Staying compliant with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) in a cloud computing environment can be challenging for organizations, and PCI-compliant cloud providers are not the end-all solution. Organizations must successfully manage and maintain compliance when making the transition to the cloud.
This SearchCloudSecurity.com cloud computing compliance guide discusses several aspects of PCI and cloud computing, including virtualization in the cloud, what you need to know about compliance and cloud providers, Web security in the cloud and log management.
What the PCI virtualization guidance means for PCI compliance in the cloud
The PCI Security Standards Council’s recent guidance on virtualization comes as a mixed blessing for many organizations. On the one hand, many have been anxiously waiting for PCI virtualization guidance since the standard was first published. On the downside, many of the decisions and assumptions made by organizations in regard to virtualization will end up being wrong, requiring extra spending and effort to achieve compliance.
In this tip from security expert Ed Moyle, learn what the PCI virtualization guidance means for PCI compliance in the cloud, and how the recent virtualization guidance shows that PCI compliance in the cloud is a shared responsibility.
PCI DSS compliant cloud providers: No PCI panacea
When a cloud service provider says it’s been validated as PCI DSS compliant, what does that mean for the enterprise customer? According to security experts, organizations shouldn’t expect a PCI-validated cloud provider to relieve them of their PCI obligations. To be PCI DSS compliant, tenants still have PCI obligations.
In this article, learn why PCI DSS compliant cloud providers are no panacea for organizations’ PCI DSS obligations.
Chenxi Wang, principal analyst with Forrester, discusses her recent research report, "Compliance with Clouds: Caveat Emptor," and the issues involved with maintaining compliance with PCI, SOX and HIPAA and using cloud-based services.
the PCI requirement for Web security in the cloud
When it comes to Payment Card Industry Data Security Standard compliance, not all of the 12 requirements are created equal, at least when it comes to implementation complexity. Specifically, compliance with PCI DSS Requirement 6.6 for Web application security has always been difficult for organizations to address, and it only becomes more complicated in a cloud environment.
In this tip, Ed Moyle discusses Requirement 6.6 in the cloud and explains how organizations can achieve compliance with the requirement and improve Web security in the cloud.
How to handle PCI DSS requirements for log management in the cloud
Because PCI DSS requirements, particularly those related to log management, are so prescriptive, organizations that must comply with them need to plan carefully when using a cloud service. Vendors may not have addressed the requirements fully, and customer-implemented controls may not be successful in a cloud computing environment.
Here, Ed Moyle defines PCI DSS requirements for logging, and explains how organizations can properly handle and manage those requirements in the cloud.
PCI DSS requirements compliance when moving to the cloud
Managing and maintaining compliance with PCI DSS requirements when moving to a cloud computing service can be challenging, but organizations can maintain PCI DSS requirements compliance through careful analysis and strategic planning. In this tip from SearchCloudSecurity.com, Ed Moyle explains how.
This was first published in August 2011