The PCI Security Standards Council announced on Thursday that it has published new guidelines around the use of PCI DSS in the cloud.
Businesses that deploy cloud technology can use the PCI DSS Cloud Computing Guidelines Information Supplement to choose solutions and third-party cloud providers that will help them secure payment data and support PCI DSS compliance.
The new guidelines bring together expertise from more than 100 global organizations representing banks, merchants, security assessors and technology vendors. They aim to address security challenges for different cloud architectures and help businesses understand their PCI DSS responsibilities.
Cloud compliance can be extremely confusing for businesses, and as a result, cloud providers like ITX Design have launched solutions aimed at simplifying cloud compliance for ecommerce vendors. These kinds of compliance services are pertinent as businesses continue to cite compliance as a major concern with cloud deployments. A recent study by Symantec finds that only 40 percent said they are sure their cloud providers' certificates comply with internal standards.
The information supplement could be useful to merchants considering using cloud technologies with cardholder data, and any third-party service provider that provides PCI DSS compliant cloud services.
The supplement provides guidance on common deployment and service models for cloud environments, outlines roles and responsibilities across different cloud models, and covers PCI DSS considerations and PCI DSS compliance challenges.
The information supplement can be downloaded from the documents library on the PCI SSC website. The guidance provided in the document is supplemental, and does not supersede or replace any PCI DSS requirements.
“At the Council, we always talk about payment security as a shared responsibility. And cloud is by nature shared, which means that it’s increasingly important for all parties involved to understand their responsibility when it comes to protecting this data,” said Bob Russo, general manager, PCI Security Standards Council. “It’s great to see this guidance come to fruition, and we’re excited to get it into the hands of merchants and other organizations looking to take advantage of cloud technology in a secure manner.”