PCI Council Offers Clarity On Cloud, Mobile Issues

The PCI Council recently provided merchants with more detailed guidance on two topics most commonly confusing merchants in their pursuit to protect cardholder data and comply with PCI Data Security Standards: cloud storage and mobile payments. Led by merchants, banks, and payment processors participating in the council's community-driven special interest groups, the effort to clear up some of the confusion came to fruition with the publication of two separate documents this month.

The first, PCI DSS Cloud Computing Guidelines Information Supplement (PDF), offers a comprehensive breakdown of merchant and cloud service provider responsibilities for maintaining PCI compliance under a myriad of public and private cloud service models. The second, PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users (PDF), provides early advice to merchants in securing cardholder data on mobile devices when using currently unregulated and nonstandardized mobile payment technology, such as Square.

Cloud Guidance
The cloud information supplement builds on an earlier guidance released last year detailing security recommendations for virtualized environments, says Bob Russo, general manager of the PCI Security Standards Council, who reports that more than 100 representatives from merchants, banks, and payment processing vendors collaborated on the latest document. Goal No. 1 was to bust myths some merchants had about their responsibilities as the custodians of cardholder data when sending that data out to public cloud service provider (CSP), even if those providers offer PCI compliance claims.

"The biggest misconception is if I pass all of this stuff out to a cloud environment and someone else processes it all for me, I'm done and I don't have any responsibility," he says. "We're making sure that you as the 'owner' of that data understand what your responsibilities are and what the CSP's responsibilities are because they're not all created alike."

Many QSAs read the document as a confirmation of their early leaning to prefer private cloud arrangements for cardholder storage due to the opacity of infrastructure and operations at many cloud service providers.

"Some people might say the document was really biased toward private cloud -- of course it was. Why would you expect any different?" says Walter Conway, a QSA for 403 Labs. "I've always taken it as a given that, practically speaking, the only way you wanted to go into the cloud with cardholder data is with a private cloud or virtual private cloud because you need that control to make your life easier. But to the council's credit, they then said, 'If you're not going to go private, here's the stuff you need to do.'"

According to Chris Bucolo, senior manager of security consulting for ControlScan, this kind of detailed divvying of responsibilities was "badly needed."

"When we're talking to clients about PCI, and security in general, we get into lots of conversations about cloud computing in the marketplace," he says. "There has been lots of confusion. There's a matrix in the document that shows by the type of service whether PaaS, IaaS, or whatever, who maintains control, if it is shared, and then shows you by PCI requirements how [responsibility] typically pans out."

[How efficient are your compliance practices? See 7 Routes To Reducing The Compliance "Tax".]

Mobile Payment Guidance
Closely following on the heels of the release of the cloud document, the council's publication of its mobile payment information supplement was similarly driven by a special interest group community effort. The goal was to offer merchants some bottom-floor, bare-minimum security practices to put in place around point-of-sale technology residing on mobile devices, Russo says.

"People are putting out all kinds of really good mobile payment solutions. We certainly don't want to stifle that, but we want to make sure the merchant knows that there are risks involved with using them," Russo says. "Who among us hasn't left a mobile device in a cab at some point? And if I'm using this as an acceptance device and it's storing data in it, what happens if I do leave it in a cab?"

The supplement is a stopgap measure as the PCI Council and standards bodies like NIST work to develop security standards for mobile payment acceptance dongles and applications.

"The council is working very hard to figure out what the next steps are, but at the very least this document says, 'Make sure that whatever it is that you use is encrypting that cardholder data before it gets into the device.' Now, is that going to make you secure? Probably not 100 percent. But encrypt to protect yourself until there is a standard out there."

While the document offers solid advice on what is still very burgeoning technology, some PCI compliance experts wonder whether the right people will ever read it, considering that the bulk of mobile payment acceptance use is within the mom-and-pop crowd that may not be as educated in PCI concerns.

"I don't know that the farmers market merchants, plumbers, and roofers who actually use these things would have a clue to read this," Conway says.

Nevertheless, it puts merchants on notice that the power of the processing technology, coupled with the capabilities of smartphones and tablets, has essentially given them a "loaded gun" with respect to cardholder data, Bucolo says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.