Service Providers and PCI Compliance, Part 1 – Cloud Services and Your Obligations Home Insights Blog Service Providers and PCI Compliance, Part 1 – Cloud Services and Your Obligations September 04, 2019 Service Providers and PCI Compliance, Part 1 – Cloud Services and Your Obligations This post is the first in a three-part series dedicated to companies working with service providers relating to PCI compliance. Part 1 (below) focuses on working with cloud service providers and understanding the obligations of your organization and the provider. Part 2 will center on third-party risk management life cycles as they apply to PCI. Part 3 will discuss ways to remediate issues around due diligence deficiencies. The PCI consulting practice at Optiv performs hundreds of PCI-related engagements each year, including ROCs, SAQs, gap assessments, readiness assessments, and executive workshops. One of the frequently-requested topics of conversation is all about PCI compliance in the cloud. We’ll address different facets of this topic in this article. "Cloud" is that overused IT pronoun that has many different meanings in different contexts. We'll address some of these perspectives here. Infrastructure as a Service (IAAS) and PCI Organizations using IAAS as a part of their cardholder data environment (CDE) typically design and implement an environment consisting of servers with their respective operating systems, database management systems, applications, tools, and supporting services; as well as firewalls and other network devices. The IAAS environment will probably utilize a defined demilitarized zone (DMZ). The misnomer of cloud services is that the cloud service provider takes care of all security matters. This assumption is patently WRONG. The fact of the matter is this: no matter where, or in what form, the CDE infrastructure is located, the cloud customer is responsible for all infrastructure-related PCI controls (the only exception is physical security, which we'll cover shortly). An organization that places its workloads in the cloud is responsible for implementing and managing firewalls, intrusion prevention system (IPS), file integrity monitoring (FIM), event logging and alerting, anti-virus, server hardening standards, network architecture, and all of the other controls regarding user and administrative access controls, monitoring, reviews, policies, and so on. From a PCI perspective, moving from an on-prem data center to the cloud absolves an organization of ONLY the physical security controls. However, even here, organizations are not entirely off the hook. Regarding physical security. An organization that is in a co-location or an IAAS environment is still indirectly responsible for physical security. In these situations, organizations need to ascertain whether their co-lo or IAAS providers are themselves PCI compliant. Generally, this is done by asking for their "attestation of compliance" (AOC), a formally signed document that asserts their compliance to applicable PCI controls. If the co-lo or IAAS provider doesn't have this, organizations will have to determine through other means the degree to which they are PCI compliant. Further, in any co-lo or IAAS situation, organizations should complete a PCI Responsibility Matrix. This is a worksheet that details the responsibilities for all PCI controls, specifying which party(ies) are responsible for which controls, and how they test and attest to those controls. The PCI Responsibilities Matrix is available from the PCI Standards Council in the Information Supplement on Third-Party Security Assurance document. While this can be tedious to complete correctly, all parties must understand and agree to their stated responsibilities for PCI controls. Software / Platform as a Service (SAAS/PAAS) and PCI Organizations using SAAS or PAAS environments that are a part of their CDE have an obligation that is similar to the IAAS discussion described earlier. Typically, a SAAS or PAAS environment will have a somewhat larger share of responsibilities than an IAAS service provider. Instead of just being responsible for physical security, a SAAS and PAAS organization will also manage its own network architecture, server security, firewalls, security monitoring, administrative access, and more. Because of the variance among SAAS and PAAS orgs, it’s doubly important to complete a PCI Responsibility Matrix so that there are no ambiguities with regards to responsibilities for every PCI control. This matrix is included in the PCI Standards Council's Information Supplement on Third-Party Security Assurance document. But don’t just skip to the appendix; instead, it is important to understand the narratives as well. Regardless of the type of relationship you have, it is critical as a cloud customer that you clearly understand your responsibilities. Be sure to check our blog soon for Part 2 of this series where will explore these third party relationships in more detail. By: Peter Gregory Director, Information Security Peter Gregory is a director in Optiv's Office of the CISO. He is a leading security technologist and strategist with a long professional history of advancing security technology, compliance and risk management at all levels of corporate culture. He has published more than 40 books and authored more than 30 articles for leading trade publications in print and online. By: Sean Smith A former CISO, Sean has over 20 years of experience in both consulting and enterprise environments in a multitude of industries. He has extensive experience in executive leadership, security technology implementations, vulnerability assessments, penetration testing, auditing, control development, risk and advisory processes. He is experienced with multiple regulatory requirements and frameworks including PCI-DSS, HIPAA, HITECH, NIST, HITRUST, ISO 27001, and Sarbanes-Oxley. He holds a Masters in Information and Communication Sciences and a B.S. in Computer Science from Ball State University. Share: PCI Compliance PCI Compliance Series Cloud Security Risk How Can We Help? Let us know what you need, and we will have an Optiv professional contact you shortly.