsibility. Platform as a Service (PaaS) allows clients to deploy their applications onto the CSP’s cloud infrastructure, reducing their control to a lesser extent than SaaS and increasing their responsibilities. Infrastructure as a Service (IaaS) permits clients to use the CSP’s processing, storage and networks to deploy and run operating systems, applications, and other software on a cloud infrastructure, providing the client with a high level of control and responsibility. The level of security responsibility across the cloud service models generally migrates toward the client as the client moves from an SaaS model (least client responsibility) to an IaaS model (most client responsibility).

It is essential that clients understand their requirements so as to determine whether they will be met by a particular CSP. The guidelines recommend that clients undertake risk assessments to enable them to make an informed decision.

Where control is outsourced to the third-party CSP, the council consider it essential for contractual agreements to be in place – and ongoing due diligence to be carried out – to ensure that the CSP is complying with the security levels required by the client and the PCI DSS. They warn that “if the security responsibilities are not properly assigned, communicated and understood, insecure configurations or vulnerabilities could go unnoticed and unaddressed, resulting in potential exploit and data loss.”