Risk // Compliance
2/21/2013

PCI Council Offers Clarity On Cloud, Mobile Issues

Two new documents released by the council offer guidance on merchant responsibility for cardholder data stored in the cloud, as well as data processed through mobile point-of-sale devices

The PCI Council recently gave merchants more detailed guidance on the two topics that most often confuse them as they try to protect cardholder data and comply with the PCI Data Security Standard (PCI DSS): cloud storage and mobile payments. Led by merchants, banks, and payment processors participating in the council's community-driven special interest groups, the effort to clear up some of that confusion resulted in the publication of two separate documents this month.

The first, PCI DSS Cloud Computing Guidelines Information Supplement (PDF), offers a comprehensive breakdown of merchant and cloud service provider responsibilities for maintaining PCI compliance under a myriad of public and private cloud service models. The second, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users (PDF), provides early advice to merchants in securing cardholder data on mobile devices when using currently unregulated and nonstandardized mobile payment technology, such as Square.

Cloud Guidance
The cloud information supplement builds on earlier guidance, released last year, that detailed security recommendations for virtualized environments, says Bob Russo, general manager of the PCI Security Standards Council, who reports that more than 100 representatives from merchants, banks, and payment processing vendors collaborated on the latest document. Goal No. 1 was to bust the myths some merchants hold about their responsibilities as custodians of cardholder data when they send that data out to a public cloud service provider (CSP), even when the provider claims PCI compliance.

"The biggest misconception is if I pass all of this stuff out to a cloud environment and someone else processes it all for me, I'm done and I don't have any responsibility," he says. "We're making sure that you as the 'owner' of that data understand what your responsibilities are and what the CSP's responsibilities are because they're not all created alike."

Many Qualified Security Assessors (QSAs) read the document as confirmation of their long-standing preference for private cloud arrangements for cardholder data storage, given how opaque the infrastructure and operations of many cloud service providers are.

"Some people might say the document was really biased toward private cloud -- of course it was. Why would you expect any different?" says Walter Conway, a QSA for 403 Labs. "I've always taken it as a given that, practically speaking, the only way you wanted to go into the cloud with cardholder data is with a private cloud or virtual private cloud because you need that control to make your life easier. But to the council's credit, they then said, 'If you're not going to go private, here's the stuff you need to do.'"

According to Chris Bucolo, senior manager of security consulting for ControlScan, this kind of detailed divvying of responsibilities was "badly needed."

"When we're talking to clients about PCI, and security in general, we get into lots of conversations about cloud computing in the marketplace," he says. "There has been lots of confusion. There's a matrix in the document that shows by the type of service whether PaaS, IaaS, or whatever, who maintains control, if it is shared, and then shows you by PCI requirements how [responsibility] typically pans out."


Mobile Payment Guidance
Closely following the release of the cloud document, the council's publication of its mobile payment information supplement was likewise driven by a special interest group community effort. The goal was to give merchants a baseline of minimum security practices to put in place around point-of-sale technology running on mobile devices, Russo says.

"People are putting out all kinds of really good mobile payment solutions. We certainly don't want to stifle that, but we want to make sure the merchant knows that there are risks involved with using them," Russo says. "Who among us hasn't left a mobile device in a cab at some point? And if I'm using this as an acceptance device and it's storing data in it, what happens if I do leave it in a cab?"

The supplement is a stopgap measure as the PCI Council and standards bodies like NIST work to develop security standards for mobile payment acceptance dongles and applications.

"The council is working very hard to figure out what the next steps are, but at the very least this document says, 'Make sure that whatever it is that you use is encrypting that cardholder data before it gets into the device.' Now, is that going to make you secure? Probably not 100 percent. But encrypt to protect yourself until there is a standard out there."

While the document offers solid advice on what is still a nascent technology, some PCI compliance experts wonder whether the right people will ever read it, considering that the bulk of mobile payment acceptance takes place among mom-and-pop merchants who may not be as well versed in PCI concerns.

"I don't know that the farmers market merchants, plumbers, and roofers who actually use these things would have a clue to read this," Conway says.

Nevertheless, it puts merchants on notice that the power of the processing technology, coupled with the capabilities of smartphones and tablets, has essentially given them a "loaded gun" with respect to cardholder data, Bucolo says.

Comments
timsed,
User Rank: Apprentice
3/8/2013 | 8:37:49 PM
re: PCI Council Offers Clarity On Cloud, Mobile Issues
Great story, Ericka, thanks for reporting on this issue -- it's a vital one.

Data security and compliance in the public cloud is a critical topic, and this story raises a number of red flags that anyone responsible for PCI-DSS compliance should be worried about -- especially when it is responsible for the handling and disposition of data. We often speak with customers that have been told by public cloud vendors that their cloud services meet compliance and auditing regulations when in fact they are not viewing this from the customer's standpoint, but their own. The bottom line is this -- when it comes to data security, don't trust anyone to keep your business information safe, that's IT's responsibility. The cloud is a great place to store data, just not sensitive data.
Tim Sedlack
Sr. Product Manager at Dell