Out-Law News

Businesses cannot claim PCI DSS compliance merely because they contract with a compliant cloud provider, says payment card industry body

Businesses that use cloud computing providers that are certified as being compliant with data security standards in the payment card industry cannot automatically claim to be compliant with those standards themselves, according to an industry body.

In new guidance it has issued, the Payment Card Industry (PCI) Security Standards Council (52-page / 1.17MB PDF) said that the PCI Data Security Standard (DSS) rules, which govern payment security, apply whenever payment card data is "stored, processed or transmitted in a cloud environment". However, it said that businesses that use cloud service providers (CSPs) that are validated as being compliant with PCI DSS cannot rely on their providers' compliance as demonstrating their own adherence to those rules.

"Use of a PCI DSS compliant CSP does not result in PCI DSS compliance for the clients," the Council said. "The client must still ensure they are using the service in a compliant manner, and is also ultimately responsible for the security of their [cardholder data] – outsourcing daily management of a subset of PCI DSS requirements does not remove the client’s responsibility to ensure [cardholder data] is properly secured and that PCI DSS controls are met."

"The client therefore must work with the CSP to ensure that evidence is provided to verify that PCI DSS controls are maintained on an ongoing basis—an Attestation of Compliance (AOC) reflects a single point in time only; compliance requires ongoing monitoring and validation that controls are in place and working effectively. Even where a cloud service is validated for certain PCI DSS requirements, this validation does not automatically transfer to the client environments within that cloud service," it said.

PCI DSS is the main standard governing the storage of payment card data. It sets out 12 requirements specifying the steps that should be taken to keep payment card data safe both during and after transactions.

The PCI Security Standards Council, which comprises major payment card brands including American Express, Visa and MasterCard, said that CSPs should be able to provide their clients with proof that they have been validated as being PCI DSS compliant. This evidence should include "proof of compliance documentation ...; documented evidence of system components and services that were included in the PCI DSS assessment; documented evidence of system components and services that were excluded from the PCI DSS assessment, as applicable to the service; appropriate contract language, if applicable," it said.

Businesses should also go through a "thorough due-diligence process" to assess CSPs' security offerings, it said.

"Due diligence is not simply reading the provider’s marketing material or relying on a provider’s claims of 'PCI compliance' or secure operations," the guidance said. "Clients should be sufficiently assured that they are engaging with a provider that can meet their security and operational needs before undertaking any such engagements."

The Council said that businesses and their CSPs need to divide responsibilities for payment card security between them. It said that the sharing of those responsibilities will differ depending on whether organisations are using a private, public, community or hybrid cloud model.

The Council said that even if CSPs are responsible for "managing security controls", the business clients would still be responsible for "ensuring that their cardholder data is properly secured".

"As a general rule, the more aspects of a client’s operations that the CSP manages, the more responsibility the CSP has for maintaining PCI DSS controls," it said. "However, outsourcing maintenance of controls is not the same as outsourcing responsibility for the data overall. Cloud customers should not make assumptions about any service, and should clearly spell out in contracts, memorandums of understanding, and/or SLAs (service level agreements) exactly which party is responsible for securing which system components and processes."

The SLAs should "clearly identify the delineation of responsibilities between parties, including responsibilities for implementing and managing different security controls" and "should be established as a prerequisite to any cloud service implementation", it added.

The Council's guidance sets out each of the 12 PCI DSS principles and provides a hypothetical example of how responsibility for compliance with each of them could be divided up or shared between a CSP and a business.