Although the industry standard for protecting credit and debit card information does not address moving card data to the cloud, it can still be done safely, according to Bridge Point Communications chief information officer Dr David Ross.
Dr David Ross (Credit: Michael Lee/ZDNet Australia)
Speaking at AusCERT 2012 on the Gold Coast yesterday, Ross said that the Payment Card Industry (PCI) Data Security Standard (DSS), which has 12 overarching requirements for how credit and debit card information must be secured, says very little about the cloud; what guidance does exist is really about virtualisation.
In addition, Ross said that organisations attempting to leverage the cloud for their payment systems are often hit with roadblocks that make it difficult, if not impossible, to attain PCI DSS compliance.
In particular, he said that most cloud providers will not allow customers to inspect their infrastructure or make certain changes, especially in a public cloud environment, where services are shared. The shared nature of public cloud services also means that the audit trail does not go all the way back to the hypervisor, since that would expose other customers' information.
Nevertheless, Ross did say that it is possible to work with a qualified security assessor to move systems securely to the cloud. The easiest way is to get the cloud provider or a third party to do the entirety of the compliance work, but he stressed that everything still needs to be monitored, and that this would be the most expensive option.
Recognising that most companies would want to know what their other options are, however, Ross ran through several cloud providers that could be used in one way or another while still achieving compliance.
He pointed out that services like Box, Dropbox and Amazon Cloud Drive are neither suitable for nor designed with PCI compliance in mind, noting that these services tend to state that they are not responsible for loss.
Dropbox and Amazon Cloud Drive, in particular, are not suitable, even though the data itself is stored on Amazon S3, which is suitable for PCI-compliance purposes.
Ross said that virtually no Google products are suitable either, including Drive, which he said is often a source of leaked information because of the poor practice of storing card numbers in spreadsheets that are then automatically synced to Drive. The only exception is Google Checkout Merchant, which, Ross said, would not harm an organisation's PCI compliance if implemented correctly.
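The leak path Ross describes, card numbers typed into a spreadsheet that a sync client then copies off-site, is the kind of thing a cardholder-data discovery scan is meant to catch before the file ever reaches a synced folder. The following is an added example, not code from the talk or from ZDNet: a small scanner that finds candidate primary account numbers in text (13 to 19 digits, optionally separated by spaces or dashes), validates them with the Luhn check, and reports only those whose leading digits match a recognised card brand. The brand prefix patterns and the CSV sample are constructed for this example and are assumptions, not data from the article.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# The lookarounds stop us from matching a slice out of a longer digit run
# (e.g. a 20-digit serial number), which would otherwise pass Luhn 10% of the time.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Brand detection by issuer prefix and length (assumed patterns for this example;
# tune these to the brands your merchant account actually accepts).
_BRANDS = [
    ("amex", re.compile(r"^3[47]\d{13}$")),
    ("visa", re.compile(r"^4\d{12}(?:\d{3})?(?:\d{3})?$")),
    ("mastercard", re.compile(
        r"^(?:5[1-5]\d{14}|2(?:22[1-9]|2[3-9]\d|[3-6]\d{2}|7[01]\d|720)\d{12})$")),
    ("discover", re.compile(r"^6(?:011|5\d{2})\d{12}$")),
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, subtract 9
    from any doubled value above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> str:
    """Return the brand name whose prefix/length pattern matches, else 'unknown'."""
    for name, pattern in _BRANDS:
        if pattern.match(digits):
            return name
    return "unknown"


def mask(digits: str) -> str:
    """Keep the first six (IIN) and last four digits, which PCI DSS permits to be
    displayed; everything in between is replaced so the report itself is not a leak."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Tuple[str, str]]:
    """Scan free text (a CSV export, a log, a spreadsheet dumped as text) and return
    (brand, masked_pan) for every Luhn-valid number with a recognised brand prefix."""
    findings = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue
        brand = brand_of(digits)
        if brand == "unknown":
            continue  # Luhn-valid but no known issuer prefix: treat as noise
        findings.append((brand, mask(digits)))
    return findings


# Constructed sample: what a "customers" sheet exported to CSV might look like.
# The card values are the well-known public test numbers, not real accounts.
SAMPLE_EXPORT = """customer,phone,card,notes
Alice,0412 345 678,4111 1111 1111 1111,"paid in full"
Bob,0455555555,378282246310005,
Carol,0466666666,4111111111111112,"typo in card"
Dave,,5555-5555-5555-4444,invoice 201205161234
"""

if __name__ == "__main__":
    for brand, masked in find_pans(SAMPLE_EXPORT):
        print(f"{brand:<12} {masked}")
```

Run over the sample, the scanner reports Alice's Visa, Bob's Amex and Dave's MasterCard (masked) and stays silent on the phone numbers, the invoice number and Carol's mistyped card, which fails the Luhn check. Point `find_pans` at the text of every file in a folder that is about to be synced and you have the pre-sync gate the spreadsheet habit needs; requiring a recognised brand prefix is a deliberate false-positive trade-off, so drop that filter if you would rather review every Luhn-valid hit.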
Microsoft also has certain issues: the company states that its Azure cloud platform undergoes annual PCI DSS audits, but it never explicitly states that its systems are actually compliant. Ross recommends watching and waiting to see whether the company achieves compliance.
Rackspace's mainstream cloud offerings are mostly not compliant, Ross said, but if organisations choose to use the company's dedicated machines, it is possible to set up a PCI-compliant architecture. He also pointed out that Rackspace publishes a PCI DSS guide.
Amazon's offerings, aside from Cloud Drive, are essentially completely compliant, Ross said. However, he warned that when a cloud provider states that it is compliant, this does not mean that those using its services are automatically made compliant as well.
"It just stops you from being uncompliant," he said. The provider's compliance covers only the services and/or infrastructure that the provider delivers; the customer's other PCI requirements, such as penetration testing, still need to be met.