2/21/2013
12:58 AM
PCI Council Offers Clarity On Cloud, Mobile Issues

Two new documents released by the council offer guidance on merchant responsibility for cardholder data stored in the cloud, as well as data processed through mobile point-of-sale devices

The PCI Council recently provided merchants with more detailed guidance on the two topics that most commonly confuse merchants trying to protect cardholder data and comply with the PCI Data Security Standard (PCI DSS): cloud storage and mobile payments. Led by merchants, banks, and payment processors participating in the council's community-driven special interest groups, the effort to clear up some of the confusion came to fruition this month with the publication of two separate documents.

The first, the PCI DSS Cloud Computing Guidelines Information Supplement (PDF), offers a comprehensive breakdown of merchant and cloud service provider responsibilities for maintaining PCI compliance across the many public and private cloud service models. The second, the PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users (PDF), provides early advice to merchants on securing cardholder data on mobile devices when using currently unregulated and nonstandardized mobile payment technology, such as Square.

Cloud Guidance
The cloud information supplement builds on earlier guidance released last year detailing security recommendations for virtualized environments, says Bob Russo, general manager of the PCI Security Standards Council, who reports that more than 100 representatives from merchants, banks, and payment processing vendors collaborated on the latest document. Goal No. 1 was to bust myths some merchants had about their responsibilities as custodians of cardholder data when sending that data out to a public cloud service provider (CSP), even if that provider claims PCI compliance.

"The biggest misconception is if I pass all of this stuff out to a cloud environment and someone else processes it all for me, I'm done and I don't have any responsibility," he says. "We're making sure that you as the 'owner' of that data understand what your responsibilities are and what the CSP's responsibilities are because they're not all created alike."

Many QSAs read the document as confirmation of their earlier inclination to prefer private cloud arrangements for cardholder data storage, given the opacity of infrastructure and operations at many cloud service providers.

"Some people might say the document was really biased toward private cloud -- of course it was. Why would you expect any different?" says Walter Conway, a QSA for 403 Labs. "I've always taken it as a given that, practically speaking, the only way you wanted to go into the cloud with cardholder data is with a private cloud or virtual private cloud because you need that control to make your life easier. But to the council's credit, they then said, 'If you're not going to go private, here's the stuff you need to do.'"

According to Chris Bucolo, senior manager of security consulting for ControlScan, this kind of detailed divvying of responsibilities was "badly needed."

"When we're talking to clients about PCI, and security in general, we get into lots of conversations about cloud computing in the marketplace," he says. "There has been lots of confusion. There's a matrix in the document that shows by the type of service whether PaaS, IaaS, or whatever, who maintains control, if it is shared, and then shows you by PCI requirements how [responsibility] typically pans out."


Mobile Payment Guidance
Closely following the release of the cloud document, the council's mobile payment information supplement was similarly driven by a special interest group community effort. The goal was to offer merchants bare-minimum security practices to put in place around point-of-sale technology residing on mobile devices, Russo says.

"People are putting out all kinds of really good mobile payment solutions. We certainly don't want to stifle that, but we want to make sure the merchant knows that there are risks involved with using them," Russo says. "Who among us hasn't left a mobile device in a cab at some point? And if I'm using this as an acceptance device and it's storing data in it, what happens if I do leave it in a cab?"

The supplement is a stopgap measure as the PCI Council and standards bodies like NIST work to develop security standards for mobile payment acceptance dongles and applications.

"The council is working very hard to figure out what the next steps are, but at the very least this document says, 'Make sure that whatever it is that you use is encrypting that cardholder data before it gets into the device.' Now, is that going to make you secure? Probably not 100 percent. But encrypt to protect yourself until there is a standard out there."

While the document offers solid advice on what is still a burgeoning technology, some PCI compliance experts wonder whether the right people will ever read it, given that the bulk of mobile payment acceptance occurs among the mom-and-pop crowd, who may be less educated in PCI concerns.

"I don't know that the farmers market merchants, plumbers, and roofers who actually use these things would have a clue to read this," Conway says.

Nevertheless, it puts merchants on notice that the power of the processing technology, coupled with the capabilities of smartphones and tablets, has essentially given them a "loaded gun" with respect to cardholder data, Bucolo says.

Comments
timsed, User Rank: Apprentice
3/8/2013 | 8:37:49 PM
re: PCI Council Offers Clarity On Cloud, Mobile Issues
Great story, Ericka, thanks for reporting on this issue -- it's a vital one.

Data security and compliance in the public cloud is a critical topic, and this story raises a number of red flags that anyone responsible for PCI-DSS compliance should be worried about -- especially when it is responsible for the handling and disposition of data. We often speak with customers that have been told by public cloud vendors that their cloud services meet compliance and auditing regulations when in fact they are not viewing this from the customer's standpoint, but their own. The bottom line is this -- when it comes to data security, don't trust anyone to keep your business information safe; that's IT's responsibility. The cloud is a great place to store data, just not sensitive data.
Tim Sedlack
Sr. Product Manager at Dell