Ensuring PCI DSS Compliance in the Cloud: Service Provider Due Diligence, Part 1

posted in: SSIC Americas

By Allan Pelais de Queiroz, SSIC Senior Consultant and Certified PCI-DSS QSA

Your company is transitioning to or leveraging the cloud. So what do you need to consider to ensure compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) in a cloud environment?

Clearly the aspects of price, availability, storage speed, data retention, as well as other goodies a service provider can offer, are important. However, if you are moving cardholder data to a cloud-based cardholder data environment, the key factor to consider is the cloud service provider itself and, specifically, whether and how you will share responsibilities with the provider.

For this activity, I recommend a data flow review and a gap analysis.

  • Data flow review: The cardholder data flow diagrams identify every occurrence and location of cardholder data. This is the first opportunity to confirm how the service provider will transmit, process, and store cardholder data.
  • Gap analysis: As part of the gap analysis, it’s important to validate whether the entity is compliant with all applicable requirements of the current PCI-DSS standard, identify any requirements that could not be met, and then recommend solutions to demonstrate compliance with the related requirement. During this period, the assessor should validate all relevant controls, data flows, and documentation. Use this as your chance to learn about any instances of non-compliance with PCI.

Here are common questions you may identify during a gap analysis:

  • Who will manage the firewall?
  • Who will manage the keys for cardholder data encryption?
  • And finally, how does the service provider answer the questions above?

Most likely, you will identify gaps that require remediation after performing the gap analysis. How willing is your cloud service provider to help you? Can you work together to remediate any issues?

In my next post, I will cover the requirements to manage service providers with whom cardholder data is shared, and how that could affect the security of cardholder data.