
2/21/2013
12:58 AM

PCI Council Offers Clarity On Cloud, Mobile Issues

Two new documents released by the council offer guidance on merchant responsibility for cardholder data stored in the cloud, as well as data processed through mobile point-of-sale devices

The PCI Council recently provided merchants with more detailed guidance on the two topics that most often confuse merchants trying to protect cardholder data and comply with the PCI Data Security Standard: cloud storage and mobile payments. Led by merchants, banks, and payment processors participating in the council's community-driven special interest groups, the effort to clear up that confusion came to fruition this month with the publication of two separate documents.

The first, PCI DSS Cloud Computing Guidelines Information Supplement (PDF), offers a comprehensive breakdown of merchant and cloud service provider responsibilities for maintaining PCI compliance under a myriad of public and private cloud service models. The second, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users (PDF), provides early advice to merchants in securing cardholder data on mobile devices when using currently unregulated and nonstandardized mobile payment technology, such as Square.

Cloud Guidance
The cloud information supplement builds on earlier guidance released last year detailing security recommendations for virtualized environments, says Bob Russo, general manager of the PCI Security Standards Council, who reports that more than 100 representatives from merchants, banks, and payment processing vendors collaborated on the latest document. Goal No. 1 was to bust myths some merchants held about their responsibilities as custodians of cardholder data when sending that data out to a public cloud service provider (CSP), even when the provider claims PCI compliance.

"The biggest misconception is if I pass all of this stuff out to a cloud environment and someone else processes it all for me, I'm done and I don't have any responsibility," he says. "We're making sure that you as the 'owner' of that data understand what your responsibilities are and what the CSP's responsibilities are because they're not all created alike."

Many QSAs read the document as confirmation of their existing preference for private cloud arrangements for cardholder data storage, given how opaque infrastructure and operations are at many cloud service providers.

"Some people might say the document was really biased toward private cloud -- of course it was. Why would you expect any different?" says Walter Conway, a QSA for 403 Labs. "I've always taken it as a given that, practically speaking, the only way you wanted to go into the cloud with cardholder data is with a private cloud or virtual private cloud because you need that control to make your life easier. But to the council's credit, they then said, 'If you're not going to go private, here's the stuff you need to do.'"

According to Chris Bucolo, senior manager of security consulting for ControlScan, this kind of detailed divvying of responsibilities was "badly needed."

"When we're talking to clients about PCI, and security in general, we get into lots of conversations about cloud computing in the marketplace," he says. "There has been lots of confusion. There's a matrix in the document that shows by the type of service whether PaaS, IaaS, or whatever, who maintains control, if it is shared, and then shows you by PCI requirements how [responsibility] typically pans out."


Mobile Payment Guidance
Closely following the release of the cloud document, the council's publication of its mobile payment information supplement was likewise driven by a special interest group community effort. The goal was to give merchants a bare-minimum set of security practices to put in place around point-of-sale technology running on mobile devices, Russo says.

"People are putting out all kinds of really good mobile payment solutions. We certainly don't want to stifle that, but we want to make sure the merchant knows that there are risks involved with using them," Russo says. "Who among us hasn't left a mobile device in a cab at some point? And if I'm using this as an acceptance device and it's storing data in it, what happens if I do leave it in a cab?"

The supplement is a stopgap measure as the PCI Council and standards bodies like NIST work to develop security standards for mobile payment acceptance dongles and applications.

"The council is working very hard to figure out what the next steps are, but at the very least this document says, 'Make sure that whatever it is that you use is encrypting that cardholder data before it gets into the device.' Now, is that going to make you secure? Probably not 100 percent. But encrypt to protect yourself until there is a standard out there."

While the document offers solid advice on what is still an emerging technology, some PCI compliance experts wonder whether the right people will ever read it, considering that the bulk of mobile payment acceptance takes place among mom-and-pop merchants who may not be as educated in PCI concerns.

"I don't know that the farmers market merchants, plumbers, and roofers who actually use these things would have a clue to read this," Conway says.

Nevertheless, it puts merchants on notice that the power of the processing technology, coupled with the capabilities of smartphones and tablets, has essentially given them a "loaded gun" with respect to cardholder data, Bucolo says.

Comments
timsed, User Rank: Apprentice
3/8/2013 | 8:37:49 PM
re: PCI Council Offers Clarity On Cloud, Mobile Issues
Great story, Ericka, thanks for reporting on this issue - it's a vital one.

Data security and compliance in the public cloud is a critical topic, and this story raises a number of red flags that anyone responsible for PCI-DSS compliance should be worried about -- especially when it is responsible for the handling and disposition of data. We often speak with customers that have been told by public cloud vendors that their cloud services meet compliance and auditing regulations when in fact they are not viewing this from the customer's standpoint, but their own. The bottom line is this - when it comes to data security, don't trust anyone to keep your business information safe; that's IT's responsibility. The cloud is a great place to store data, just not sensitive data.
Tim Sedlack
Sr. Product Manager at Dell