According to a SecurityMetrics report released last November, 80 percent of merchants don’t encrypt the payment data that they store on their networks. In response, the Payment Card Industry Security Standards Council recently issued new guidelines for PCI-DSS control in the cloud environment. Most of the guidelines involve the role of the cloud service provider (CSP).
The three main industries guilty of storing unencrypted payment data are the financial, hospitality and retail industries. Coincidentally, these industries are also the most frequently targeted by cybercriminals.
“At the [Security Standards] Council, we always talk about payment security as a shared responsibility,” noted Bob Russo, the council’s general manager. “And cloud is by nature shared, which means that it's increasingly important for all parties involved to understand their responsibility when it comes to protecting this data.”
One of the biggest takeaways from the guidance is that the merchant is ultimately responsible for protecting card data, not the CSP. The merchant has to continuously monitor the CSP for PCI-DSS compliance.
“Due diligence is not simply reading the provider’s marketing material or relying on a provider’s claims of ‘PCI compliance’ or secure operations,” the council wrote.
CSPs need to create strong segmentation that isolates encrypted payment card data. Segmentation should be just as strong, said the council, as the isolation achievable through a physical network.
The council also pointed out that keeping certain functions out of the cloud may reduce the compliance burden on the CSP. Specifically, the council referred to encryption/decryption and key-management operations.
Some analysts have criticized the council’s guidance as bloated and unfocused. “The council made a mistake by loading the document with so much stuff,” complained Andre Chuvakin, a Gartner research director for IT security and risk management. “Sadly, the whole thing just bears signs of being designed by a committee full of members hating each other.”
Even if the guidance is overstuffed, one thing is clear: the onus is on merchants to define who is responsible for the operation, management and reporting of each PCI-DSS requirement.
Edited by Rachel Ramsey