What is the cloud?
The image of a cloud brings up an idea of something mysterious and far away, but in reality, “the cloud” is a third-party-managed physical server. The same security controls that apply to data stored on a server apply to data stored “in the cloud.”
What is PCI DSS compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security controls that the major card brands require of any merchant or service provider that stores, processes, or transmits cardholder data.
The 12 requirements of PCI DSS are:
1. Protect your systems with firewalls.
2. Do not use vendor-supplied defaults; apply adequate configuration standards.
3. Protect stored cardholder data.
4. Encrypt cardholder data sent over open, public networks.
5. Protect systems with anti-malware and keep it updated.
6. Develop and maintain secure systems and applications, and patch them promptly.
7. Restrict access to cardholder data to those with a business need to know.
8. Use unique ID credentials for everyone with system access.
9. Ensure physical security.
10. Implement logging and log management.
11. Test security systems and processes regularly.
12. Maintain an information security policy, including documentation and risk assessments.
Can you be PCI compliant and store credit card information in the cloud?
Yes, you can store credit card information in the cloud, but it must be encrypted. If you can avoid storing credit card data in the first place (for example by tokenizing it or keeping only a truncated PAN), that is the better strategy for both PCI DSS compliance and security. PCI DSS does not forbid keeping card data in the cloud; it requires that you secure it with strong encryption and meet some very specific key-management items, including key rotation. Key rotation means retiring an encryption key at the end of its cryptoperiod and replacing it with a new one, so that a key that may have been exposed over time does not protect your data indefinitely. This is what lets you meet the standard and follow cryptographic best practice.
PCI DSS Requirement 3 covers protection of stored cardholder data: rendering the PAN unreadable wherever it is stored (strong encryption, truncation, tokenization, or one-way hashing), restricting access to the encryption keys, keeping key-encrypting keys separate from the data-encrypting keys they protect (and from the data itself), and documented procedures for generating, distributing, rotating, and retiring keys (Requirements 3.5 and 3.6 in PCI DSS v3.2.1).
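The key separation and rotation pattern described above, shown as an added example that is not code from the original post or from SecurityMetrics. It assumes a hypothetical in-memory KeyStore that stands in for a KMS or HSM; in production the key-encrypting keys (KEKs) live there and never touch the cloud data store, while each stored record carries its own data-encrypting key (DEK) wrapped under the current KEK. The Record, KeyStore, EncryptPAN, DecryptPAN, Rewrap, and Retire names are this example's own. Rotation re-wraps only the small DEK, so the PAN ciphertext never has to be rewritten, and a record still wrapped under a retired KEK becomes unreadable, which is the property you want to test for before retiring a key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is what the application stores in the cloud: the PAN ciphertext plus the
// per-record data-encrypting key (DEK), wrapped under a key-encrypting key (KEK).
type Record struct {
	KEKID      string // which KEK wrapped the DEK; also bound as AES-GCM associated data
	WrappedDEK []byte
	Ciphertext []byte
}

// KeyStore is a hypothetical in-memory stand-in for a KMS or HSM: KEKs kept in a
// different trust domain from the data store (the key separation Requirement 3 asks for).
type KeyStore struct {
	keks      map[string][]byte
	currentID string
}

// randomBytes panics if the CSPRNG fails; nothing below can proceed safely without it.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Rotate creates a fresh 256-bit KEK and makes it current. Old KEKs stay until every
// record wrapped under them has been re-wrapped; Retire then removes them for good.
func (ks *KeyStore) Rotate() string {
	ks.currentID = fmt.Sprintf("kek-%x", randomBytes(4))
	ks.keks[ks.currentID] = randomBytes(32)
	return ks.currentID
}

func (ks *KeyStore) Retire(id string) { delete(ks.keks, id) }

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { // only a bad key length fails, and keys here are always 32 bytes
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// seal returns nonce || AES-GCM(plaintext) under a fresh random 96-bit nonce.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptPAN encrypts the PAN under a fresh DEK, then wraps the DEK under the current KEK.
func EncryptPAN(ks *KeyStore, pan string) Record {
	dek := randomBytes(32)
	return Record{
		KEKID:      ks.currentID,
		WrappedDEK: seal(ks.keks[ks.currentID], dek, []byte(ks.currentID)),
		Ciphertext: seal(dek, []byte(pan), nil),
	}
}

func (ks *KeyStore) unwrap(r Record) ([]byte, error) {
	kek, ok := ks.keks[r.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %s has been retired", r.KEKID)
	}
	return unseal(kek, r.WrappedDEK, []byte(r.KEKID))
}

func DecryptPAN(ks *KeyStore, r Record) (string, error) {
	dek, err := ks.unwrap(r)
	if err != nil {
		return "", err
	}
	pan, err := unseal(dek, r.Ciphertext, nil)
	return string(pan), err
}

// Rewrap moves a record onto the current KEK. Only the wrapped DEK changes; the PAN
// ciphertext is untouched, which is what keeps rotation cheap across millions of rows.
func Rewrap(ks *KeyStore, r Record) (Record, error) {
	dek, err := ks.unwrap(r)
	if err != nil {
		return Record{}, err
	}
	r.KEKID = ks.currentID
	r.WrappedDEK = seal(ks.keks[ks.currentID], dek, []byte(ks.currentID))
	return r, nil
}

func main() {
	ks := &KeyStore{keks: map[string][]byte{}}
	ks.Rotate()
	rec := EncryptPAN(ks, "4111111111111111") // constructed test PAN, not real card data
	old := rec.KEKID
	ks.Rotate()
	rec, _ = Rewrap(ks, rec)
	ks.Retire(old)
	fmt.Println(DecryptPAN(ks, rec)) // 4111111111111111 <nil>
}
```

Binding the KEK ID as AES-GCM associated data means a wrapped DEK cannot be quietly re-labelled as belonging to a different KEK, and the authenticated cipher rejects any modified ciphertext rather than returning garbage. The one operational rule this enforces is that you may only retire a KEK once every record wrapped under it has been re-wrapped; the stale record in the test shows what happens if you retire early.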
Things to keep in mind for PCI DSS compliance in the cloud
There are some considerations to keep in mind if you use cloud server storage and are PCI compliant:
1. Your cloud service provider (CSP) needs an attestation of compliance (AOC).
When you store data on someone else’s server, you don’t have as much control over the infrastructure or data access, so you are relying on them to do a good job. Since a CSP’s business model relies on providing secure data storage, we would assume that they are invested in providing you with a secure infrastructure you can rely on. But, it can’t hurt to do your homework.
That being said, from a PCI perspective you will want an AOC from your CSP on file. PCI DSS Requirement 12.8 requires that you keep a written agreement in which the CSP acknowledges its responsibility for the security of the cardholder data it handles on your behalf, and that you monitor the CSP's PCI DSS compliance status at least annually; the CSP's AOC is the normal evidence for that annual check. A CSP that is PCI DSS compliant should already be providing its AOC to customers on request.
2. Understand that the cloud is a shared environment and unauthorized access is a concern.
Your business is not the only tenant on the cloud infrastructure, and that is where the big risk lies. In a shared environment, can another tenant break out of their environment (through the hypervisor, a shared storage layer, or a misconfigured access control) and gain unauthorized access to your data? Encryption is how you address this risk, provided the keys are managed outside the environment that holds the data, so that a copy of your storage volume or database is useless without a key the attacker cannot reach from the same place.
If you are PCI DSS compliant, your stored card numbers should already be protected with strong encryption no matter where they live. When they are stored with a cloud provider, that protection matters even more, because you are entrusting a third party to restrict access to your sensitive data and to keep other tenants out.
3. You need to know each party’s roles and responsibilities.
Your CSP needs to clearly outline roles, responsibilities, and what will be done with your data: which PCI DSS requirements the CSP covers, which remain yours, and which are shared. Document what they provide and make sure you know what you are supposed to do. This is not only best practice, it is also a requirement of PCI DSS Requirement 12 (12.8 for you as the customer, and 12.9 for the service provider's written acknowledgement).
PCI DSS compliance vs HIPAA compliance in the cloud
One major difference between storing protected health information (PHI) and credit card information in the cloud is the level of access: HIPAA requires that you track access to PHI and that you verify the access is appropriate. If you need to be HIPAA compliant in a cloud environment, you need to make sure those features are available in the cloud.
In the PCI DSS realm, by contrast, it is preferable to have NO routine access to the credit card data stored in the cloud. The less available the card data, the better for PCI. If you are a non-healthcare merchant, you will likely still be able to run your business even if you cannot easily access stored card data; the bigger concern is data security. If you are a healthcare organization, access to PHI is crucial to both organizational function and HIPAA, and not having access to PHI could cripple your ability to operate.
PCI Compliance in the Cloud
PCI DSS compliance in the cloud is not all that different from PCI DSS compliance for on-site servers. The same controls are required, but when you use a cloud service provider you need to take into account a third party and how they affect your roles and responsibilities. To learn more about what the PCI Security Standards Council has said, check out their supplement, PCI SSC Cloud Guidelines.
George Mateaki (CISSP, CISA, QSA, PA-QSA) was a Security Analyst at SecurityMetrics with an extensive background in Information Security and more than 20 years in IT. He graduated from BYU Hawaii and Hawaii Pacific University with a bachelor’s degree and a master’s degree in Information Systems. George’s hobbies included car/motorcycle/scooter repair, gaming, ethical hacking, DJ/Live Audio Professional Services, and computer repair. He worked in compliance and IT auditing from 2011 to 2020. Sadly, George passed away in September 2020. He was a mentor in our QSA training program, a friend to all, and a great man.