Thursday, 17 June 2010

Cloud Computing: Would PCI Compliance Help or Hurt Security?

Can cloud computing environments meet PCI compliance standards? Security experts say they can't answer that question yet. But the bigger question is whether meeting PCI standards would actually improve cloud security.

These days it's not that great a compliment to say something's as safe as banks, let alone credit cards or those swipe-card readers at the convenience store.

Still, the possibility—raised in the press and on user forums—that cloud security would be included in the most recent update of the ubiquitous Payment Card Industry's Data Security Standards (PCI DSS) sparked debates on whether requirements designed to protect credit-card data would actually make cloud services less secure.
"PCI can give you a baseline of things you can use to measure security, and some people overuse it for that, according to Josh Corman, analyst at The 451 Group. "The problem is the requirements are specific, but only for the parts of your system that you use to process credit cards. If I were shot dead in an alley but the mugger couldn't get my credit cards, the PCI standards would be satisfied."

Every merchant in the U.S. that accepts credit cards must comply with PCI requirements, which become more stringent as the volume of transactions rises. The rules cover 12 major categories, including encryption of credit-card data at the point of sale, during transmission to clearinghouses, and physical security of data centers where credit-card data are stored.

PCI Lacks Virtualization Specifics

Even PCI-compliant merchants don't like the standard much, however, according to a 2009 study from the Ponemon Institute, which found only 29 percent consider it a strategic initiative. 44 percent think it improves security and 60 percent lack the budget to be fully compliant, according to Ponemon's data.
Small- and mid-sized companies actually improve security moving to clouds, which are professionally managed and secured, concluded a September study from the Fraunhofer Institute for Secure Information Technology.
Today, there is literally no way to know if even a secure system could pass a PCI audit if it were based in a cloud, because there are no specific standards for virtual environments of any kind, Corman says.
The PCI Security Standards Council is indeed releasing updates to its standards, including more detailed guidance on how to secure contactless payments using EMV chips in credit cards.
However, the council will not offer much help defining how to secure credit-card or any other data on virtual infrastructures or cloud environments, according to Bob Russo, general manager of the council.
The council does have a group working on virtualization "of which cloud computing is one type," but "at this time the Council does not have plans to release separate guidance on cloud computing," Russo says in an e-mail responding to questions.

No comments: