To complement the PCI Council’s cloud computing guidelines, CipherCloud has outlined five steps for achieving PCI DSS compliance in the cloud. PCI Council’s guidelines for cloud appliances provide a framework for storage, processing and transmission of cardholder information in any cloud environment (SaaS, PaaS, IaaS, hosted email). The Council’s 52-page guidance calls for shared responsibility between cloud providers and cloud customers, including banks, merchants, service providers, and payment processors to ensure that cardholder data is protected and PCI-DSS compliant.
While the document advocates shared responsibility between cloud providers and customers, the recommendation lays out new security responsibilities for cloud customers to protect their cardholder data according to applicable PCI DSS requirements. It also specifies that customers need to understand and have a level of oversight and visibility into their cloud provider’s security functions.
In the absence of these new guidelines, cloud customers assumed that the cloud provider satisfied many of the PCI requirements and they started to rely on cloud providers to take care of most of the PCI requirements. This new guidance is an eye-opener as it clarifies that cloud customers cannot shift responsibility to their cloud providers. Cloud customers are still responsible for ensuring their cardholder data is secure.
Under the new guidelines, cloud customers who have been hesitant to go to the cloud now have clear guidance and choices: encrypt their cardholder data before sending it to cloud to minimize PCI scope, send their unencrypted cardholder data to the cloud and thus extend the PCI DSS scope to the cloud service, or refrain from sending their cardholder data to the cloud.
CipherCloud’s recommendations for safeguarding cardholder and payment information and complying with the new PCI Cloud security guidelines include:
- Cloud Encryption of Cardholder Data: As noted by the PCI Council, “ensuring that clear-text account data is never accessible in the cloud may also assist to reduce the number of PCI DSS requirements applicable to the cloud environment.” This can be achieved by applying the CipherCloud gateway to encrypt sensitive pieces of cardholder information transparently in real time before they are sent to the cloud using operations-preserving encryption and tokenization that do not impact the usability of the applications.
- Customers Retain Encryption Key Control: With CipherCloud’s approach encryption key management remains in the hands of the cloud customers. This contrasts sharply with other approaches in which the cloud provider retains control over the keys that can decrypt cardholder information. This ensures that payment information remains secure even if a cloud provider is compromised.
- Key Management: The keys need to be stored and managed independently from the encrypted data. At a minimum they should be maintained in a completely separate network segment, and preferably not accessible by the cloud provider.
- Full Data Sovereignty and Legal Compliance: Due to the dynamic nature of cloud operations, it may not be known in which country the information is actually stored and whether it’s accessible by foreign authorities and system administrators. This may result in concerns over data ownership and potential conflicts between domestic or international jurisdictional and regulatory requirements. By encrypting the data before sending it to the cloud, cloud customers using CipherCloud can be assured that no information will be shared, even with law enforcement, without their direct involvement.
- Restrict Business Card Holder Data On Need-to-Know Basis: By exclusively controlling the decryption keys, the data owner can be confident that all data access is controlled by their own authorized personnel and will comply with the organization’s internal need-to-know policies. No one at the cloud provider can access the information.
“These new PCI Cloud guidelines are very helpful,” said Pravin Kothari, founder and CEO of CipherCloud. “They provide very important clarifications to cloud customers as to their responsibility for protecting their cardholder data in the cloud, as well as defining clear steps for customers that have been hesitant to adopt the cloud on how to do so.”
Globally, CipherCloud has more than 1.2 million users. Over 100 million customer records are protected by CipherCloud’s 256-bit encryption gateways, this allows organizations to retain control over data in transit and at-rest in the cloud.