As all of you already know, the PCI Council has finally released an official “Information Supplement: PCI DSS Cloud Computing Guidelines” [PDF] aka “PCI DSS in the cloud.”
Here are some of my favorite quotes from the 52-page [sadly, a bit woolly] mammoth of a document:
- “The allocation of responsibility between client and provider for managing security controls does not exempt a client from the responsibility of ensuring that their cardholder data is properly secured according to applicable PCI DSS requirements.” <- merchants, please ponder that one
- “clear responsibilities for operation, management and reporting need to be defined for each [PCI DSS] requirement.” <- obvious, but oh-so-uncommon.
- “The allocation of responsibility for managing security controls does not exempt a client from the responsibility of ensuring that their cardholder data is properly secured.”
- “Where the CSP maintains responsibility for PCI DSS controls, the client is still responsible for monitoring the CSP’s ongoing compliance for all applicable requirements.”
- “Segmentation on a cloud-computing infrastructure must provide an equivalent level of isolation as that achievable through physical network separation.”
- “Any shared infrastructure used to house an in-scope client environment would be in scope for that client’s PCI DSS assessment.”
- “If adequate segmentation is not in place or cannot be verified, the entire cloud environment would be in-scope for any one client’s assessment.”
- “The more security controls the CSP is responsible for, the greater the scope of the CDE will potentially be, thereby increasing the complexity involved in defining and maintaining CDE boundaries.” <- counter-intuitive, but so true! Whoever wrote this particular line really gets it!
- “by keeping all encryption/decryption and key-management operations isolated from the cloud, the number of PCI DSS requirements that the CSP is required to maintain may be reduced, as these requirements will instead be applicable to the client’s own environment and personnel.” <- read and think about it as well.
- “It can be challenging to collect, correlate, and/or archive all of the logs necessary to meet applicable PCI DSS requirements [in public cloud].” <- I hereby nominate this line for The Understatement of the Year prize
- “Use of a PCI DSS compliant CSP does not result in PCI DSS compliance for the clients.” <- this is a repeat, but it definitely bears repeating!
- “The CSP should ensure that any service offered as being “PCI compliant” is accompanied by a clear and unambiguous explanation, supported by appropriate evidence, of which aspects of the service have been validated as compliant and which have not.”
- “Due diligence is not simply reading the provider’s marketing material or relying on a provider’s claims of “PCI compliance” or secure operations.”
- “End-to-end processes and data flows must be documented across both client and cloud provider networks, so that it is clearly understood where cardholder data is located and how it is traversing the infrastructure.”
Finally, if anybody cares for my opinion, the Council made a mistake by loading the document with so much stuff (BC/DR? Data classification? Evolving Security Technologies?) and thus making the clarity of “PCI in the cloud” guidance unachievable! Honestly, I don’t think anybody (much less merchants, much less smaller, cloud-happy merchants) will ever read it all the way to its end… To top it off, “Appendix D: PCI DSS Implementation Considerations” is an entire new document embedded inside. Sadly, the whole thing just bears signs of being designed by a committee full of members hating each other.