What do new card data protection standards mean for your business?

The rules will change in October 2013

Steep penalties make card data protection a high stakes proposition and, as many will no doubt be aware, the Payment Card Industry Data Security Standards (PCI DSS) Council is due to publish a revision to the standard in October this year, making PCI top of mind in 2013.

By Kurt Hagerman, director of information security, FireHost

Online retailers that use website hosting services need to ensure that, if they are taking payments via their sites, the hosting companies they use are meeting the requirements of the PCI standard. However, with PCI DSS, the theory is simpler than the practice when it comes to the role of the hosting provider.

The current PCI DSS validation reporting process for hosting providers does not provide enough delineation between the various types of services that they are providing. In addition, the PCI standard’s service provider ‘Attestation of Compliance’ (AOC) is not clear about what is specifically included in individual hosting provider assessments.

This causes significant confusion for ecommerce merchants and businesses handling credit card payments when trying to determine exactly which DSS controls a particular hosting provider covers. It also makes it very difficult for businesses shopping for an outsourced hosting provider to compare the level of DSS compliance that will be supplied.

What to watch for, when considering the cloud for your business

Since PCI compliance is a must-have for any business handling payment card data, online merchants attempt to limit the scope of compliance by reducing the amount of sensitive data that they process and store.

Many merchants are creating what some call “payment islands” by consolidating all payment card processing and storage functionality into a single environment to which it is easier for them to apply the PCI DSS controls.

Many of these same merchants are looking to outsource these payment islands to hosting providers who offer services that cover the majority of the technical PCI DSS controls and who are validated as PCI compliant for these services.

Although cloud hosting providers are increasingly keen to attract these types of environments, targeted at ecommerce and PCI compliance, it’s important that merchants don’t come up short when outsourcing PCI compliance responsibilities.

Where problems may come to light for merchants is in the broad subject matter covered by the PCI DSS regulations; more specifically, differentiating their own responsibilities from those covered by their cloud hosting providers. PCI DSS governs the processing, transmission and storage of confidential card payment data – this standard covers all aspects of credit card payments, from how to deal with paper credit card slips to anti-virus software. Cloud hosting providers may make bold PCI compliance claims, yet online retailers seeking to implement cloud hosting should beware. In reality, most cloud providers only cover some of the more easily achieved controls, such as 9.1 (‘Restrict physical access to the place where the data is stored’) and requirement 12 (‘Maintain a policy that addresses information security for employees and contractors’).

As a result, more technical controls, like anti-virus, web application protection, system patching and log management, would instead be left for an online retailer to arrange themselves. Even when these measures are neglected by a cloud hosting provider, the end result of addressing minor requirements like 9 and 12 is still the same – the cloud hosting provider is still considered PCI compliant and can market itself that way, despite perhaps not changing a single feature of its product set. In addition, the current validation document, the Attestation of Compliance (AOC), does not provide a way to differentiate between cloud hosting firms that have taken a minimalist approach and those that have had more services validated.

Will changes be made?

The current situation is far from ideal and it stands to reason that a change of direction is sorely needed in the next version of the PCI DSS. Simple, practical changes to the AOC could have a major impact, but two approaches in particular would help online retailers in their selection of a cloud hosting provider.

Option 1: Further clarify the standard for the various types of cloud hosting

The next logical step could be to provide more clarity around each individual PCI control as it relates to the different types of cloud hosting services available. This would help online retailers understand how much (or how little) of the PCI DSS regulations each cloud hosting provider covers.

One potential solution would be to provide better-defined categories in Part 2A of the AOC for hosting providers. The current categories are: Hosting Provider – Web; Hosting Provider – Hardware; Network Provider/Transmitter; and Managed Services, but the section offers little definition or guidance for any of them.

New categories should be formed such that they provide clear delineation of the services included in the assessment. One way to approach this would be to create categories that align with the three basic categories for cloud services: IaaS, PaaS and SaaS.

Another could be to create categories that generally follow the OSI (Open Systems Interconnection) model and group services based on the layers (and associated DSS controls) that are included.

Option 2: Modify and/or extend the Attestation of Compliance, so control category compliance is clearly communicated

The AOC lists the 12 control requirement categories in the PCI DSS, but it should be extended to also contain the details regarding the specific PCI DSS controls that were included in an official PCI auditor’s assessment of the cloud hosting provider.

This method would provide more detail and clarity to describe the specific DSS controls that a cloud hosting provider had included in their assessment, which would give online retailers a clearer picture of the level of PCI compliance on offer.

Combining these two approaches would provide the best solution, lifting the fog and making it easier for online retailers to understand the exact level of PCI compliance that various cloud hosting providers can provide.

With the PCI Security Standards Council (SSC) currently debating the upcoming revisions to the DSS standard, version 3.0, hearing from interested parties could potentially influence the outcome. The ecommerce industry has plenty to gain by making its collective voice heard and should certainly look to do so before it’s too late.
