Anton Chuvakin

A member of the Gartner Blog Network

Anton Chuvakin
Research VP
2+ years with Gartner
14 years IT industry

Anton Chuvakin is a research VP at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…

Finally, PCI DSS In The Cloud Guidance

by Anton Chuvakin  |  February 12, 2013  |  9 Comments

As all of you already know, PCI Council has finally released an official “Information Supplement: PCI DSS Cloud Computing Guidelines” [PDF] aka “PCI DSS in the cloud.”


Here are some of my favorite quotes from the 52-page [sadly, a bit woolly] mammoth of a document:

  • “The allocation of responsibility between client and provider for managing security controls does not exempt a client from the responsibility of ensuring that their cardholder data is properly secured according to applicable PCI DSS requirements.” <- merchants, please ponder that one :)
  • “clear responsibilities for operation, management and reporting need to be defined for each [PCI DSS] requirement.” <- obvious, but oh-so-uncommon.
  • “The allocation of responsibility for managing security controls does not exempt a client from the responsibility of ensuring that their cardholder data is properly secured.”
  • “Where the CSP maintains responsibility for PCI DSS controls, the client is still responsible for monitoring the CSP’s ongoing compliance for all applicable requirements.”
  • “Segmentation on a cloud-computing infrastructure must provide an equivalent level of isolation as that achievable through physical network separation.”
  • “Any shared infrastructure used to house an in-scope client environment would be in scope for that client’s PCI DSS assessment.”
  • “If adequate segmentation is not in place or cannot be verified, the entire cloud environment would be in-scope for any one client’s assessment.”
  • “The more security controls the CSP is responsible for, the greater the scope of the CDE will potentially be, thereby increasing the complexity involved in defining and maintaining CDE boundaries.” <- counter-intuitive, but so true! Whoever wrote this particular line really gets it!
  • “by keeping all encryption/decryption and key-management operations isolated from the cloud, the number of PCI DSS requirements that the CSP is required to maintain may be reduced, as these requirements will instead be applicable to the client’s own environment and personnel.” <- read and think about it as well.
  • “It can be challenging to collect, correlate, and/or archive all of the logs necessary to meet applicable PCI DSS requirements [in public cloud].” <- I hereby nominate this line for The Understatement of the Year prize :)
  • “Use of a PCI DSS compliant CSP does not result in PCI DSS compliance for the clients.” <- this is a repeat, but it definitely bears repeating!
  • “The CSP should ensure that any service offered as being “PCI compliant” is accompanied by a clear and unambiguous explanation, supported by appropriate evidence, of which aspects of the service have been validated as compliant and which have not.”
  • “Due diligence is not simply reading the provider’s marketing material or relying on a provider’s claims of “PCI compliance” or secure operations.”
  • “End-to-end processes and data flows must be documented across both client and cloud provider networks, so that it is clearly understood where cardholder data is located and how it is traversing the infrastructure.”

Finally, if anybody cares for my opinion, the Council made a mistake by loading the document with so much stuff (BC/DR? Data classification? Evolving Security Technologies?) and thus making the clarity of “PCI in the cloud” guidance unachievable! Honestly, I don’t think anybody (much less merchants, much less smaller, cloud-happy merchants) will ever read it all the way to its end… To top it off, “Appendix D: PCI DSS Implementation Considerations” is an entirely new document embedded inside. Sadly, the whole thing just bears signs of being designed by a committee full of members hating each other :)


Category: cloud compliance PCI DSS

9 responses so far ↓

  • 1 Rich Evans   February 13, 2013 at 4:57 pm

    One of the best no holds commentary I have seen publicly on a matter quite obvious to many, and only further confusing the rest. Right down to your drilling into the core problem underlying the consistently failed delivery of information…lack of direction, leadership, dabble in plenty of infighting. The intent has, since its inception and then continuing through to the latest here, been lost in the minutia.

  • 2 Anton Chuvakin   February 14, 2013 at 12:27 pm

    Well, this time they really DID screw up. I’ve met plenty of people who had issues with previous supplemental guidance docs, but I more or less liked most of them. This one is a clear FAIL! No clarity, lots of empty volume, etc, etc.

  • 3 John Clark   February 14, 2013 at 4:05 pm

    I’m curious if you see a contradiction in guidance between the 2011 Virtualization Guidance and the Cloud Guidance. One opinion that seems to have changed is the Cloud Guidance indicates that virtual network isolation with some help from physical devices within a host can be acceptable for segmentation.

    For example – pg 14 of the Cloud Guidance:
    “Traditional network segmentation technologies consist of hardware devices such as firewalls, switches, routers, and so forth. These physical components could be used to separate VMs hosted on the same or multiple hypervisors similar to the manner in which systems could be segmented in a “physical” network”

    Pg 21 of the Virtualization Guidance:
    “Unlike separate physical systems, network-based segmentation alone cannot isolate in-scope from out-of-scope components in a virtual environment”

  • 4 Brian   February 14, 2013 at 9:23 pm


    Do you think that this document modifies what level of risk can be transferred via tokenization? With this document placing all of the responsibility in the organization’s court rather than the MSP provider, does that transfer to tokenization vendors as well?

  • 5 Anton Chuvakin   February 14, 2013 at 10:13 pm

    @brian I didn’t feel that the document rebalances the responsibilities differently. Merchant ultimately “owns” PCI DSS.

  • 6 Brian   February 14, 2013 at 10:51 pm

    @ Anton thanks!

  • 7 Anton Chuvakin   February 15, 2013 at 4:24 pm

    @john Yes, I did notice (rather, felt that something changed) in their “approved”/recommended segmentation approaches. IMHO, too early to say what QSAs will make out of it.

  • 8 Analysts in the news, February 19, 2013 | Thomas Ward Lynch   February 20, 2013 at 6:20 pm

    […] Finally, PCI DSS In The Cloud Guidance – Gartner Blog Network Anton Chuvakin is a research director at Gartner’s IT1 Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities ……/finally-pci-dss-in-the-cloud-guidance/ […]

  • 9 80 Percent of Merchants Store Unencrypted Payment Card Data on Networks, New Guidelines Issued — Expert Support NJ   February 22, 2013 at 12:35 am

    […] council made a mistake by loading the document with so much stuff,” complained Andre Chuvakin, a Gartner research director for IT1 security and risk management. “Sadly, the whole thing just bears signs […]