When the Payment Card Industry Security Standards Council (PCI SSC) issued the initial Data Security Standards (DSS) in 2004 for any company that stores, processes or transmits payment card data, they did not plan on cloud computing becoming as prevalent in the industry as it has. Newer versions of the DSS added requirements covering new technologies and concepts but the focus was not oriented towards cloud computing. PCI addressed this by publishing Cloud Computing Guidelines as a supplement to the DSS. Due to many of the cloud’s built-in services and tools, a company’s compliance burden can actually be reduced if done right. Let’s cover the basics first.
Shared Responsibility Model
Moving to the cloud shifts some of your compliance requirements to the cloud provider. PCI’s cloud computing guidelines break down the shared responsibility model that companies inherit when they leverage cloud services, as shown in the table below.
This table shows how using cloud services can shift PCI compliance requirements to a cloud provider. For example, leveraging cloud services such as Infrastructure-as-a-Service (IaaS) will remove a company’s responsibility for maintaining physical controls. Using Software-as-a-Service (SaaS) shifts even more responsibilities to the cloud provider, such as no longer being responsible for operating systems. Shifting responsibilities for PCI controls to a cloud provider can dramatically reduce the compliance burden. This should be a consideration when determining a hosting strategy for your PCI environment.
When performing a PCI assessment, companies should reach out to their cloud providers and request a PCI Attestation of Compliance (AoC) and a list of services that this covers. The AoC is used as evidence that PCI controls are in place for the requirements that the provider is responsible for, based on the table above. The company is still responsible for “customer” controls and many of those in the “shared” controls. Information on AoCs for major cloud providers can be found:
Remember that using a PCI certified cloud provider does NOT mean your environment is PCI certified - you still have to implement the controls you have responsibility for.
PCI Assessments in the Cloud
Implementing and assessing PCI controls in the cloud provides many ways to leverage automation to ensure controls are in place. (One of the key advantages for compliance in the cloud is to use automation everywhere.)
Scoping a PCI environment is one of the more difficult aspects of PCI DSS, whether your environment is on-premise, in the cloud, or a hybrid setup. One of the goals of PCI is to reduce the attack surface of the PCI in-scope systems to better protect cardholder data. Due to this, the compliance burden is reduced when you have a smaller in-scope environment. PCI provides detailed guidance on how to scope and segment your environments. These need to be carefully reviewed to ensure that systems listed as “out of scope” are truly out of scope.
Implementing controls within a cloud environment is similar to on-premise designs, with the major difference being the use of virtual controls. For example, network controls must be in place, such as firewalls and intrusion detection. These can be accomplished using cloud-native tools (such as AWS network firewalls) or by leveraging third-party solutions running virtually (e.g. Palo Alto firewalls). Additional controls, such as encryption, can be handled natively in most cloud environments (e.g. Google Cloud KMS and HSM). When determining your controls strategy keep in mind that cloud-native controls integrate into the cloud better and offer more opportunity for automation, which will help ease the compliance workload.
An advantage of PCI compliance in the cloud is the use of automation. While you can pass an assessment doing manual validation of your controls, this takes time and is only a point-in-time snapshot of your compliance posture. All of the major cloud providers have automated tools that allow you to continually validate that your PCI controls are in place and can even notify when one is removed. (You can actually build in automation to remediate non-compliant controls immediately when you truly embrace the automation capabilities of the cloud.) Below is a summary of these tools in the three major cloud providers:
- Amazon Web Services
- Google Cloud Platform
- Microsoft Azure
Additionally, there are many third party tools that will also track your compliance posture, which may be worthwhile to pursue if you need to track compliance in a multi-cloud environment.
PCI compliance within cloud environments can be easier than expected, especially if you leverage cloud-native toolsets and automation. Do your research prior to implementing PCI workloads and your compliance burden may be dramatically reduced. If you have questions about the nuances of PCI or any compliance in the cloud, definitely reach out to us at ScaleSec as we specialize in those areas.